Curious Traffic from Firewall

709 Views 3 Replies Latest reply: Nov 1, 2012 11:51 AM by Verlorenen
Verlorenen
Oct 24, 2012 10:18 AM

Good Day,

 

I am noticing a large chunk of traffic to a subnet that should not exist. We are running EVERYTHING in the 10.0.0.0/8 subnet. We have NOTHING in the 172.16.0.0/12 or 198.168.0.0/16 subnets. That being said, we are noticing traffic that looks to be going OUT from our servers. I say that based on what I can find with other traffic and a black hole route on both our VOIP router and on our data router. There are 8 X-Serves, 4 high(ish) end Mac Minis, then far too many iMacs. This is the most active one, but 6 of the 12 look similar. The unique thing is the broadcasts seem to be from here. This one has 0.0.0.0:68 255.255.255.255:67.

 

Relevant Info:

SERVER is 10.X.Y.19 (OS X 10.6.8)

  • AFP
  • Firewall
  • Open Directory (Replica)

 

ANOTHERSERVER is 10.X.Y.13 (OS X 10.5.8)

  • AFP
  • Firewall
  • Open Directory (Replica)

 

ANOTHERSERVER2 is 10.X.Y.10 (OS X 10.6.8)

  • AFP
  • Firewall
  • Open Directory (Replica)
  • SMB

 

Firewall log spam inc

 

Oct 24 11:30:15 SERVER ipfw[251]:  1020 Deny TCP 10.X.Y.19:59377 172.16.1.40:3283 out via en0
Oct 24 11:30:16 SERVER ipfw[251]:  1020 Deny TCP 10.X.Y.19:59378 172.16.1.97:3283 out via en0
Oct 24 11:30:16 SERVER ipfw[251]:  1020 Deny TCP 10.X.Y.19:59379 172.16.1.40:3283 out via en0
Oct 24 11:30:16 SERVER ipfw[251]:  1020 Deny TCP 10.X.Y.19:59380 172.16.1.97:3283 out via en0
Oct 24 11:30:25 SERVER ipfw[251]:  1020 Deny TCP 10.X.Y.19:59381 172.16.1.97:3283 out via en0
Oct 24 11:30:25 SERVER ipfw[251]:  1020 Deny TCP 10.X.Y.19:59382 172.16.1.40:3283 out via en0
Oct 24 11:30:26 SERVER ipfw[251]:  1020 Deny TCP 10.X.Y.19:59383 172.16.1.40:3283 out via en0
Oct 24 11:30:26 SERVER ipfw[251]:  1020 Deny TCP 10.X.Y.19:59384 172.16.1.97:3283 out via en0
Oct 24 11:30:45 SERVER ipfw[251]:  65534 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via en0
Oct 24 11:36:07 SERVER ipfw[251]:  65534 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via en0
Oct 24 11:38:12 SERVER ipfw[251]:  65534 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via en0
Oct 24 11:43:28 SERVER ipfw[251]:  65534 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via en0
Oct 24 11:44:13 SERVER ipfw[251]:  65534 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via en0
Oct 24 11:44:43: --- last message repeated 1 time ---
Oct 24 11:45:46 SERVER ipfw[251]:  65534 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via en0
Oct 24 11:47:04 SERVER ipfw[251]:  65534 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via en0
Oct 24 11:47:38: --- last message repeated 1 time ---
Oct 24 11:47:38 SERVER ipfw[251]:  65534 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via en0
Oct 24 11:48:15 SERVER ipfw[251]:  65534 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via en0
Oct 24 11:50:54 SERVER ipfw[251]:  65534 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via en0
Oct 24 11:52:02: --- last message repeated 1 time ---
Oct 24 11:54:52 SERVER ipfw[251]:  65534 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via en0
Oct 24 11:55:14 SERVER ipfw[251]:  1020 Deny TCP 10.X.Y.19:59516 172.16.1.97:3283 out via en0
Oct 24 11:55:14 SERVER ipfw[251]:  1020 Deny TCP 10.X.Y.19:59517 172.16.1.40:3283 out via en0
Oct 24 11:55:31 SERVER ipfw[251]:  65534 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via en0
Oct 24 11:57:30: --- last message repeated 1 time ---
Oct 24 11:57:30 SERVER ipfw[251]:  1020 Deny TCP 10.X.Y.19:59529 172.16.1.97:3283 out via en0
Oct 24 11:57:30 SERVER ipfw[251]:  1020 Deny TCP 10.X.Y.19:59530 172.16.1.40:3283 out via en0
Oct 24 11:57:34 SERVER ipfw[251]:  65534 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via en0
Oct 24 11:58:43 SERVER ipfw[251]:  65534 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via en0
Oct 24 11:58:53 SERVER ipfw[251]:  1020 Deny TCP 10.X.Y.19:59537 172.16.1.40:3283 out via en0
Oct 24 11:58:53 SERVER ipfw[251]:  1020 Deny TCP 10.X.Y.19:59538 172.16.1.97:3283 out via en0
Oct 24 11:58:54 SERVER ipfw[251]:  1020 Deny TCP 10.X.Y.19:59539 172.16.1.40:3283 out via en0
Oct 24 11:58:54 SERVER ipfw[251]:  1020 Deny TCP 10.X.Y.19:59540 172.16.1.97:3283 out via en0
Oct 24 11:58:54 SERVER ipfw[251]:  1020 Deny TCP 10.X.Y.19:59541 172.16.1.40:3283 out via en0
Oct 24 11:58:54 SERVER ipfw[251]:  1020 Deny TCP 10.X.Y.19:59542 172.16.1.97:3283 out via en0
Oct 24 11:58:54 SERVER ipfw[251]:  1020 Deny TCP 10.X.Y.19:59543 172.16.1.40:3283 out via en0
Oct 24 11:58:54 SERVER ipfw[251]:  1020 Deny TCP 10.X.Y.19:59544 172.16.1.97:3283 out via en0
Oct 24 11:59:45 SERVER ipfw[251]:  65534 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via en0

 

The rest of the servers have entries similar to:

Oct 23 07:02:58 ANOTHERSERVER ipfw[15647]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
Oct 23 07:03:28: --- last message repeated 3 times ---
Oct 23 16:23:44 ANOTHERSERVER ipfw[15647]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
Oct 24 07:06:41 ANOTHERSERVER ipfw[15647]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
Oct 24 07:07:11: --- last message repeated 1 time ---
Oct 24 07:08:09 ANOTHERSERVER ipfw[15647]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
Oct 24 07:08:39: --- last message repeated 1 time ---

/////////////////////////////////////////////////

Oct 22 07:04:11 ANOTHERSERVER2 ipfw[197]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
Oct 22 07:04:15 ANOTHERSERVER2 ipfw[197]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
Oct 22 07:04:47: --- last message repeated 1 time ---
Oct 22 07:04:47 ANOTHERSERVER2 ipfw[197]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
Oct 22 07:39:29 ANOTHERSERVER2 ipfw[197]:  1030 Deny TCP 172.17.117.10:1053 10.X.Y.10:139 in via en0
Oct 22 16:43:42 ANOTHERSERVER2 ipfw[197]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
Oct 23 07:02:56 ANOTHERSERVER2 ipfw[197]:  1030 Deny UDP 172.17.117.10:137 10.X.Y.10:137 in via en0
Oct 23 07:02:56 ANOTHERSERVER2 ipfw[197]:  1030 Deny TCP 172.17.117.10:1031 10.X.Y.10:139 in via en0
Oct 23 07:02:58 ANOTHERSERVER2 ipfw[197]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
Oct 23 07:13:34: --- last message repeated 3 times ---
Oct 23 07:28:41 ANOTHERSERVER2 ipfw[197]:  1030 Deny TCP 172.17.117.10:1054 10.X.Y.10:139 in via en0
Oct 23 16:23:44 ANOTHERSERVER2 ipfw[197]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
Oct 24 07:06:41 ANOTHERSERVER2 ipfw[192]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
Oct 24 07:08:09: --- last message repeated 1 time ---
Oct 24 07:08:09 ANOTHERSERVER2 ipfw[192]:  1030 Deny UDP 172.17.117.10:67 255.255.255.255:68 in via en0
Oct 24 07:08:39: --- last message repeated 1 time ---
Oct 24 07:28:55 ANOTHERSERVER2 ipfw[192]:  1030 Deny TCP 172.17.117.10:1054 10.X.Y.10:139 in via en0

 

Can anyone offer any insight into similar issues or able to point out where else to check? I did some basic checksumming across the commonly used tools that can require authentication (cp, chmod, chown, sudo, sh) and had a few checksums that were drastically different. This is somewhat creepy, but without the intimate knowledge of upgrading Mac OS X Server clients, I am not totally alarmed.

 

As stated above, the 172.16.0.0/12 cannot route (due to the black hole route on both routers) but plenty of connections seem to be going OUT from the server. Is this indicative of some form of infectious nastiness or is there some Apple service(s) that I should look for to stop this traffic?

 

Thank you in advance! If I missed anything, can clarify, or add anything...PLEASE LET ME KNOW! :-D

 

Message was edited by: Verlorenen (Saved too soon, sorry)

Xserve, Mac OS X (10.6.8)
  • Some Dude
    Nov 1, 2012 9:53 AM (in response to Verlorenen)

    Verlorenen,

     

    Your Port 67 and 68 traffic is likely because someone is trying to pull a DHCP address from your server(s).  Are they used as DHCP servers??  I suspect not, but someone clearly is trying to pull an address from them.  Reference this:

     

    http://www.linklogger.com/UDP67_68.htm

     

    As for the other stuff, Port 1053 is a Remote Assistance port for Windows servers and is often used by a known trojan known as The Thief.  Now, with that in mind, it may be the case that some Windows machine/VM on your network, on the same IP network as the Mac servers, is infected, and the little malware that is installed is searching the network and trying to pull an IP via DHCP from anything/everything it can.  This might explain the port 67 and 68 traffic.  Many trojans do just that, whether it's a Windows trojan or others. Lastly, the 3283 traffic is Apple's Remote Desktop protocol, ARD in other words.  It seems someone on the .19 machine was trying to ARD to machines on the (apparently unused) 172.16.x.x network.  I wouldn't be as concerned by that, as long as you keep ARD locked down well (perhaps changing creds there might be in order just to be safer).

     

    My take-away from this though is this - do you have a network firewall?  You mention a router filter, that is not a firewall with all due respect.  I'd be curious to know if you utilize a perimeter firewall.  The reason I ask is there is no good reason that Port 67 and 68 should ever even GET to the Apple servers, as long as they are truly not DHCP servers of course (your list of functions above doesn't list them, so I assume they are not).  But the point is, why rely on just the Mac host-based firewall to block this stuff, when it shouldn't have to?  A perimeter security firewall would automatically not allow ports like 67 and 68 inbound to the servers unless you explicitly poke a hole for that. Again, no reason to in your case, if they are indeed not DHCP servers. If you do indeed have a solid perimeter firewall, then I suspect this traffic is being generated internally on your internal network, and that is indeed cause for more concern.  Track it down, I'm betting you find a Windows machine with a trojan on it.  Check all of them, including all virtual machines anyone may be running.

     

    I hope some of this is helpful.  I would also of course want you to be ABSOLUTELY sure that no one there uses 172.17.117.10 legitimately at all. Sometimes, odd looking networks like that are used by SSL VPN solutions, or other small pools of IPs just for a very specific use that you might not be thinking of always.  But in any case, let us know what you find.

     

    -SomeDude
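To make a log like the one in the original post easier to triage, here is an added example (not code from this thread, from Apple, or from ipfw) that parses ipfw Deny lines, labels the destination ports the reply discusses (67/68 DHCP, 3283 ARD, 137/139 NetBIOS/SMB) and flags peers in RFC 1918 ranges outside the site's stated 10.0.0.0/8 plan. The sample lines and the 10.1.2.x addresses are constructed stand-ins for the masked 10.X.Y.x hosts.

```python
import ipaddress
import re
from collections import Counter
# Matches the ipfw "Deny" lines quoted in the thread; "last message repeated" lines do not match.
IPFW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) ipfw\[\d+\]: +(?P<rule>\d+) Deny "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)
# Services discussed in the thread, keyed by destination port (a client's source port is ephemeral).
SERVICES = {67: "DHCP server", 68: "DHCP client", 137: "NetBIOS-NS", 139: "SMB/NetBIOS", 3283: "ARD"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_ipfw_line(line):
    """Return the fields of one Deny line as a dict, or None for any other line."""
    m = IPFW_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev
def unexpected_private(addr, allowed_nets):
    # RFC 1918 address that the site's own address plan (allowed_nets) does not use
    return any(addr in n for n in RFC1918) and not any(addr in n for n in allowed_nets)

def classify(ev, allowed_nets):
    """Tag one event with the service it targets and any address-plan anomaly."""
    tags = [SERVICES.get(ev["dport"], f"port {ev['dport']}")]
    src, dst = ipaddress.ip_address(ev["src"]), ipaddress.ip_address(ev["dst"])
    if ev["dport"] == 67 and src == ipaddress.ip_address("0.0.0.0"):
        tags.append("dhcp-discover-on-wire")  # a host with no lease is asking for one
    if ev["dir"] == "out" and unexpected_private(dst, allowed_nets):
        tags.append("outbound-to-unused-private-range")
    if ev["dir"] == "in" and unexpected_private(src, allowed_nets):
        tags.append("inbound-from-unused-private-range")
    return tags

def summarize(lines, allowed_nets):
    """Collapse a noisy log into counts keyed by host, direction, peer and tags."""
    counts = Counter()
    for ev in filter(None, map(parse_ipfw_line, lines)):
        peer = ev["dst"] if ev["dir"] == "out" else ev["src"]
        counts[(ev["host"], ev["dir"], peer, *classify(ev, allowed_nets))] += 1
    return counts

# Constructed sample in the thread's format; 10.1.2.0/24 stands in for the masked 10.X.Y.0 network.
SAMPLE = """Oct 24 11:30:15 SERVER ipfw[251]:  1020 Deny TCP 10.1.2.19:59377 172.16.1.40:3283 out via en0
Oct 24 11:30:45 SERVER ipfw[251]:  65534 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via en0
Oct 22 07:39:29 ANOTHERSERVER2 ipfw[197]:  1030 Deny TCP 172.17.117.10:1053 10.1.2.10:139 in via en0""".splitlines()
ALLOWED = [ipaddress.ip_network("10.0.0.0/8")]
```

Run `summarize(SAMPLE, ALLOWED)` over a real /var/log/ipfw.log (with the site's own allowed networks) to see which hosts, peers and services dominate before deciding what to chase.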
