I'm seeing quite a few of these messages in the modem/router log, all identical:
03/13/2008 18:35:37 **Smurf** 208.255.255.255->> 208.69.32.130, Type:3, Code:3 (from ATM1 Outbound)
Any ideas?
Take a look at this:
http://en.wikipedia.org/wiki/Smurf_attack
run to the hills
(http://i236.photobucket.com/albums/ff7/philipbennett/Impus_Art_Smurf_Attack.gif)
:rofl:
OK, so I'm being attacked... are there any steps I should take, other than standard AV & anti-spyware?
You should be safe, though the outbound troubles me a little. I'd certainly run a virus can and a couple of spyware sweeps if I were you.
Done a quick Google on 208.69.32.130 and it looks like it could be spyware.
Certainly do a scan of the system to check for any nasties. :)
I schedule regular scans - nothing showing up on the scanners apart from the usual tracking cookies (using MS Defender, ZoneAlarm AV/Anti-spyware, AVG Anti-spyware).
Hi,
I'd run Spybot Search and Destroy and Adaware (both available from http://www.download.com) too. That way you should have missed nothing.
If you're still worried I'd check all the programs that autostart using Autoruns and scan the machine with RootKitRevealer (both available at http://www.sysinternals.com )
Good luck,
Paul.
Quote from: Rik on Mar 13, 2008, 19:46:00
You should be safe, though the outbound troubles me a little. I'd certainly run a virus can and a couple of spyware sweeps if I were you.
Does a virus can require a tin opener? ;D
Quote from: Simon on Mar 13, 2008, 21:58:40
Does a virus can require a tin opener? ;D
yes, but make sure you wear gloves :eek4:
Hey
Do you use opendns as your name servers?
Cheers
so
run nanoscan (http://www.nanoscan.com/) online
and never forget HijackThis (http://www.spywareinfo.com/~merijn/programs.php)
Quote from: somanyholes on Mar 13, 2008, 22:11:39
Do you use opendns as your name servers?
I tried it a while ago when I was having problems accessing some sites with Pipex, but when I set up IDNet I switched to the IDNet DNS addresses.
Thanks for all the security software suggestions - I'm going to be spending the rest of the week scanning my machine!
:rant2: What the smurf are you smurfing about, you gotta set it to be smurfable and enable backsmurf :thumb:
(If i'm talking rubbish I blame a smurf dream I once had ;D)
Hey
208.69.32.130 belongs to OpenDNS. If you are definitely not using OpenDNS locally on your machines or on your router, then it does look like you have unwanted code on your network. http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
The app above will try to show you your TCP connections; look for any traffic going to 208.69.32.130 and see what ports it's using. It looks like it might be using NBT, which is used for file and printer sharing (445). The app may show you which application on your machine is trying to connect outbound.
Cheers
so
Nice thread, guys, thanks for all the input. :)
Quote from: somanyholes on Mar 14, 2008, 07:45:28
208.69.32.130 belongs to OpenDNS. If you are definitely not using OpenDNS locally on your machines or on your router, then it does look like you have unwanted code on your network. http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
The app above will try to show you your TCP connections; look for any traffic going to 208.69.32.130 and see what ports it's using. It looks like it might be using NBT, which is used for file and printer sharing (445). The app may show you which application on your machine is trying to connect outbound.
I've checked all the tcp connections - no sign of 208.69.32.130. I blocked the URL with ZoneAlarm firewall, I've run all the scanners, and removed all unnecessary startup programs and services, and I still see a **Smurf** message about every 12 minutes - it still happened when I booted up in safe mode with networking...
I dunno...
As Alan suggested a few posts back, HiJackThis (http://www.merijn.org/files/HiJackThis_v2.exe) is a good tool. If you download that, run a scan, then post the log here, one of us will see if there's anything running that shouldn't be (I'm certainly familiar with HJT log files). It's usually quite a definitive way of knowing whether you have any malware.
Hey
Do you have more than one machine on your network (any laptops etc.)? If so, the best way of sussing this out is to turn all but one off, keep checking for messages, then turn another one on with the rest off and see if you still get messages. This will help diagnose if it is one machine or another, or if it is nothing to do with any machines or your LAN.
If there is just one machine on your LAN, and you are still getting these messages on your router, turn your PC off for a while then back on again, and see if there are old log entries in the router during the period your machine was turned off.
Interesting - I rebooted again this morning, and now I'm not seeing the smurfs... looks like something I disabled was the culprit.
My network is rudimentary - 1 PC, 1 NAS, and a Squeezebox. I wasn't getting the smurfs when the PC was disconnected, so it was something on the PC.
I can now re-enable, one by one, stuff that will be useful, and see if the smurfs start up again.
I've downloaded HijackThis and got a log of the current PC state, so if they come back again, I can do a comparison.
Thanks for all the help and software suggestions, I'll let you know if the smurfs return and/or if I discover what was causing them ;-)
What a nice forum this is! ;D
We try - and some find us very trying. ;)
Glad you like the forum! Let us know if the smurf returns. :)
If he's singing that awful song, please don't tell us. ;D
I'll have you know I bought that, Rik - absolutely loved it.
It must be something to do with Hoobism. :)
Well I found the source of the smurf messages - it wasn't the PC after all, it's the NAS, a Synology Disk Station 106e. The messages stopped when it was disconnected - I've verified this a couple of times. Now I've disabled all the optional network services on the Disk Station, but it's still smurfing every 12 minutes. I can only guess that it's what it does.
I'll see what they say on the Synology forums...
So what were the little blue men (that no one else can see) saying to you then? :crazy: You can tell me, I'm the Doctor :legpull:
Quote from: dlorde on Mar 15, 2008, 17:05:30
I'll see what they say on the Synology forums...
Let us know, will you? I'm intrigued now.
I wonder if it could be the router incorrectly identifying whatever the NAS is doing as a smurf attack.
That's entirely possible, of course. Life is so complicated. :stars:
Quote from: Sebby on Mar 15, 2008, 18:03:44
I wonder if it could be the router incorrectly identifying whatever the NAS is doing as a smurf attack.
I used to get smurf attacks being reported by my old router, I can't however remember the cause, but it was definitely something innocuous being misreported...
Quote from: scook94 on Mar 16, 2008, 20:01:03
I used to get smurf attacks being reported by my old router, I can't however remember the cause, but it was definitely something innocuous being misreported...
I've had no response from the Synology forums, but I'm pretty sure it must be something innocuous - there's nothing but standard software on there, and the single messages are only appearing about every 12 mins.
Such regularity suggests hardware rather than software to me.
It turned out to be an old SlimServer service still running, perhaps accessing SqueezeNetwork. When I deleted it and rebooted the Disk Station, the messages stopped :)
That's good! Thanks for letting us know!
Quote from: dlorde on Mar 24, 2008, 20:16:21
It turned out to be an old SlimServer service still running, perhaps accessing SqueezeNetwork. When I deleted it and rebooted the Disk Station, the messages stopped :)
Excellent. :)
Yes, given the low frequency and regularity of the messages, it was unlikely to be an ICMP attack, and given that the Disk Station was the source, it was likely to be something running on it...
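As an added example that is not part of the thread: a small Python triage script for router log lines in the format quoted at the top. It decodes the ICMP type/code (3/3 is "destination unreachable: port", not the echo traffic a real smurf flood consists of) and checks the inter-arrival spacing. Only the first sample line is from the post; the others are constructed to mirror the roughly 12-minute spacing reported, and the thresholds are illustrative assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the first line is the one quoted in the thread; the
# rest are made up to mirror the ~12-minute spacing the poster described.
LOG_LINES = [
    "03/13/2008 18:35:37 **Smurf** 208.255.255.255->> 208.69.32.130, Type:3, Code:3 (from ATM1 Outbound)",
    "03/13/2008 18:47:38 **Smurf** 208.255.255.255->> 208.69.32.130, Type:3, Code:3 (from ATM1 Outbound)",
    "03/13/2008 18:59:37 **Smurf** 208.255.255.255->> 208.69.32.130, Type:3, Code:3 (from ATM1 Outbound)",
    "03/13/2008 19:11:38 **Smurf** 208.255.255.255->> 208.69.32.130, Type:3, Code:3 (from ATM1 Outbound)",
]
LINE_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \*\*(?P<label>\w+)\*\* "
    r"(?P<src>[\d.]+)->> (?P<dst>[\d.]+), Type:(?P<type>\d+), Code:(?P<code>\d+)"
    r" \(from (?P<iface>\w+) (?P<dir>\w+)\)")
# ICMP (type, code) names from RFC 792. A genuine smurf is a flood of echo
# traffic (type 8 request / type 0 reply) bounced off broadcast addresses.
ICMP_NAMES = {(0, 0): "echo reply", (8, 0): "echo request",
              (3, 1): "dest unreachable: host", (3, 3): "dest unreachable: port"}

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%m/%d/%Y %H:%M:%S")
    d["type"], d["code"] = int(d["type"]), int(d["code"])
    d["icmp"] = ICMP_NAMES.get((d["type"], d["code"]), "other")
    return d

def triage(lines, burst_seconds=60, jitter_seconds=5):
    """Classify a run of lines by ICMP type and inter-arrival spacing.
    The thresholds are illustrative assumptions, not router or vendor values."""
    events = [e for e in map(parse, lines) if e]
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
    echo_only = bool(events) and all(e["type"] in (0, 8) for e in events)
    low_rate = all(g > burst_seconds for g in gaps)        # nothing close together
    regular = bool(gaps) and max(gaps) - min(gaps) <= jitter_seconds  # fixed period
    if echo_only and not low_rate:
        verdict = "echo burst: consistent with the router's smurf label"
    elif regular and low_rate:
        verdict = "regular low-rate ICMP: looks like a periodic client, not a flood"
    else:
        verdict = "inconclusive: inspect the sending host"
    return {"count": len(events), "icmp": sorted({e["icmp"] for e in events}),
            "median_gap_s": sorted(gaps)[len(gaps) // 2] if gaps else None,
            "verdict": verdict}
```

Run `triage(LOG_LINES)` to see the sample classified as a periodic client; feed it real router log lines to compare.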
Despite my telling them that the messages were outgoing, regular, relatively infrequent, and clearly originated from the DS106e (I posted an example and gave them the timings), the Synology forum eventually replied to say:
"Our engineers believe you are experiencing an ICMP attack, and it is not originating from the DS106e. Please look <here> for further information."
<here> was a link to the WikiPedia article on ICMP attacks... <sigh>.
To say I'm disappointed with Synology 'engineers' is an understatement. You guys did better than that with common sense, in a fraction of the time :laugh:
Common sense beats scripts any day. :)
We try our best! ;D
Ain't all that common these days though :D