abalg
10-18-2002, 03:58 AM
In our network there are still a few workstations running Win98. All of them show a strange behaviour in the network:
Looking through our firewall logs I noticed all of them are sending 3 ICMP packets to the multicast address 224.0.0.X in an interval that ranges from 5-10 minutes to some hours.
Scanning these computers for viruses with multiple scanners did not show any result. Obviously these network packets are also sent at an early stage during system boot.
None of these computers is running any software or boot ROMs or similar things that could send something like that.
Any ideas what this could be??? I'm totally clueless!
The packet filter does not give me much detail; all I've got at the moment is, for example, something like this:
Oct 18 08:26:21 mailgate kernel: gShield (INVALID drop) IN=eth0 OUT= MAC=01:00:5e:00:00:02:00:04:76:e4:0b:79:08:00 SRC=192.168.2.131 DST=224.0.0.2 LEN=28 TOS=0x00 PREC=0x00 TTL=128 ID=512 PROTO=ICMP TYPE=10 CODE=0
Oct 18 08:26:31 mailgate kernel: gShield (INVALID drop) IN=eth0 OUT= MAC=01:00:5e:00:00:02:00:04:76:e4:0b:79:08:00 SRC=192.168.2.131 DST=224.0.0.2 LEN=28 TOS=0x00 PREC=0x00 TTL=128 ID=768 PROTO=ICMP TYPE=10 CODE=0
Oct 18 08:26:35 mailgate kernel: gShield (INVALID drop) IN=eth0 OUT= MAC=01:00:5e:00:00:02:00:04:76:e4:0b:79:08:00 SRC=192.168.2.131 DST=224.0.0.2 LEN=28 TOS=0x00 PREC=0x00 TTL=128 ID=1024 PROTO=ICMP TYPE=10 CODE=0
Oct 18 11:05:08 mailgate kernel: gShield (INVALID drop) IN=eth0 OUT= MAC=01:00:5e:00:00:02:00:04:76:e4:0b:79:08:00 SRC=192.168.2.131 DST=224.0.0.2 LEN=28 TOS=0x00 PREC=0x00 TTL=128 ID=256 PROTO=ICMP TYPE=10 CODE=0
Oct 18 11:05:19 mailgate kernel: gShield (INVALID drop) IN=eth0 OUT= MAC=01:00:5e:00:00:02:00:04:76:e4:0b:79:08:00 SRC=192.168.2.131 DST=224.0.0.2 LEN=28 TOS=0x00 PREC=0x00 TTL=128 ID=512 PROTO=ICMP TYPE=10 CODE=0
Oct 18 11:05:23 mailgate kernel: gShield (INVALID drop) IN=eth0 OUT= MAC=01:00:5e:00:00:02:00:04:76:e4:0b:79:08:00 SRC=192.168.2.131 DST=224.0.0.2 LEN=28 TOS=0x00 PREC=0x00 TTL=128 ID=768 PROTO=ICMP TYPE=10 CODE=0
Oct 18 11:13:28 mailgate kernel: gShield (INVALID drop) IN=eth0 OUT= MAC=01:00:5e:00:00:02:00:04:76:e4:0b:79:08:00 SRC=192.168.2.131 DST=224.0.0.2 LEN=28 TOS=0x00 PREC=0x00 TTL=128 ID=1792 PROTO=ICMP TYPE=10 CODE=0
Oct 18 11:13:39 mailgate kernel: gShield (INVALID drop) IN=eth0 OUT= MAC=01:00:5e:00:00:02:00:04:76:e4:0b:79:08:00 SRC=192.168.2.131 DST=224.0.0.2 LEN=28 TOS=0x00 PREC=0x00 TTL=128 ID=2048 PROTO=ICMP TYPE=10 CODE=0
Oct 18 11:13:43 mailgate kernel: gShield (INVALID drop) IN=eth0 OUT= MAC=01:00:5e:00:00:02:00:04:76:e4:0b:79:08:00 SRC=192.168.2.131 DST=224.0.0.2 LEN=28 TOS=0x00 PREC=0x00 TTL=128 ID=2304 PROTO=ICMP TYPE=10 CODE=0
Oct 18 11:36:50 mailgate kernel: gShield (INVALID drop) IN=eth0 OUT= MAC=01:00:5e:00:00:02:00:04:76:e4:0b:79:08:00 SRC=192.168.2.131 DST=224.0.0.2 LEN=28 TOS=0x00 PREC=0x00 TTL=128 ID=256 PROTO=ICMP TYPE=10 CODE=0
Oct 18 11:37:01 mailgate kernel: gShield (INVALID drop) IN=eth0 OUT= MAC=01:00:5e:00:00:02:00:04:76:e4:0b:79:08:00 SRC=192.168.2.131 DST=224.0.0.2 LEN=28 TOS=0x00 PREC=0x00 TTL=128 ID=512 PROTO=ICMP TYPE=10 CODE=0
Oct 18 11:37:05 mailgate kernel: gShield (INVALID drop) IN=eth0 OUT= MAC=01:00:5e:00:00:02:00:04:76:e4:0b:79:08:00 SRC=192.168.2.131 DST=224.0.0.2 LEN=28 TOS=0x00 PREC=0x00 TTL=128 ID=768 PROTO=ICMP TYPE=10 CODE=0
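Added example, not part of the post: a small Python checker that parses log lines in the gShield/netfilter format quoted above, keeps only the entries that are ICMP type 10 to 224.0.0.2 (an ICMP Router Solicitation to the all-routers group, per RFC 1256 router discovery), and reports per-host bursts of three or more inside one minute, the pattern the logs show. The sample lines are constructed in the same shape; the second host 192.168.2.140 and its echo request are invented for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample shaped like the gShield/netfilter lines quoted in the post;
# the last line is an invented echo request from a second host for contrast.
SAMPLE_LOG = """\
Oct 18 08:26:21 mailgate kernel: gShield (INVALID drop) IN=eth0 OUT= MAC=01:00:5e:00:00:02:00:04:76:e4:0b:79:08:00 SRC=192.168.2.131 DST=224.0.0.2 LEN=28 TOS=0x00 PREC=0x00 TTL=128 ID=512 PROTO=ICMP TYPE=10 CODE=0
Oct 18 08:26:31 mailgate kernel: gShield (INVALID drop) IN=eth0 OUT= MAC=01:00:5e:00:00:02:00:04:76:e4:0b:79:08:00 SRC=192.168.2.131 DST=224.0.0.2 LEN=28 TOS=0x00 PREC=0x00 TTL=128 ID=768 PROTO=ICMP TYPE=10 CODE=0
Oct 18 08:26:35 mailgate kernel: gShield (INVALID drop) IN=eth0 OUT= MAC=01:00:5e:00:00:02:00:04:76:e4:0b:79:08:00 SRC=192.168.2.131 DST=224.0.0.2 LEN=28 TOS=0x00 PREC=0x00 TTL=128 ID=1024 PROTO=ICMP TYPE=10 CODE=0
Oct 18 09:00:00 mailgate kernel: gShield (INVALID drop) IN=eth0 OUT= MAC=01:00:5e:00:00:02:00:04:76:e4:0b:79:08:00 SRC=192.168.2.140 DST=224.0.0.2 LEN=28 TOS=0x00 PREC=0x00 TTL=128 ID=256 PROTO=ICMP TYPE=8 CODE=0
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
ALL_ROUTERS = "224.0.0.2"  # all-routers link-local multicast group (RFC 1256)

def parse_line(line):
    """Split one netfilter-style log line into its KEY=VALUE fields plus a timestamp."""
    fields = dict(KV_RE.findall(line))
    # syslog prefix is the first 15 characters, e.g. "Oct 18 08:26:21" (no year logged)
    fields["ts"] = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    return fields

def is_router_solicitation(f):
    """ICMP type 10 sent to 224.0.0.2 is an ICMP Router Solicitation (RFC 1256)."""
    return f.get("PROTO") == "ICMP" and f.get("TYPE") == "10" and f.get("DST") == ALL_ROUTERS

def solicitation_bursts(log_text, window=timedelta(seconds=60), min_count=3):
    """Return (src, first_timestamp, count) for every source that sent
    min_count or more router solicitations inside one window."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if is_router_solicitation(f):
            per_src[f["SRC"]].append(f["ts"])
    bursts = []
    for src, times in per_src.items():
        times.sort()
        i = 0
        while i < len(times):
            j = i  # extend the window from times[i] as far as it reaches
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= min_count:
                bursts.append((src, times[i], j - i + 1))
            i = j + 1
    return bursts
```

Run `solicitation_bursts(SAMPLE_LOG)` on a real export of the firewall log to list which hosts send the three-packet solicitation burst and when; a host that solicits only at boot and every few minutes to hours, as described in the post, will show up as one burst per occurrence.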