ferp2 (Tux's lil' helper)
Joined: 13 Aug 2002, Posts: 104
Posted: Thu Apr 15, 2004 9:20 pm
Post subject: Suspicious network activity
Hi,
I started playing around with packet sniffers, namely tcpdump running on my Gentoo gateway. Anyway, I wanted to view traffic between the gateway and the various PCs on the subnet. When I looked at traffic between the gateway and a PC running Windows 98, I noticed the Windows PC sending a constant stream of packets:
./tcpdump -i eth1 host 192.168.0.3
17:15:40.627045 porta.domain > capnatur.1551: 57246[|domain] (DF)
17:15:40.635771 capnatur.1552 > porta.domain: 24+[|domain]
17:15:40.636351 porta.domain > capnatur.1552: 24[|domain] (DF)
17:15:40.637415 capnatur.1553 > mail-wol.libertysurf.net.smtp: S 2399979:2399979(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
17:15:43.613001 capnatur.1553 > mail-wol.libertysurf.net.smtp: S 2399979:2399979(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
17:15:44.525562 capnatur.1554 > porta.domain: 7086+[|domain]
17:15:44.526492 porta.domain > capnatur.1554: 7086 1/0/0 (49) (DF)
17:15:44.534647 capnatur.1555 > smtp.wanadoo.fr.smtp: S 2403877:2403877(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
17:15:44.612850 capnatur.1550 > mc2.bay6.hotmail.com.smtp: S 2395021:2395021(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
17:15:47.512390 capnatur.1555 > smtp.wanadoo.fr.smtp: S 2403877:2403877(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
17:15:49.612097 capnatur.1553 > mail-wol.libertysurf.net.smtp: S 2399979:2399979(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
17:15:53.511497 capnatur.1555 > smtp.wanadoo.fr.smtp: S 2403877:2403877(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
17:15:56.611015 capnatur.1550 > mc2.bay6.hotmail.com.smtp: S 2395021:2395021(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
17:15:59.572764 capnatur.1556 > porta.domain: 58344+[|domain]
17:15:59.573667 porta.domain > capnatur.1556: 58344 1/0/0 (50) (DF)
17:15:59.576142 capnatur.1557 > porta.domain: 29+[|domain]
17:15:59.576729 porta.domain > capnatur.1557: 29[|domain] (DF)
17:15:59.577819 capnatur.1558 > th04.ifrance.com.smtp: S 2418923:2418923(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
17:16:01.610254 capnatur.1553 > mail-wol.libertysurf.net.smtp: S 2399979:2399979(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
17:16:02.510085 capnatur.1558 > th04.ifrance.com.smtp: S 2418923:2418923(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
17:16:05.509633 capnatur.1555 > smtp.wanadoo.fr.smtp: S 2403877:2403877(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
capnatur is the name of the Win98 machine. It's just sending these packets out constantly. Perhaps this isn't the best place to ask this sort of question, but I would like to get to the bottom of this problem. Maybe someone could recommend where I could get answers. I've run Ad-Aware and turned off all the userland programs, but Win98 still spews out these packets nonetheless.
Thanks,
Mark
davidblewett (Apprentice)
Joined: 15 Feb 2004, Posts: 274, Location: Indiana
Posted: Thu Apr 15, 2004 9:36 pm
Here is a complete shot in the dark, but this:
Quote: mail-wol.libertysurf.net.smtp
looks suspicious to me. Might the "wol" mean Wake On LAN? The packet might be intended to wake a different machine, announcing that the Win98 machine is now on the net and open.
_________________
No guilt in life, no fear in death
this is the power of Christ in me
From life's first cry to final breath
Jesus commands my destiny
-- Newsboys, "In Christ Alone", "Adoration: The Worship Album"
smart (Guru)
Joined: 19 Nov 2002, Posts: 455
Posted: Fri Apr 16, 2004 1:00 pm
No, I don't think this has anything to do with Wake-on-LAN.
Rerun your dump like this, wait a bit and we'll see what it gives.
tcpdump -A -i eth1 host 192.168.0.3 and dst port 25
It might be that your machine has become a spam zombie. We'll see.
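A defender-side check in the spirit of smart's "dst port 25" filter, added here as an example and not code from anyone in the thread: it parses classic tcpdump lines in the format quoted above and flags hosts that open SMTP connections to many distinct mail servers, the pattern a mass-mailing worm or spam zombie produces (a desktop normally talks to a single relay). The sample lines, hostnames and sequence numbers are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the tcpdump output quoted in the thread.
SAMPLE_DUMP = """\
17:15:40.635771 capnatur.1552 > porta.domain: 24+[|domain]
17:15:40.636351 porta.domain > capnatur.1552: 24[|domain] (DF)
17:15:40.637415 capnatur.1553 > mail-a.example.net.smtp: S 2399979:2399979(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
17:15:43.613001 capnatur.1553 > mail-a.example.net.smtp: S 2399979:2399979(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
17:15:44.534647 capnatur.1555 > smtp.example.org.smtp: S 2403877:2403877(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
17:15:44.612850 capnatur.1550 > mx.example.com.smtp: S 2395021:2395021(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
17:15:47.512390 capnatur.1555 > smtp.example.org.smtp: S 2403877:2403877(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
17:15:59.577819 capnatur.1558 > mail.example.edu.smtp: S 2418923:2418923(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
17:16:02.510085 capnatur.1558 > mail.example.edu.smtp: S 2418923:2418923(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
17:16:10.000000 porta.1020 > mx.example.com.smtp: S 1111:1111(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
"""

# Classic tcpdump TCP SYN line: "time src.port > dst.port: S seq:seq(0) ..."
SYN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+)\.(?P<dport>\w+): S (?P<seq>\d+):\d+\(0\)"
)

def smtp_syn_summary(dump):
    """Per source host: outbound SMTP SYNs, distinct mail servers contacted, and
    retransmitted SYNs (same source port and sequence number seen again, which
    means no SYN-ACK came back, as in the dump above)."""
    stats = defaultdict(lambda: {"syns": 0, "servers": set(), "retrans": 0, "seen": set()})
    for line in dump.splitlines():
        m = SYN_RE.match(line)
        if not m or m.group("dport") != "smtp":
            continue  # DNS lookups, replies and non-SYN traffic are not of interest
        s = stats[m.group("src")]
        s["syns"] += 1
        s["servers"].add(m.group("dst"))
        key = (m.group("sport"), m.group("seq"))
        if key in s["seen"]:
            s["retrans"] += 1
        s["seen"].add(key)
    return {h: {"syns": v["syns"], "servers": len(v["servers"]), "retrans": v["retrans"]}
            for h, v in stats.items()}

def suspect_hosts(dump, min_servers=3):
    """Hosts that tried to reach at least min_servers different SMTP servers."""
    return sorted(h for h, v in smtp_syn_summary(dump).items() if v["servers"] >= min_servers)

if __name__ == "__main__":
    for host, v in smtp_syn_summary(SAMPLE_DUMP).items():
        print(host, v)
    print("suspect:", suspect_hosts(SAMPLE_DUMP))
```

Pipe a live capture through it with `tcpdump -l -i eth1 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 25'` to see only the outbound connection attempts; the `-A` payload view smart suggests then confirms whether actual mail is being sent.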
ferp2 (Tux's lil' helper)
Joined: 13 Aug 2002, Posts: 104
Posted: Fri Apr 16, 2004 6:47 pm
Thanks for your replies.
And thanks to tcpdump and my decision to start taking a look at my network activity, I discovered a worm on the sole Windows machine that I have, one that I would be only too happy to migrate to Linux if I could. After some more investigation, I discovered that my Win98 had a case of the Netsky worm. As of now the problem has been dealt with, and I no longer find any strange activity coming from the Win PC. I sort of regret having sent this post, since this was obviously a Windows problem and didn't have anything to do with Linux or Gentoo.
smart:
You may have been right about the worm turning the Win PC into a spam zombie.
Chris W (l33t)
Joined: 25 Jun 2002, Posts: 972, Location: Brisbane, Australia
Posted: Fri Apr 16, 2004 11:52 pm
Using Linux to solve Windows problems seems like a perfectly fine use of this forum. Glad you found it out.
_________________
Cheers,
Chris W
"Common sense: The collection of prejudices acquired by age 18." -- Einstein