**Smurf** ?

Started by dlorde, Mar 13, 2008, 19:36:40

dlorde

I'm seeing quite a few of these messages in the modem/router log, all identical:

03/13/2008  18:35:37 **Smurf** 208.255.255.255->> 208.69.32.130, Type:3, Code:3 (from ATM1 Outbound)

Any ideas?

dlorde

OK, so I'm being attacked... are there any steps I should take, other than standard AV & anti-spyware?

Rik

You should be safe, though the outbound troubles me a little. I'd certainly run a virus can and a couple of spyware sweeps if I were you.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Philip

Did a quick Google on 208.69.32.130 and it looks like it could be spyware.

Lance

Certainly do a scan of the system to check for any nasties.  :)

dlorde

I schedule regular scans - nothing showing up on the scanners apart from the usual tracking cookies (using MS Defender, ZoneAlarm AV/Anti-spyware, AVG Anti-spyware).

Dangerjunkie

Hi,

I'd run Spybot Search and Destroy and Adaware (both available from http://www.download.com) too. That way you should have missed nothing.

If you're still worried I'd check all the programs that autostart using Autoruns and scan the machine with RootKitRevealer (both available at http://www.sysinternals.com )

Good luck,
Paul.

Simon

Quote from: Rik on Mar 13, 2008, 19:46:00
You should be safe, though the outbound troubles me a little. I'd certainly run a virus can and a couple of spyware sweeps if I were you.

Does a virus can require a tin opener?  ;D

Philip

Quote from: Simon on Mar 13, 2008, 21:58:40
Does a virus can require a tin opener?  ;D
Yes, but make sure you wear gloves :eek4:

somanyholes

Hey

Do you use opendns as your name servers?

Cheers

so

dlorde

Quote from: somanyholes on Mar 13, 2008, 22:11:39
Do you use opendns as your name servers?
I tried it a while ago when I was having problems accessing some sites with Pipex, but when I set up IDNet I switched to the IDNet DNS addresses.

dlorde

Thanks for all the security software suggestions - I'm going to be spending the rest of the week scanning my machine!

Mytheroo

 :rant2: What the smurf are you smurfing about? You gotta set it to be smurfable and enable backsmurf :thumb:

(If I'm talking rubbish, I blame a smurf dream I once had ;D)
There are 10 kinds of people, those who understand binary and those who don't.

somanyholes

Hey

208.69.32.130 belongs to OpenDNS. If you are definitely not using OpenDNS locally on your machines or on your router, then it does look like you have unwanted code on your network. http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

The app above will try to show you your TCP connections; look for any traffic going to 208.69.32.130 and see what ports it's using. It looks like it might be using NBT, which is used for file and printer sharing (445). The app may show you which application on your machine is trying to connect outbound.

Cheers

so

Rik

Nice thread, guys, thanks for all the input. :)

dlorde

Quote from: somanyholes on Mar 14, 2008, 07:45:28
208.69.32.130 belongs to OpenDNS. If you are definitely not using OpenDNS locally on your machines or on your router, then it does look like you have unwanted code on your network. http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

The app above will try to show you your TCP connections; look for any traffic going to 208.69.32.130 and see what ports it's using. It looks like it might be using NBT, which is used for file and printer sharing (445). The app may show you which application on your machine is trying to connect outbound.
I've checked all the TCP connections - no sign of 208.69.32.130. I blocked the URL with ZoneAlarm firewall, I've run all the scanners, and removed all unnecessary startup programs and services, and I still see a **Smurf** message about every 12 minutes - it still happened when I booted up in safe mode with networking...

I dunno...

Sebby

As Alan suggested a few posts back, HiJackThis is a good tool. If you download that, run a scan, then post the log here, one of us will see if there's anything running that shouldn't be (I'm certainly familiar with HJT log files). It's usually quite a definitive way of knowing whether you have any malware.

somanyholes

Hey

Do you have more than one machine on your network (any laptops etc.)? If so, the best way of sussing this out is to turn all but one off, keep checking for messages, then turn another one on with the rest off and see if you still get messages. This will help diagnose whether it is one machine or another, or whether it is nothing to do with any of your machines or your LAN.

somanyholes

If there is just one machine on your LAN, and you are still getting these messages on your router, turn your PC off for a while, then back on again, and see if there are log entries in the router for the period your machine was turned off.

dlorde

Interesting - I rebooted again this morning, and now I'm not seeing the smurfs... looks like something I disabled was the culprit.

My network is rudimentary - 1 PC, 1 NAS, and a Squeezebox. I wasn't getting the smurfs when the PC was disconnected, so it was something on the PC.

I can now re-enable, one by one, stuff that will be useful, and see if the smurfs start up again.

I've downloaded HijackThis and got a log of the current PC state, so if they come back again, I can do a comparison.

Thanks for all the help and software suggestions, I'll let you know if the smurfs return and/or if I discover what was causing them ;-)

What a nice forum this is!  ;D

Rik

We try - and some find us very trying. ;)

Sebby

Glad you like the forum! Let us know if the smurf returns.  :)

Rik

If he's singing that awful song, please don't tell us.  ;D

madasahatter

I'll have you know I bought that Rik - absolutely loved it.

Rik

It must be something to do with Hoobism. :)

dlorde

Well I found the source of the smurf messages - it wasn't the PC after all, it's the NAS, a Synology Disk Station 106e. The messages stopped when it was disconnected - I've verified this a couple of times. Now I've disabled all the optional network services on the Disk Station, but it's still smurfing every 12 minutes. I can only guess that it's what it does.

I'll see what they say on the Synology forums...

Philip

so what were the little blue men (that no one else can see) saying to you then, :crazy:    you can tell me, I'm the Doctor :legpull:

Rik

Quote from: dlorde on Mar 15, 2008, 17:05:30
I'll see what they say on the Synology forums...

Let us know, will you. I'm intrigued now.

Sebby

I wonder if it could be the router incorrectly identifying whatever the NAS is doing as a smurf attack.

Rik

That's entirely possible, of course. Life is so complicated.  :stars:

scook94

Quote from: Sebby on Mar 15, 2008, 18:03:44
I wonder if it could be the router incorrectly identifying whatever the NAS is doing as a smurf attack.
I used to get smurf attacks being reported by my old router, I can't however remember the cause, but it was definitely something innocuous being misreported...

dlorde

Quote from: scook94 on Mar 16, 2008, 20:01:03
I used to get smurf attacks being reported by my old router, I can't however remember the cause, but it was definitely something innocuous being misreported...
I've had no response from the Synology forums, but I'm pretty sure it must be something innocuous - there's nothing but standard software on there, and the single messages are only appearing about every 12 mins.

Rik

Such regularity suggests hardware rather than software to me.

dlorde

It turned out to be an old SlimServer service still running, perhaps accessing SqueezeNetwork. When I deleted it and rebooted the Disk Station, the messages stopped  :)

Lance

That's good! Thanks for letting us know!

Sebby

Quote from: dlorde on Mar 24, 2008, 20:16:21
It turned out to be an old SlimServer service still running, perhaps accessing SqueezeNetwork. When I deleted it and rebooted the Disk Station, the messages stopped  :)

Excellent. :)

dlorde

Yes, given the low frequency and regularity of the messages, it was unlikely to be an ICMP attack, and given that the Disk Station was the source, it was likely to be something running on it...

Despite my telling them that the messages were outgoing, regular, relatively infrequent, and clearly originated from the DS106e (I posted an example and gave them the timings), the Synology forum eventually replied to say:

"Our engineers believe you are experiencing a ICMP Attack, and is not originating from the DS106e. Please look <here> for further information."

<here> was a link to the Wikipedia article on ICMP attacks... <sigh>.

To say I'm disappointed with Synology 'engineers' is an understatement. You guys did better than that with commonsense, in a fraction of the time  :laugh:
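
As an added worked example (editor's code, not posted by anyone in this thread): the triage the thread converges on, in Python. It parses the router's log format, applies the textbook definition of a Smurf attack (an ICMP echo request, type 8, sent to a broadcast address so that every host on that network answers a spoofed victim), measures how regular the gaps between messages are, and checks which device's power-on windows each message falls into, as somanyholes suggested. The logged message is ICMP type 3, code 3, which is "destination unreachable / port unreachable" per RFC 792, an error report rather than an echo. Only the first sample log line is the one from the thread; the other three lines, the device uptime windows, and the "last octet is 255" test assumed to be what the router's Smurf signature keys on are constructed for illustration.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. The first line is the one quoted in the thread; the other
# three are made up at the roughly 12-minute spacing the poster reported.
SAMPLE_LOG = """\
03/13/2008  18:35:37 **Smurf** 208.255.255.255->> 208.69.32.130, Type:3, Code:3 (from ATM1 Outbound)
03/13/2008  18:47:38 **Smurf** 208.255.255.255->> 208.69.32.130, Type:3, Code:3 (from ATM1 Outbound)
03/13/2008  18:59:37 **Smurf** 208.255.255.255->> 208.69.32.130, Type:3, Code:3 (from ATM1 Outbound)
03/13/2008  19:11:38 **Smurf** 208.255.255.255->> 208.69.32.130, Type:3, Code:3 (from ATM1 Outbound)
"""

# Constructed power-on windows for the isolation test (switch devices off one at a
# time and see whether the messages continue). The PC is off for the third entry.
SAMPLE_UPTIME = {
    "PC":  [(datetime(2008, 3, 13, 18, 30), datetime(2008, 3, 13, 18, 50)),
            (datetime(2008, 3, 13, 19, 5), datetime(2008, 3, 13, 19, 20))],
    "NAS": [(datetime(2008, 3, 13, 18, 30), datetime(2008, 3, 13, 19, 20))],
}

LINE_RE = re.compile(
    r"(?P<date>\d\d/\d\d/\d{4})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"\*\*(?P<label>[^*]+)\*\*\s+"
    r"(?P<src>[\d.]+)->>\s*(?P<dst>[\d.]+),\s*"
    r"Type:(?P<type>\d+),\s*Code:(?P<code>\d+)\s*\((?P<iface>[^)]*)\)"
)

# ICMP type 3 = destination unreachable; code 3 = port unreachable (RFC 792).
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable"}


def parse_log(text):
    """Parse every line in the router's format; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "ts": datetime.strptime(f"{d['date']} {d['time']}", "%m/%d/%Y %H:%M:%S"),
            "label": d["label"], "src": d["src"], "dst": d["dst"],
            "type": int(d["type"]), "code": int(d["code"]), "iface": d["iface"],
        })
    return entries


def looks_like_broadcast(ip):
    # Crude, mask-free test (last octet 255), assumed here to be the sort of check
    # behind the router's "Smurf" label. 208.255.255.255 passes it.
    return ip.split(".")[-1] == "255"


def assess_smurf(entry):
    """Return (verdict, reason). Smurf traffic is an echo request (type 8) to a
    broadcast address; a type 3 error report is not an echo, whatever the address."""
    t, c = entry["type"], entry["code"]
    if t == 8 and looks_like_broadcast(entry["dst"]):
        return "possible smurf", "echo request to a broadcast-looking address"
    if t == 3:
        what = UNREACH_CODES.get(c, f"code {c}")
        return "not smurf", (f"destination unreachable ({what}) is an error report, "
                             "not an echo; only the broadcast-looking address matched")
    return "unclassified", f"ICMP type {t}, code {c}"


def interval_stats(entries):
    """Seconds between consecutive entries; None if there are fewer than two."""
    ts = sorted(e["ts"] for e in entries)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if not gaps:
        return None
    return {"count": len(ts), "mean_s": mean(gaps), "stdev_s": pstdev(gaps)}


def is_periodic(stats, tolerance=0.1):
    """Near-constant gaps (stdev within 10% of the mean, 3+ entries) point at a
    timer, such as a service polling on a schedule, rather than a flood."""
    return (stats is not None and stats["count"] >= 3
            and stats["stdev_s"] <= tolerance * stats["mean_s"])


def hits_per_device(entries, uptime):
    """Count, per device, the entries logged while it was powered on. A device
    that was off when a message was logged cannot be its source; 'none' counts
    entries logged while every listed device was off."""
    counts = {dev: 0 for dev in uptime}
    counts["none"] = 0
    for e in entries:
        hit = False
        for dev, windows in uptime.items():
            if any(start <= e["ts"] <= end for start, end in windows):
                counts[dev] += 1
                hit = True
        if not hit:
            counts["none"] += 1
    return counts


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    stats = interval_stats(entries)
    print(assess_smurf(entries[0]))
    print(stats, "periodic" if is_periodic(stats) else "irregular")
    print(hits_per_device(entries, SAMPLE_UPTIME))
```

On the constructed data the verdict for the thread's line is "not smurf", the gaps average about 720 seconds with under a second of jitter, and the PC was off for one of the four messages while the NAS was on for all of them, which is the same conclusion the poster reached by unplugging things.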

Rik

Commonsense beats scripts any day. :)

Lance

We try our best!  ;D

Mytheroo

Ain't all that common these days though  :D