**Smurf** ?

Started by dlorde, Mar 13, 2008, 19:36:40


dlorde

I'm seeing quite a few of these messages in the modem/router log, all identical:

03/13/2008  18:35:37 **Smurf** 208.255.255.255->> 208.69.32.130, Type:3, Code:3 (from ATM1 Outbound)

Any ideas?
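For anyone trying to read entries like the one above, here is an added example (not from the thread or the router vendor) that parses this log format, names the ICMP type/code from RFC 792 (Type 3, Code 3 is "destination unreachable, port unreachable"), groups the entries into flows and measures how often they recur. A classic smurf is an ICMP echo flood bounced off a directed broadcast address, so the function also reports whether an entry is actually echo traffic or merely carries a broadcast-looking x.255.255.255 address, which is the kind of thing a crude router heuristic keys on. Only the first sample line is the real one from the post; the other three are constructed to mimic a roughly twelve-minute cadence.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample log. Only the first line appears in the thread; the
# others are made up to reproduce a roughly twelve-minute cadence so the
# interval maths has something to work on.
SAMPLE_LOG = """\
03/13/2008  18:35:37 **Smurf** 208.255.255.255->> 208.69.32.130, Type:3, Code:3 (from ATM1 Outbound)
03/13/2008  18:47:40 **Smurf** 208.255.255.255->> 208.69.32.130, Type:3, Code:3 (from ATM1 Outbound)
03/13/2008  18:59:36 **Smurf** 208.255.255.255->> 208.69.32.130, Type:3, Code:3 (from ATM1 Outbound)
03/13/2008  19:11:41 **Smurf** 208.255.255.255->> 208.69.32.130, Type:3, Code:3 (from ATM1 Outbound)
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"\*\*(?P<label>[^*]+)\*\*\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})->>\s*(?P<dst>\d{1,3}(?:\.\d{1,3}){3}),\s*"
    r"Type:(?P<type>\d+),\s*Code:(?P<code>\d+)\s*"
    r"\(from\s+(?P<iface>\S+)\s+(?P<direction>\w+)\)\s*$"
)

# RFC 792 names for the types and destination-unreachable codes that turn
# up in home-router logs; anything else is reported numerically.
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 5: "redirect",
              8: "echo request", 11: "time exceeded"}
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable",
                     2: "protocol unreachable", 3: "port unreachable",
                     4: "fragmentation needed", 13: "administratively prohibited"}


def parse_line(line):
    """Return a dict for one router log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["type"], e["code"] = int(e["type"]), int(e["code"])
    e["when"] = datetime.strptime(f"{e['date']} {e['time']}", "%m/%d/%Y %H:%M:%S")
    return e


def describe_icmp(icmp_type, code):
    """Human-readable ICMP type/code, e.g. 'destination unreachable / port unreachable'."""
    t = ICMP_TYPES.get(icmp_type, f"type {icmp_type}")
    if icmp_type == 3:
        return f"{t} / {UNREACHABLE_CODES.get(code, f'code {code}')}"
    return f"{t} / code {code}"


def smurf_assessment(entry):
    """A smurf is an ICMP echo flood bounced off a directed broadcast.
    Distinguish real echo traffic from an entry that merely carries a
    broadcast-looking address, which is all a crude heuristic checks."""
    is_echo = entry["type"] in (0, 8)
    bcast = any(ip.endswith(".255") for ip in (entry["src"], entry["dst"]))
    if is_echo and bcast:
        return "consistent with smurf (echo traffic with a broadcast address)"
    if bcast:
        return "broadcast-looking address but not echo traffic: label is a heuristic"
    return "no smurf indicators"


def analyse(log_text):
    """Parse a whole log and summarise flows, cadence and what the ICMP means."""
    entries = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    entries.sort(key=lambda e: e["when"])
    gaps = [(b["when"] - a["when"]).total_seconds()
            for a, b in zip(entries, entries[1:])]
    flows = {}
    for e in entries:
        key = (e["src"], e["dst"], e["type"], e["code"], e["direction"])
        flows[key] = flows.get(key, 0) + 1
    return {
        "count": len(entries),
        "flows": flows,
        "median_interval_s": median(gaps) if gaps else None,
        "icmp": describe_icmp(entries[0]["type"], entries[0]["code"]) if entries else None,
        "assessment": smurf_assessment(entries[0]) if entries else None,
    }


if __name__ == "__main__":
    for k, v in analyse(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Paste the real log into SAMPLE_LOG and the flow table plus the median interval tell you whether one source/destination pair is repeating on a timer, which is the kind of regularity that points at a process on the LAN rather than at random inbound noise.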

Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Philip


Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

dlorde

OK, so I'm being attacked... are there any steps I should take, other than standard AV & anti-spyware?

Rik

You should be safe, though the outbound troubles me a little. I'd certainly run a virus can and a couple of spyware sweeps if I were you.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Philip

I did a quick Google on 208.69.32.130, and it looks like it could be spyware.

Lance

Certainly do a scan of the system to check for any nasties.  :)
Lance
_____

This post reflects my own views, opinions and experience, not those of IDNet.

dlorde

I schedule regular scans - nothing showing up on the scanners apart from the usual tracking cookies (using MS Defender, ZoneAlarm AV/Anti-spyware, AVG Anti-spyware).

Dangerjunkie

Hi,

I'd run Spybot Search and Destroy and Adaware (both available from http://www.download.com) too. That way you should have missed nothing.

If you're still worried I'd check all the programs that autostart using Autoruns and scan the machine with RootKitRevealer (both available at http://www.sysinternals.com )

Good luck,
Paul.

Simon

Quote from: Rik on Mar 13, 2008, 19:46:00
You should be safe, though the outbound troubles me a little. I'd certainly run a virus can and a couple of spyware sweeps if I were you.

Does a virus can require a tin opener?  ;D
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Philip

Quote from: Simon on Mar 13, 2008, 21:58:40
Does a virus can require a tin opener?  ;D
Yes, but make sure you wear gloves :eek4:

somanyholes

Hey

Do you use opendns as your name servers?

Cheers

so

kinmel

Alan  ‹(•¿•)›

What is the date of the referendum for England to become an independent country ?

dlorde

Quote from: somanyholes on Mar 13, 2008, 22:11:39
Do you use opendns as your name servers?
I tried it a while ago when I was having problems accessing some sites with Pipex, but when I set up IDNet I switched to the IDNet DNS addresses.

dlorde

Thanks for all the security software suggestions - I'm going to be spending the rest of the week scanning my machine!

Mytheroo

 :rant2: What the smurf are you smurfing about, you gotta set it to be smurfable and enable backsmurf :thumb:

(If i'm talking rubbish I blame a smurf dream I once had ;D)
There are 10 kinds of people, those who understand binary and those who don't.

somanyholes

Hey

208.69.32.130 belongs to OpenDNS. If you are definitely not using OpenDNS locally on your machines or on your router, then it does look like you have unwanted code on your network. http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

The app above will try to show you your TCP connections. Look for any traffic going to 208.69.32.130 and see what ports it's using; it looks like it might be using NBT, which is used for file and printer sharing (445). The app may show you which application on your machine is trying to connect outbound.

Cheers

so
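One caveat for the port-hunting step: a connection-table tool lists TCP and UDP endpoints, but the router entry is an ICMP Type 3, Code 3 message, which is not a connection and will not appear in such a list. What the ICMP message does carry, by RFC 792, is the IP header and first eight transport bytes of the datagram it is rejecting, and that is where the ports come from. The following is an added example, not code from the thread: it builds such a packet from constructed addresses and then decodes it, checksum included. The 192.168.1.10 LAN address and the 53 to 1025 port pair are assumptions chosen for the illustration, not something the thread establishes.

```python
import socket  # used only for inet_aton/inet_ntoa; nothing touches the network
import struct

# Constructed addresses. REMOTE is the destination from the router log in
# the thread; LAN_HOST is an assumption standing in for the PC.
LAN_HOST = "192.168.1.10"
REMOTE = "208.69.32.130"

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable",
                     2: "protocol unreachable", 3: "port unreachable",
                     4: "fragmentation needed", 13: "administratively prohibited"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum. Returns 0 when run over data whose
    checksum field is already correct, which is how validation works."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0x1234):
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def udp_header(sport, dport, payload_len):
    """UDP header; checksum left at 0 (optional in IPv4) since only the
    first eight bytes are ever quoted back."""
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def icmp_port_unreachable(sender, offender, rejected_datagram):
    """IP+ICMP type 3 code 3 as a host emits it: the ICMP body quotes the
    rejected datagram's IP header plus its first 8 transport bytes."""
    quoted = rejected_datagram[:28]
    body = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    icmp = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(sender, offender, 1, len(icmp)) + icmp


def parse_icmp_unreachable(pkt: bytes) -> dict:
    """Decode an IP+ICMP destination-unreachable packet and recover the
    addresses, protocol and ports of the datagram it is rejecting."""
    ihl = (pkt[0] & 0x0F) * 4
    outer = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if outer[6] != 1:
        raise ValueError("not ICMP")
    icmp = pkt[ihl:outer[2]]          # outer[2] is the IP total length
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 3:
        raise ValueError(f"not destination unreachable (type {icmp_type})")
    inner = icmp[8:]                  # quoted header of the rejected datagram
    inner_ihl = (inner[0] & 0x0F) * 4
    inner_hdr = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "from": socket.inet_ntoa(outer[8]), "to": socket.inet_ntoa(outer[9]),
        "type": icmp_type, "code": code,
        "reason": UNREACHABLE_CODES.get(code, f"code {code}"),
        "rejected_src": socket.inet_ntoa(inner_hdr[8]),
        "rejected_dst": socket.inet_ntoa(inner_hdr[9]),
        "rejected_proto": PROTO_NAMES.get(inner_hdr[6], str(inner_hdr[6])),
        "rejected_sport": sport, "rejected_dport": dport,
    }


def sample_packet() -> bytes:
    """Constructed scenario: a 40-byte UDP datagram from REMOTE port 53 hits
    closed local port 1025 and the PC answers with port-unreachable.
    The 53/1025 pair is an assumption for illustration only."""
    rejected = ipv4_header(REMOTE, LAN_HOST, 17, 8 + 40) + udp_header(53, 1025, 40)
    return icmp_port_unreachable(LAN_HOST, REMOTE, rejected)


if __name__ == "__main__":
    for k, v in parse_icmp_unreachable(sample_packet()).items():
        print(f"{k}: {v}")
```

Feed parse_icmp_unreachable the raw bytes of a captured Type 3 message and the rejected_* fields tell you which remote port sent the datagram and which local port refused it, which narrows the search to whatever on the PC had recently been listening (or had stopped listening) on that port.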

Rik

Nice thread, guys, thanks for all the input. :)
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

dlorde

Quote from: somanyholes on Mar 14, 2008, 07:45:28
208.69.32.130 belongs to OpenDNS. If you are definitely not using OpenDNS locally on your machines or on your router, then it does look like you have unwanted code on your network. http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

The app above will try to show you your TCP connections. Look for any traffic going to 208.69.32.130 and see what ports it's using; it looks like it might be using NBT, which is used for file and printer sharing (445). The app may show you which application on your machine is trying to connect outbound.
I've checked all the TCP connections - no sign of 208.69.32.130. I blocked the URL with the ZoneAlarm firewall, I've run all the scanners, and removed all unnecessary startup programs and services, and I still see a **Smurf** message about every 12 minutes - it still happened when I booted up in safe mode with networking...

I dunno...

Sebby

As Alan suggested a few posts back, HiJackThis is a good tool. If you download that, run a scan, then post the log here, one of us will see if there's anything running that shouldn't be (I'm certainly familiar with HJT log files). It's usually quite a definitive way of knowing whether you have any malware.

somanyholes

Hey

Do you have more than one machine on your network (any laptops etc.)? If so, the best way of sussing this out is to turn all but one off, keep checking for messages, then turn another one on with the rest off and see if you still get messages. This will help diagnose whether it is one machine or another, or whether it is nothing to do with any machines or your LAN.

somanyholes

If there is just one machine on your LAN and you are still getting these messages on your router, turn your PC off for a while, then back on again, and see if there are log entries in the router during the period your machine was turned off.

dlorde

Interesting - I rebooted again this morning, and now I'm not seeing the smurfs... looks like something I disabled was the culprit.

My network is rudimentary - 1 PC, 1 NAS, and a Squeezebox. I wasn't getting the smurfs when the PC was disconnected, so it was something on the PC.

I can now re-enable, one by one, stuff that will be useful, and see if the smurfs start up again.

I've downloaded HijackThis and got a log of the current PC state, so if they come back again, I can do a comparison.

Thanks for all the help and software suggestions, I'll let you know if the smurfs return and/or if I discover what was causing them ;-)

What a nice forum this is!  ;D

Rik

We try - and some find us very trying. ;)
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.