Ethereal-users: Re: [Ethereal-users] Possible Sasser Worm?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Tue, 04 Jan 2005 12:15:49 -0800
Pasquazzi, David wrote:
I am new to Ethereal and was performing a packet capture and noticed something odd. Does anyone have an idea of what this could be? Is this what I think it is? This is a single packet export to a text file.

No.  Time             Source       Destination  Protocol  Info
3    22:21:33.422151  192.168.0.1  192.168.0.5  Syslog    LOCAL1.NOTICE: Sasser: IP[Src=192.168.0.5 D...

Frame 3 (127 bytes on wire, 127 bytes captured)
Ethernet II, Src: 00:30:ab:05:05:9a, Dst: 00:04:ac:da:6c:6c
Internet Protocol, Src Addr: 192.168.0.1 (192.168.0.1), Dst Addr: 192.168.0.5 (192.168.0.5)
User Datagram Protocol, Src Port: 4096 (4096), Dst Port: syslog (514)
Syslog message: LOCAL1.NOTICE: Sasser: IP[Src=192.168.0.5 D...
    1000 1... = Facility: LOCAL1 - reserved for local use (17)
    .... .101 = Level: NOTICE - normal but significant condition (5)
Message: Sasser: IP[Src=192.168.0.5 Dst=204.1.226.230 TCP spo=01164 dpo=00080]}S01>R01nN

That packet is a message for the "syslog" protocol, a protocol that showed up with the "syslog" daemon on BSD UNIX; it's used to allow a process on one machine to log a message to a system log file on another machine.

The "Message:" part is the text of the message; I don't know what process is logging that message, but it might be some intrusion detection facility, running on some machine, that's seen a packet that it thinks is a Sasser worm packet.

(I.e., Ethereal isn't reporting that it's seeing traffic it thinks is Sasser worm traffic, it's reporting a packet that happens to be from a machine that appears to be trying to report that *it's* seeing traffic that it thinks is Sasser worm traffic.)

I assume that "IP[SRC=192.168.0.5 DST=204.1.226.230 TCP spo=01164 dpo=00080]" means that the packet is coming from 192.168.0.5 port 1164 and is going to 204.1.226.230 port 80.

The Syslog packet is coming from host 192.168.0.1; as you indicate, that's your router, so perhaps the router has software that watches for various malware traffic and sends syslog messages to a specified host if it detects any.

If so, 192.168.0.5 is probably not the best host - I don't know whether there exist any syslog servers for Windows, but, even if there are (people might have ported the syslog daemon, although, if they have, as syslog isn't the native Windows mechanism for logging messages, I don't know whether they'd log to the native Windows event logging mechanism or log to text files as the UNIX one does), they don't, as far as I know, come standard with Windows, so those packets *might* just be ignored by the Windows machine 192.168.0.5, rather than getting logged somewhere that an administrator can see them.

I can't say whether the fact that the router appears to be logging a message claiming that a Sasser worm packet is coming from 192.168.0.5 and going to 204.1.226.230's HTTP port means that 192.168.0.5 *is* infected with the Sasser worm, but it's probably something you should check.
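As an added illustration (not part of the original thread or of Ethereal), here is a small Python parser for the kind of syslog datagram discussed above: it splits the PRI value into facility and severity the way Ethereal's dissection shows them, and extracts the source, destination and ports from the router's alert text. The message layout and the PRI value (LOCAL1 = 17, NOTICE = 5, so PRI = 17*8+5 = 141) are taken from the capture in the quoted post; treating the characters after the closing bracket as opaque trailing data is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# syslog encodes PRI = facility * 8 + severity; Ethereal showed facility 17
# (LOCAL1) and level 5 (NOTICE) for the captured datagram.
FACILITIES = {0: "KERN", 1: "USER", 2: "MAIL", 3: "DAEMON", 4: "AUTH", 5: "SYSLOG"}
FACILITIES.update({16 + i: f"LOCAL{i}" for i in range(8)})
SEVERITIES = ["EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG"]

# Layout of the router's alert text as seen in the capture:
#   Sasser: IP[Src=192.168.0.5 Dst=204.1.226.230 TCP spo=01164 dpo=00080]
ALERT_RE = re.compile(
    r"(?P<name>[A-Za-z0-9_-]+): IP\[Src=(?P<src>[\d.]+) Dst=(?P<dst>[\d.]+) "
    r"(?P<proto>TCP|UDP) spo=(?P<spo>\d+) dpo=(?P<dpo>\d+)\]"
)

@dataclass
class RouterAlert:
    facility: str
    severity: str
    name: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

def decode_pri(pri: int) -> tuple[str, str]:
    """Split a syslog PRI value into (facility, severity) names."""
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"FACILITY{facility}"), SEVERITIES[severity]

def parse_router_alert(datagram: str) -> Optional[RouterAlert]:
    """Parse a UDP/514 payload such as '<141>Sasser: IP[...]'.

    Returns None for payloads that are not a complete alert, e.g. the
    truncated 'IP[Src=192.168.0.5 D...' shown in the packet-list summary,
    so a caller never acts on half a message.
    """
    m = re.match(r"<(\d{1,3})>(.*)", datagram, re.DOTALL)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group(1)))
    body = ALERT_RE.search(m.group(2))
    if not body:
        return None
    return RouterAlert(facility, severity, body["name"], body["src"], body["dst"],
                       body["proto"], int(body["spo"]), int(body["dpo"]))

# Constructed sample payload built from the fields in the capture above; the
# trailing "}S01>R01nN" is kept as-is and ignored by the parser (assumption).
SAMPLE = "<141>Sasser: IP[Src=192.168.0.5 Dst=204.1.226.230 TCP spo=01164 dpo=00080]}S01>R01nN"
```

Run on a real UDP/514 collector, the returned RouterAlert gives the src/dst/port tuple to check against the host 192.168.0.5 rather than relying on the truncated Info column.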