Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 13 replies
  • Subscribers 2 subscribers
  • Views 5016 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Port 10101 --> Symantec

SalishSwede
I noticed a great deal of entries in my IPS log.

They all look like this: 
2011:12:28-15:50:29 wahine ulogd[5994]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="4:c:ce[:D]c:50:82" dstmac="0:c:29:67:ac:84" srcip="10.1.2.3"[my mac client]  dstip="198.153.192.3" proto="17" length="237" tos="0x00" prec="0x00" ttl="64" srcport="55439" dstport="10101" 

Note the destination port: 10101 
This is the same port that Astaro used for it's "cloud based" log management.
Destination ip:  198.153.192.3 [details below]


The destination IP address is for the following: 
   NetRange: 198.153.190.0 - 198.153.196.255
   CIDR:198.153.190.0/23, 198.153.196.0/24, 198.153.192.0/22
   NetType: Direct Assignment
   OrgName:Symantec Corporation
   Address:20330 Stevens Creek Blvd
   City:Cupertino
   StateProv:CA
   OrgAbuseName:Symantec IP Administrator
   OrgAbusePhone:+1-650-527-8000
   OrgAbuseEmail[:D]l-it-ip-admin@symantec.com

I have no Symantec products installed on my machine.

Question:  Is there any official relationship between Astaro and Symantec that might explain this traffic?

Can any one assist in identifying this traffic?

Thanks,

Dougga


This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to BAlfson
    That's interesting.
    I plug the ip address into the tool you reference, and I get the same Symantec reference.
    Perhaps I'm misinterpreting this.
    The individual ip address has no record but it's found on a network which is directly registered to Symantec.

    Network Whois record

    Queried whois.arin.net with "n 198.153.192.3"...

    NetRange:       198.153.190.0 - 198.153.196.255
    CIDR:           198.153.196.0/24, 198.153.192.0/22, 198.153.190.0/23
    OriginAS:       
    NetName:        NETBLK-OPENVISION
    NetHandle:      NET-198-153-190-0-1
    Parent:         NET-198-0-0-0-0
    NetType:        Direct Assignment
    RegDate:        1993-08-11
    Updated:        2009-03-26
    Ref:            http://whois.arin.net/rest/net/NET-198-153-190-0-1

    OrgName:        Symantec Corporation
    OrgId:          SYMN-Z
    Address:        20330 Stevens Creek Blvd
    City:           Cupertino
    StateProv:      CA
    PostalCode:     95014
    Country:        US
    RegDate:        2008-08-01
    Updated:        2008-10-21
    Ref:            http://whois.arin.net/rest/org/SYMN-Z

    OrgNOCHandle: SIA9-ARIN
    OrgNOCName:   Symantec IP Administrator
    OrgNOCPhone:  +1-650-527-8000 
    OrgNOCEmail:  dl-it-ip-admin@symantec.com
    OrgNOCRef:    http://whois.arin.net/rest/poc/SIA9-ARIN

    OrgTechHandle: SIA9-ARIN
    OrgTechName:   Symantec IP Administrator
    OrgTechPhone:  +1-650-527-8000 
    OrgTechEmail:  dl-it-ip-admin@symantec.com
    OrgTechRef:    http://whois.arin.net/rest/poc/SIA9-ARIN

    OrgAbuseHandle: SIA9-ARIN
    OrgAbuseName:   Symantec IP Administrator
    OrgAbusePhone:  +1-650-527-8000 
    OrgAbuseEmail:  dl-it-ip-admin@symantec.com
    OrgAbuseRef:    http://whois.arin.net/rest/poc/SIA9-ARIN

    RAbuseHandle: SIA9-ARIN
    RAbuseName:   Symantec IP Administrator
    RAbusePhone:  +1-650-527-8000 
    RAbuseEmail:  dl-it-ip-admin@symantec.com
    RAbuseRef:    http://whois.arin.net/rest/poc/SIA9-ARIN

    RTechHandle: SIA9-ARIN
    RTechName:   Symantec IP Administrator
    RTechPhone:  +1-650-527-8000 
    RTechEmail:  dl-it-ip-admin@symantec.com
    RTechRef:    http://whois.arin.net/rest/poc/SIA9-ARIN

    RNOCHandle: SIA9-ARIN
    RNOCName:   Symantec IP Administrator
    RNOCPhone:  +1-650-527-8000 
    RNOCEmail:  dl-it-ip-admin@symantec.com
    RNOCRef:    http://whois.arin.net/rest/poc/SIA9-ARIN
  • 0 in reply to BAlfson
    So I'm opening up this issue again on my side.  I'm getting NTP flood going to this address now.
    Clues:
    1) I believe this is a Symantec site even using the tool Bob mentioned above.
    2) Browsing to the address brings up something associated with Norton DNS [a Symantec trademark]
    3) Checking my Astaro DNS configuration I see that I added Symantec public DNS server!!
         The IP addresses I have entered are: 198.153.192.1  & 198.153.194.1  

    Thoughts:
    1) Given the destination port is the same as originally configured for the now defunct Log Management Service, I believe there is code left on the Astaro service that is leaking this information somehow.  Transmitting logs from all configured internal machines to an unauthorized external corporation would be a massive breach of trust and I suspect law.
    2) There may be some relationship between Astaro configured DNS forwarders and the Log Management Service. [this seems far fetched but it's the only link to Symantec I can think of]

    This is extremely troubling.

    Has anyone else configured Log Management and then seen that it vanished during an update?
    It would be very helpful to see how such machines are currently behaving.
    Are they sending the logs from all machines outbound?