Over the last few weeks, we have noticed that our Orion server has been trying to talk to something at 95.141.29.22 on port 137. Whois.arin.net shows this address to belong to the RIPE NCC Operations - the EU version of internic, i think. We have a EPS (an IPS that sits INSIDE the network watching outbound traffic) that shows this as: EPS: known bot c&c server communication udp (group 216) ( 1 ) DateSource NetworkDestination07/07/2011 17:45:5610.223.4.10095.141.29.22 I have 2 questions - 1. Has anyone seen anything like this before? and 2. WHY would Orion try to talk there? We have scanned the server many times with Malwarebytes and cant find any hit of a issue. Open to any and all suggestions! Anyone headed to Cisco Live this year?

Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

interesting network traffic from my Orion server

Over the last few weeks, we have noticed that our Orion server has been trying to talk to something at 95.141.29.22 on port 137. Whois.arin.net shows this address to belong to the RIPE NCC Operations - the EU version of internic, i think. We have a EPS (an IPS that sits INSIDE the network watching outbound traffic) that shows this as:

EPS: known bot c&c server communication udp (group 216) ( 1 )
	Date	Source Network	Destination

	07/07/2011 17:45:56	10.223.4.100	95.141.29.22

I have 2 questions -

1. Has anyone seen anything like this before?

and

2. WHY would Orion try to talk there?

We have scanned the server many times with Malwarebytes and cant find any hit of a issue. Open to any and all suggestions!

Anyone headed to Cisco Live this year?

Find more posts tagged with

Accepted answers

All comments

FormerMember

RIPE is the RIR for that netblock, but it's assigned to:

% Information related to '95.141.29.0/24AS33926'
route: 95.141.29.0/24
descr: EuroTransit GmbH
origin: AS33926
mnt-by: EUROTRANSIT-MNT
source: RIPE # Filtered

That IP appears to be a German UnderNet IRC server - Hamburg.DE.EU.undernet.org (sponsored by EuroTransit, hence their netblock).

If you're seeing traffic going there I would be cautious - lots of botnets use IRC for their command infrastructure. Then again, IRC uses ports 6660-6670 and 7000, not 137.

Andy.

netlogix

isn't 137 a name resolution protocol? Could something be trying to resolve the ip to a name?

dclick

thanks. I have ran a couple of scans using Malwarebytes and Superantispyware, and didnt really find anything.

very odd though.