There's a blurb on the SANS handler's diary about a report of packets leaving a freshly built Check Point firewall. I wonder if this will turn out to be a hoax. There were rumors long ago that the NSA found an IP address in Check Point code, presumably an artifact of unremoved debug code. If this new report turns out verifiable, I wonder how much truth those past rumors may have had after all. Surreptitious phone home, faulty debugging, or hoax? ... Published: 2006-02-10, Last Updated: 2006-02-10 22:24:05 UTC by Lorna Hutcheson (Version: 1) One of our readers, Jeff Peterson, submitted to us a packet capture that was coming from a newly built Checkpoint Firewall, Build 244 . Here is what he observed in his own words: "This file is from a freshly installed Checkpoint Firewall 1 VPN gateway. This machine was off-line until installation was completed and policy pushed. Once the service starts and the first login attempt is completed the interface of the machine starts blasting the captured information to two targeted destination IP's.....Installation is from a Checkpoint supplied CD." I did ask about the base OS being a fresh install and here are his comments as well: "Yes. In fact I've built the server twice from scratch using only the checkpoint supplied CD which includes the OS and Firewall. Ie: SecurePlatform. The outcome was the same both times" Here is a short synopsis of the traffic being observed: There are 4 UDP packets being sent to one IP address then switching to the other and sending 4 more. This repeats itself over and over. The one IP 48.28.223.239 doesn't appear to have anything assigned to it but belongs to Prudential Securities Inc. The other IP 152.96.109.99 belongs to: descr: HSR Hochschule fuer Technik Rapperswil descr: Rapperswil, Switzerland Dst Port is 57327/UDP Src port is 32768 If you would like to see two example packets, you can view them here: http://isc.sans.org/diaryimages/packets for checkpoint.txt The issue went away with new CDs being obtained from the vendor. This is the only report we received about this so far. If you have observed similar traffic or have any ideas, please let us know. |