[wplug] Need help...

Bill bhalpin at collaborativefusion.com
Thu Apr 3 09:19:47 EST 2003


Chris

Sounds more likely that your box was rooted.  Make a copy of F.I.R.E.
(forensics tool CD) and run it on your machine.  I haven't used FIRE yet
but I've heard good things.

-b

On Thu, 2003-04-03 at 08:53, Chris wrote:
> I am at work and I think that our network has been infected by a virus or
> some other malicious program.  I am a little unsure on where to start.  Here
> is some background.  We have 2 W2K Servers, 2 NT, 1 RH server, and about 20
> or so W2K desktops.  Here is the problem:  This morning and yesterday
> morning I came in and noticed that our Net connection was down.  I checked
> the firewall logs and had the following message: "3027 open connections, new
> connects will be dropped".  It says that it was coming from 10.10.10.11 and
> going to 166.x.x.x  I forget the exact IP, but it was Eastman's website.
> (http://www.eastman.com/).  So I shut down the 10.10.10.11
> server (our webserver), and rebooted the firewall.  It came back up and we
> had the same error.  So it has to be coming from another machine, right?  I
> did a netstat on the servers, and didn't see anything unusual.  So we just
> blocked the whole 166.x.x.x range.  After that there were about 3 entries in
> the log that were blocking that port from that same 10.10.10.1 IP, and after
> that no more.  This morning I came in and the same thing happened.  This
> time it was going to 144.116.184.208.  So I blocked that range, and
> everything is fine.  I ran a virus scan on all machines and nothing came up.
> I know that the RH machine does/can have a lot of monitoring capabilities on
> it.  How can I use that to help find what machine is causing this problem?
> Any pointers will be greatly appreciated.
> 
> Thank you
> 
> Chris Romano
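An added example, not part of the original thread: one way to use the RH box to answer Chris's question. If the box is rooted, as Bill suspects, netstat on it cannot be trusted (rootkits commonly replace it), so the reliable check is to count connection attempts on the wire from a separate machine. The script below parses tcpdump's text output and ranks LAN hosts by outbound SYNs. It assumes (not stated in the thread) that the RH server can see the segment's traffic (hub, switch SPAN port, or tcpdump on the firewall's inside interface) and that the capture was made with a SYN-only filter; the sample capture embedded in it is constructed, and the addresses in it are illustrative.

```python
#!/usr/bin/env python3
"""Rank LAN hosts by outbound TCP connection attempts, from tcpdump text output.

Added example, not code from the original thread. Assumptions (not on the page):
the RH server sees the LAN segment's traffic, and the capture was made with
something like

    tcpdump -n -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' > syns.txt

so every line is a SYN, i.e. one outbound connection attempt. Counting SYNs on
the wire does not depend on netstat on a possibly rooted host telling the truth.
"""
import re
import sys
from collections import Counter, defaultdict

# One tcpdump -n line per SYN. Both the tcpdump 3.x form
#   09:12:01.123456 10.10.10.11.1045 > 166.1.2.3.80: S 1:1(0) win 16384
# and the tcpdump 4.x form
#   09:12:01.123456 IP 10.10.10.11.1045 > 166.1.2.3.80: Flags [S], seq 1, ...
# are matched. "Flags [S.]" (SYN-ACK) does not match.
SYN_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?:IP\s+)?"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+"
    r"(?:Flags \[S\]|S\b)"
)


def parse_syns(lines):
    """Yield (src, dst, dport) for each SYN line; lines that do not parse are skipped."""
    for line in lines:
        m = SYN_RE.match(line.strip())
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def rank_sources(lines, internal_prefix="10.10.10."):
    """Return [(src, syn_count, distinct_dsts, top_dst)] for internal sources,
    most connection attempts first. distinct_dsts and top_dst tell a scanning
    worm (many destinations) apart from a flood at one site (one destination),
    which is the pattern in the firewall log described in the thread."""
    per_src = defaultdict(Counter)
    for src, dst, dport in parse_syns(lines):
        if src.startswith(internal_prefix):
            per_src[src][(dst, dport)] += 1
    ranked = []
    for src, dsts in per_src.items():
        (top_dst, top_port), _ = dsts.most_common(1)[0]
        ranked.append((src, sum(dsts.values()), len(dsts), f"{top_dst}:{top_port}"))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


def suspects(lines, threshold=100, internal_prefix="10.10.10."):
    """Internal hosts whose SYN count in the capture exceeds threshold."""
    return [r[0] for r in rank_sources(lines, internal_prefix) if r[1] > threshold]


# Constructed sample capture (illustrative addresses): 10.10.10.23 opens 300
# connections to one web server, two other hosts browse normally, and an
# inbound SYN plus a SYN-ACK from outside are present to show they are ignored.
SAMPLE = [
    f"09:00:{i // 60:02d}.{i % 60:02d}0000 IP 10.10.10.23.{1025 + i} > "
    f"144.116.184.208.80: Flags [S], seq {i}, win 16384"
    for i in range(300)
] + [
    "09:00:05.100000 IP 10.10.10.11.1045 > 166.1.2.3.80: Flags [S], seq 7, win 16384",
    "09:00:05.200000 10.10.10.11.1046 > 166.1.2.3.80: S 8:8(0) win 16384 <mss 1460>",
    "09:00:05.300000 IP 10.10.10.12.1050 > 208.10.1.1.443: Flags [S], seq 9, win 16384",
    "09:00:05.400000 IP 66.1.1.1.4321 > 10.10.10.11.80: Flags [S], seq 1, win 5840",
    "09:00:05.500000 IP 166.1.2.3.80 > 10.10.10.11.1045: Flags [S.], seq 1, ack 8, win 5840",
]

if __name__ == "__main__":
    # Usage: tcpdump ... | python3 rank_syns.py   (or run with no input for the sample)
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE
    for src, n, nd, top in rank_sources(lines):
        print(f"{src:<16} syns={n:<6} distinct_dst={nd:<4} top={top}")
```

A host that shows hundreds of SYNs to one destination while its own netstat shows nothing is the one to pull off the network and examine with the forensics CD; the SYN count also gives a number to compare against the firewall's "3027 open connections" figure.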
