[wplug] Need help...

Alexandros Papadopoulos apapadop at cmu.edu
Thu Apr 3 09:42:11 EST 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 03 April 2003 08:53, Chris wrote:
> I am at work and I think that our network has been infected by a
> virus or some other malicious program.  I am a little unsure on where
> to start.  Here is some background.  We have 2 W2K Servers, 2 NT, 1
> RH server, and about 20 or so W2K desktops.

What is each server doing? Which is the web server, which is the 
firewall, what programs and versions are they running for their 
critical functions?

>  Here is the problem: 
> This morning and yesterday morning I came in and noticed that our Net
> connection was down.  I checked the firewall logs and had the
> following message:

On which machine? What kind of firewall is this? Version of software?

> "3027 open connections, new connects will be
> dropped".  It says that it was coming from 10.10.10.11 and going to
> 166.x.x.x  I forget the exact IP, but it was Eastman's website.

So the problem is that you had excessive OUTGOING traffic from your 
network to the world.

> (www.eastman.com <http://www.eastman.com/> ).  So I shutdown the
> 10.10.10.11 server (our webserver), and rebooted the firewall.  It

Which is which? If the webserver is a W2K machine running IIS, well, uh, 
sorry.

> came back up and we had the same error.  So it has to be coming from
> another machine, right?

No, reboots don't fix anything.

>  I did a netstat on the servers, and didn't
> see anything unusual.

So the server that was sending all this junk DID NOT report the 
connections with a local netstat? Sounds bad. Try burning a known-good 
copy of fport.exe from Foundstone to a CD and executing it *from the CD* 
on that server. Still nothing?

>  So we just blocked the whole 166.x.x.x range. 
> After that there were about 3 entries in the log that was blocking
> that port from that same 10.10.10.1 IP, and after that no more.  This
> morning I came in and the same thing happened.  This time it was
> going to 144.116.184.208.  So I blocked that range, and everything is
> fine.  I ran a virus scan on all machines and nothing came up. I know
> that the RH machine does/can have a lot of monitoring capabilities on
> it.

Unless it's in a position that is able to monitor your entire network 
(e.g. doing routing/NAT for your clients), I don't think so. If the 
network is not switched and you just use hubs, you can leave a sniffer 
running on the RH box and the next time you get strange traffic you can 
analyze the packets and see if they contain any strings that seem to be 
looking for M$ vulnerabilities.

Otherwise, you just have a haX0r3d NT box.

- -A
- -- 
http://andrew.cmu.edu/~apapadop/pub_key.asc
3DAD 8435 DB52 F17B 640F  D78C 8260 0CC1 0B75 8265
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+jEhJgmAMwQt1gmURAuybAJ9t2a4J6ZTbCiLa+ioMw71tJs/EJwCeKF+g
XWIQeBo4sm25KLf10VNtl2g=
=8kes
-----END PGP SIGNATURE-----
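An added example, not part of the thread above: the reply's point is that the firewall saw 3027 connections from 10.10.10.11 while netstat on that host showed nothing unusual, and that discrepancy is itself the finding. The script below parses a Windows 2000 style `netstat -an` table (real column layout, constructed rows) and a firewall connection dump (the `src=... dst=...` key=value format is an assumption, not any real firewall's syntax), counts connections per (source, destination) pair on each side, and reports pairs that are a flood on their own or that the firewall sees far more of than the host admits to.

```python
"""Cross-check a firewall's per-host connection counts against what the
suspect host's own netstat reports.  All sample data below is constructed."""
import re
from collections import Counter

# Constructed Windows 2000 `netstat -an` output for the web server.
# The column layout is the real one; the connections are made up.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    10.10.10.11:1045       166.0.0.5:80           ESTABLISHED
  TCP    10.10.10.11:1046       166.0.0.5:80           SYN_SENT
  TCP    10.10.10.11:1047       166.0.0.5:80           SYN_SENT
  TCP    10.10.10.11:1048       10.10.10.20:139        ESTABLISHED
  UDP    10.10.10.11:137        *:*
"""

# Constructed firewall connection-table dump.  The key=value syntax is an
# assumption for this example, not a real product's log format.  It holds
# 3027 connections from the web server to one outside host plus one
# ordinary inbound hit on the web server.
FIREWALL_SAMPLE = [
    f"Apr 03 08:41:02 fw conn src=10.10.10.11 sport={1025 + i} "
    f"dst=166.0.0.5 dport=80 proto=tcp"
    for i in range(3027)
] + ["Apr 03 08:41:02 fw conn src=10.10.10.20 sport=2001 "
     "dst=10.10.10.11 dport=80 proto=tcp"]

NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
FW_LINE = re.compile(r"src=(\S+)\s+sport=\d+\s+dst=(\S+)\s+dport=\d+\s+proto=tcp")


def split_addr(addr):
    """'10.10.10.11:1045' -> ('10.10.10.11', '1045'); also handles '*:*'."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per netstat row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        lip, lport = split_addr(local)
        rip, rport = split_addr(remote)
        rows.append({"proto": proto, "local_ip": lip, "local_port": lport,
                     "remote_ip": rip, "remote_port": rport,
                     "state": state or ""})
    return rows


def host_view(rows):
    """TCP connections the host admits to, counted per (local, remote) pair.
    LISTENING sockets are not connections and are excluded."""
    return Counter((r["local_ip"], r["remote_ip"]) for r in rows
                   if r["proto"] == "TCP" and r["state"] != "LISTENING")


def firewall_view(lines):
    """TCP connections the firewall saw, counted per (src, dst) pair."""
    return Counter(m.groups() for m in map(FW_LINE.search, lines) if m)


def flag_flooders(counts, threshold=500):
    """Pairs whose connection count alone is suspicious (scan, flood, worm)."""
    return sorted((src, dst, n) for (src, dst), n in counts.items()
                  if n >= threshold)


def find_hidden(fw_counts, host_counts, tolerance=50):
    """Outbound pairs where the firewall sees far more than the host reports.
    Either netstat is lying (rootkit, hidden process) or another machine is
    sourcing the traffic with this host's address.  Inbound connections
    appear reversed in the host table and are not matched here."""
    out = []
    for (src, dst), fw_n in fw_counts.items():
        host_n = host_counts.get((src, dst), 0)
        if fw_n - host_n > tolerance:
            out.append((src, dst, fw_n, host_n))
    return sorted(out)


if __name__ == "__main__":
    host = host_view(parse_netstat(NETSTAT_SAMPLE))
    fw = firewall_view(FIREWALL_SAMPLE)
    for src, dst, n in flag_flooders(fw):
        print(f"firewall: {n} connections {src} -> {dst}")
    for src, dst, fw_n, host_n in find_hidden(fw, host):
        print(f"MISMATCH {src} -> {dst}: firewall {fw_n}, netstat {host_n}")
```

A large gap between the two views is the signal to stop trusting tools run from that host's own disk; the same comparison works with the output of a known-good fport.exe run from CD, since a hidden process shows up as connections the firewall counts but no listed process owns.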