[wplug] Need help...

Chris vze2f6h6 at verizon.net
Thu Apr 3 10:37:26 EST 2003


I found something.

I did another netstat on the machines and I found it.  It was on one of our
NT 4.0 machines. I guess it was sleeping when I did it last time.  This is
what I saw.

Proto   Local Address        Foreign Address                          State
TCP     atlsv03:1929         SQLSERVER:6667                           Established
TCP     atlsv03:3298         27.suaa.sttl.sttlwane.dsl.att.net:6667   SYN_Sent
TCP     atlsv03:3302         144.124.5.88:4899                        Established
TCP     atlsv03:3303         144.124.5.89:4899                        Established
TCP     atlsv03:3304         144.124.5.90:4899                        Established
TCP     atlsv03:3305         144.124.5.91:4899                        Established

That continues up to 144.124.5.126.

We do not have MS SQL running on that machine, in fact, we do not have MS
SQL at all.


Chris Romano
Atlas Brokerage Company, L.P.
cromano at atlasbd.com
724.743.7900
ext 221
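One way to triage a listing like this without eyeballing it, as an added example that is not part of the thread: a small parser for the netstat columns, a check for the two ports the thread turns on, and a sweep detector that generalises the .88 to .126 run to any port where one host is walking consecutive addresses. The sample listing is constructed from the output above, and the port watch-list is my assumption.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample modelled on the netstat output quoted in the post above
# (the wrapped SYN_Sent line re-joined; only the first .88-.91 hosts shown).
NETSTAT_SAMPLE = """\
Proto   Local Add              Foreign Add             State
TCP     atlsv03:1929         SQLSERVER:6667            Established
TCP     atlsv03:3298         27.suaa.sttl.sttlwane.dsl.att.net:6667 SYN_Sent
TCP     atlsv03:3302         144.124.5.88:4899         Established
TCP     atlsv03:3303         144.124.5.89:4899         Established
TCP     atlsv03:3304         144.124.5.90:4899         Established
TCP     atlsv03:3305         144.124.5.91:4899         Established
"""

# Assumed watch-list (not from the page): 6667 is IRC, the usual bot control
# channel of the era; 4899 is the Remote Administrator (radmin) service port.
SUSPECT_PORTS = {6667: "IRC", 4899: "radmin"}

LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(\S*)$")

def parse_netstat(text):
    """Return (proto, lhost, lport, rhost, rport, state) tuples; the header is skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, lh, lp, rh, rp, st = m.groups()
            rows.append((proto, lh, int(lp), rh, int(rp), st.upper()))
    return rows

def find_sweeps(rows, min_hosts=3):
    """Map remote port -> longest run of consecutive IPv4 peers on that port.
    Neighbouring addresses on one port mean a host is sweeping a range."""
    by_port = defaultdict(set)
    for _, _, _, rh, rp, _ in rows:
        try:
            by_port[rp].add(int(ip_address(rh)))
        except ValueError:
            pass  # hostname rather than a literal address; cannot be ordered
    sweeps = {}
    for port, addrs in by_port.items():
        ordered, run = sorted(addrs), 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            if run >= min_hosts:
                sweeps[port] = max(sweeps.get(port, 0), run)
    return sweeps

def suspect_ports_seen(rows):
    # Watch-listed remote ports that appear anywhere in the listing
    return sorted({(rp, SUSPECT_PORTS[rp]) for *_, rp, _ in rows if rp in SUSPECT_PORTS})
```

Run over the full .88 to .126 listing the sweep length would be 39; the hostname peers on 6667 are reported by the watch-list check but cannot take part in the sweep ordering.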

-----Original Message-----
From: wplug-admin at wplug.org [mailto:wplug-admin at wplug.org] On Behalf Of
Alexandros Papadopoulos
Sent: Thursday, April 03, 2003 9:42 AM
To: Chris
Cc: wplug at wplug.org
Subject: Re: [wplug] Need help...


On Thursday 03 April 2003 08:53, Chris wrote:
> I am at work and I think that our network has been infected by a
> virus or some other malicious program.  I am a little unsure on where
> to start.  Here is some background.  We have 2 W2K Servers, 2 NT, 1
> RH server, and about 20 or so W2K desktops.

What is each server doing? Which is the web server, which is the 
firewall, what programs and versions are they running for their 
critical functions?

>  Here is the problem: 
> This morning and yesterday morning I came in and noticed that our Net
> connection was down.  I checked the firewall logs and had the
> following message:

On which machine? What kind of firewall is this? Version of software?

> "3027 open connections, new connects will be
> dropped".  It says that it was coming from 10.10.10.11 and going to
> 166.x.x.x  I forget the exact IP, but it was Eastman's website.

So the problem is that you had excessive OUTGOING traffic from your 
network to the world.

> (www.eastman.com <http://www.eastman.com/> ).  So I shutdown the
> 10.10.10.11 server (our webserver), and rebooted the firewall.  It

Which is which? If the webserver is a W2K machine running IIS, well, uh, 
sorry.

> came back up and we had the same error.  So it has to be coming from
> another machine, right?

No, reboots don't fix anything.

>  I did a netstat on the servers, and didn't
> see anything unusual.

So the server that was sending all this junk DID NOT report the 
connections with a local netstat? Sounds bad. Try burning a known-good 
copy of fport.exe from Foundstone and execute it *from the CD* of that 
server. Still nothing?

>  So we just blocked the whole 166.x.x.x range. 
> After that there were about 3 entries in the log that were blocking
> that port from that same 10.10.10.1 IP, and after that no more.  This
> morning I came in and the same thing happened.  This time it was
> going to 144.116.184.208.  So I blocked that range, and everything is
> fine.  I ran a virus scan on all machines and nothing came up. I know
> that the RH machine does/can have a lot of monitoring capabilities on
> it.

Unless it's in a position that is able to monitor your entire network 
(e.g. doing routing/NAT for your clients), I don't think so. If the 
network is not switched and you just use hubs, you can leave a sniffer 
running on the RH box and the next time you get strange traffic you can 
analyze the packets and see if they contain any strings that seem to be 
looking for M$ vulnerabilities.

Otherwise, you just have a haX0r3d NT box.

-A
--
http://andrew.cmu.edu/~apapadop/pub_key.asc
3DAD 8435 DB52 F17B 640F  D78C 8260 0CC1 0B75 8265

_______________________________________________
wplug mailing list
wplug at wplug.org
http://www.wplug.org/mailman/listinfo/wplug