[wplug] Need help...
Chris
vze2f6h6 at verizon.net
Thu Apr 3 10:37:26 EST 2003
I found something.
I did another netstat on the machines and I found it. It was on one of our
NT 4.0 machines. I guess it was sleeping when I did it last time. This is
what I saw.
Proto  Local Address   Foreign Address                          State
TCP    atlsv03:1929    SQLSERVER:6667                           Established
TCP    atlsv03:3298    27.suaa.sttl.sttlwane.dsl.att.net:6667   SYN_Sent
TCP    atlsv03:3302    144.124.5.88:4899                        Established
TCP    atlsv03:3303    144.124.5.89:4899                        Established
TCP    atlsv03:3304    144.124.5.90:4899                        Established
TCP    atlsv03:3305    144.124.5.91:4899                        Established
That continues until 144.124.5.126
We do not have MS SQL running on that machine; in fact, we do not have MS
SQL at all.
Chris Romano
Atlas Brokerage Company, L.P.
cromano at atlasbd.com
724.743.7900
ext 221
-----Original Message-----
From: wplug-admin at wplug.org [mailto:wplug-admin at wplug.org] On Behalf Of
Alexandros Papadopoulos
Sent: Thursday, April 03, 2003 9:42 AM
To: Chris
Cc: wplug at wplug.org
Subject: Re: [wplug] Need help...
On Thursday 03 April 2003 08:53, Chris wrote:
> I am at work and I think that our network has been infected by a
> virus or some other malicious program. I am a little unsure on where
> to start. Here is some background. We have 2 W2K Servers, 2 NT, 1
> RH server, and about 20 or so W2K desktops.
What is each server doing? Which is the web server, which is the
firewall, what programs and versions are they running for their
critical functions?
> Here is the problem:
> This morning and yesterday morning I came in and noticed that our Net
> connection was down. I checked the firewall logs and had the
> following message:
On which machine? What kind of firewall is this? Version of software?
> "3027 open connections, new connects will be
> dropped". It says that it was coming from 10.10.10.11 and going to
> 166.x.x.x I forget the exact IP, but it was Eastman's website.
So the problem is that you had excessive OUTGOING traffic from your
network to the world.
> (www.eastman.com <http://www.eastman.com/> ). So I shut down the
> 10.10.10.11 server (our webserver), and rebooted the firewall. It
Which is which? If the webserver is a W2K machine running IIS, well, uh,
sorry.
> came back up and we had the same error. So it has to be coming from
> another machine, right?
No, reboots don't fix anything.
> I did a netstat on the servers, and didn't
> see anything unusual.
So the server that was sending all this junk DID NOT report the
connections with a local netstat? Sounds bad. Try burning a known-good
copy of fport.exe from Foundstone and execute it *from the CD* of that
server. Still nothing?
> So we just blocked the whole 166.x.x.x range.
> After that there were about 3 entries in the log that were blocking
> that port from that same 10.10.10.1 IP, and after that no more. This
> morning I came in and the same thing happened. This time it was
> going to 144.116.184.208. So I blocked that range, and everything is
> fine. I ran a virus scan on all machines and nothing came up. I know
> that the RH machine does/can have a lot of monitoring capabilities on
> it.
Unless it's in a position that is able to monitor your entire network
(e.g. doing routing/NAT for your clients), I don't think so. If the
network is not switched and you just use hubs, you can leave a sniffer
running on the RH box and the next time you get strange traffic you can
analyze the packets and see if they contain any strings that seem to be
looking for M$ vulnerabilities.
Otherwise, you just have a haX0r3d NT box.
-A
--
http://andrew.cmu.edu/~apapadop/pub_key.asc
3DAD 8435 DB52 F17B 640F D78C 8260 0CC1 0B75 8265
_______________________________________________
wplug mailing list
wplug at wplug.org
http://www.wplug.org/mailman/listinfo/wplug
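The netstat listing in Chris's message shows two things worth flagging automatically: a connection to an IRC port (6667) from a box that has no reason to use IRC, and a sequential walk across a contiguous address range on one port (4899). The following Python script is an added example, not code from the thread or from any poster; it parses a dump in the same (line-wrapped) format and reports both patterns. The port watch list and its descriptions are assumptions, and the sample dump is constructed from the quoted output.

```python
from collections import defaultdict
# Constructed sample modelled on the netstat output quoted in the thread; the
# wrapped "SYN_Sent" line is reproduced as it appears in the archive.
SAMPLE = """Proto Local Add Foreign Add State
TCP atlsv03:1929 SQLSERVER:6667 Established
TCP atlsv03:3298 27.suaa.sttl.sttlwane.dsl.att.net:6667
SYN_Sent
TCP atlsv03:3302 144.124.5.88:4899 Established
TCP atlsv03:3303 144.124.5.89:4899 Established
TCP atlsv03:3304 144.124.5.90:4899 Established
TCP atlsv03:3305 144.124.5.91:4899 Established
"""
# Assumed watch list: ports this host has no business talking to.
WATCH_PORTS = {6667: "IRC, a common bot control channel", 4899: "Radmin remote administration"}

def parse_netstat(text):
    """Return (local_host, local_port, remote_host, remote_port, state) per TCP row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 1 and rows and rows[-1][4] == "":
            rows[-1] = rows[-1][:4] + (parts[0],)  # state wrapped onto its own line
            continue
        if len(parts) < 3 or parts[0].upper() != "TCP":
            continue  # header or non-TCP row
        lhost, lport = parts[1].rsplit(":", 1)
        fhost, fport = parts[2].rsplit(":", 1)
        rows.append((lhost, int(lport), fhost, int(fport), parts[3] if len(parts) > 3 else ""))
    return rows

def find_sweeps(rows, min_hosts=3):
    """Flag remote ports contacted on >= min_hosts consecutive IPv4 addresses in one /24."""
    by_port = defaultdict(set)
    for _, _, fhost, fport, _ in rows:
        octets = fhost.split(".")
        if len(octets) == 4 and all(o.isdigit() for o in octets):  # skip hostnames
            by_port[fport].add(tuple(int(o) for o in octets))
    sweeps = {}
    for port, ips in by_port.items():
        ips = sorted(ips)
        consecutive = all(a[:3] == b[:3] and b[3] == a[3] + 1 for a, b in zip(ips, ips[1:]))
        if len(ips) >= min_hosts and consecutive:
            sweeps[port] = (".".join(map(str, ips[0])), ".".join(map(str, ips[-1])), len(ips))
    return sweeps

def triage(text):
    """Summarise a dump: sequential port sweeps plus every connection to a watched port."""
    rows = parse_netstat(text)
    watch = [(fhost, fport, state) for _, _, fhost, fport, state in rows if fport in WATCH_PORTS]
    return {"sweeps": find_sweeps(rows), "watch": watch}
```

Run against the sample, triage() reports one sweep of four hosts (144.124.5.88 to 144.124.5.91 on port 4899) and six watched-port connections, including the half-open SYN_Sent to the att.net host on 6667.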