[wplug] Need help...
John Harrold
jmh17 at pitt.edu
Thu Apr 3 11:33:29 EST 2003
Sometime in April Chris assaulted the keyboard and produced:
| I am at work and I think that our network has been infected by a virus or
| some other malicious program. I am a little unsure on where to start. Here
| is some background. We have 2 W2K Servers, 2 NT, 1 RH server, and about 20
| or so W2K desktops. Here is the problem: This morning and yesterday
| morning I came in and noticed that our Net connection was down. I checked
| the firewall logs and had the following message: "3027 open connections, new
| connects will be dropped". It says that it was coming from 10.10.10.11 and
| going to 166.x.x.x I forget the exact IP, but it was Eastman's website.
| (www.eastman.com <http://www.eastman.com/> ). So I shutdown the 10.10.10.11
| server (our webserver), and rebooted the firewall. It came back up and we
| had the same error. So it has to be coming from another machine, right? I
| did a netstat on the servers, and didn't see anything unusual. So we just
| blocked the whole 166.x.x.x range. After that there were about 3 entries in
| the log that were blocking that port from that same 10.10.10.1 IP, and after
| that no more. This morning I came in and the same thing happened. This
| time it was going to 144.116.184.208. So I blocked that range, and
| everything is fine. I ran a virus scan on all machines and nothing came up.
| I know that the RH machine does/can have a lot of monitoring capabilities on
| it. How can I use that to help find what machine is causing this problem?
| Any pointers will be greatly appreciated.
i'm not familiar with FIRE, but i've used chkrootkit before
(www.chkrootkit.org). i would definitely check the linux machine first, but
that is because i know squat about finding this stuff in windows.
you might try tcpdump to figure out which computers are going crazy, but
that will only work if you're not on a switched network. i think the only
way linux can monitor the traffic on a switched network is for the traffic
to go through the machine, in other words the linux machine would have to
be your gateway. the only thing i think you can do is port scan the
machines on your network:
# nmap 10.10.10.1
i'm not sure how you fix a windows machine that's been cracked. i would
probably reinstall, but that is due more to my own ignorance.
--
---------------------------------------------------------------
john harrold | "They that can give up essential
jmh at member.fsf.org | liberty to obtain a little
/"\ | temporary safety deserve neither
\ / ASCII ribbon campaign | liberty nor safety."
X against HTML mail |
/ \ | Benjamin Franklin
---------------------------------------------------------------
gpg --keyserver keys.indymedia.org --recv-key F65A739E
---------------------------------------------------------------
Jim Bakker spells his name with two k's because three
would be too obvious.
--Bill Maher
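As an added illustration of the tcpdump approach suggested above (this is not code from either poster), the script below takes `tcpdump -n -l` output captured where the LAN traffic can actually be seen (the Linux box acting as gateway, as the reply notes, or a switch mirror port) and ranks internal hosts by how many distinct outbound TCP connections they open to each destination. The firewall complaint was about thousands of open connections, so counting distinct source ports on connection-opening SYNs is the metric that exposes the offending machine. The capture lines embedded in the block are constructed for the example, with one made-up desktop address (10.10.10.7) hammering the 144.116.184.208 address from the original message; the `rank_hosts` and `connection_counts` names are the example's own.

```python
"""Rank LAN hosts by how many outbound TCP connections they open.

Feed it `tcpdump -n -l` output captured on the gateway or a mirror port.
A host opening thousands of short connections to one destination will sit
at the top of the list.  Example code written for this thread, not a tool
referenced by either poster.
"""
import re
import sys
from collections import defaultdict

# Matches both the old "src.port > dst.port: S ..." layout and the newer
# "IP src.port > dst.port: Flags [S] ..." layout that tcpdump prints.
PACKET_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?P<rest>.*)"
)


def is_syn_only(rest):
    """True for a connection-opening SYN (SYN set, ACK clear) in either format."""
    m = re.search(r"Flags \[([A-Z.]+)\]", rest)
    if m:
        flags = m.group(1)          # e.g. "S" for SYN, "S." for SYN-ACK
        return "S" in flags and "." not in flags
    # Old format: the flag token follows the colon, e.g. "S 99:99(0) win 16384";
    # a SYN-ACK there reads "S 1:1(0) ack 2 win ...".
    token = rest.split(" ", 1)[0]
    return token == "S" and " ack " not in rest


def connection_counts(lines):
    """Return {src_host: {dst_host: set(source_ports)}} over SYN-only packets."""
    opened = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = PACKET_RE.search(line)
        if not m or not is_syn_only(m.group("rest")):
            continue
        opened[m.group("src")][m.group("dst")].add(int(m.group("sport")))
    return opened


def rank_hosts(lines, threshold=50):
    """Return [(src, dst, n_connections)] for pairs at/above threshold, busiest first."""
    rows = []
    for src, dsts in connection_counts(lines).items():
        for dst, ports in dsts.items():
            if len(ports) >= threshold:
                rows.append((src, dst, len(ports)))
    rows.sort(key=lambda r: -r[2])
    return rows


# Constructed sample capture (not real traffic): a hypothetical desktop,
# 10.10.10.7, opening 200 connections to 144.116.184.208:80 with a fresh
# source port each time, plus ordinary traffic that must not be counted
# (an inbound connection to the web server, a data packet, a DNS query,
# and one legitimate single connection from another host).
SAMPLE_CAPTURE = [
    "10:01:00.000001 IP 10.10.10.11.80 > 203.0.113.5.51000: Flags [S.], seq 1, ack 1, win 5840",
    "10:01:00.000002 IP 203.0.113.5.51000 > 10.10.10.11.80: Flags [.], ack 1, win 65535",
    "10:01:00.000003 10.10.10.3.1025 > 10.10.10.1.53: udp 40",
    "10:01:00.000004 10.10.10.5.1044 > 144.116.184.208.80: S 99:99(0) win 16384",
] + [
    "10:01:01.%06d IP 10.10.10.7.%d > 144.116.184.208.80: Flags [S], seq 0, win 16384"
    % (i, 1024 + i)
    for i in range(200)
]


def main(argv):
    if len(argv) > 1 and argv[1] == "-":
        rows = rank_hosts(sys.stdin)
    elif len(argv) > 1:
        with open(argv[1]) as f:
            rows = rank_hosts(f)
    else:
        rows = rank_hosts(SAMPLE_CAPTURE)
    for src, dst, n in rows:
        print("%s opened %d connections to %s" % (src, n, dst))


if __name__ == "__main__":
    main(sys.argv)
```

To use it on a live box, pipe tcpdump into it and let it read stdin, capturing only SYNs without ACK so the volume stays manageable: `tcpdump -n -l -i eth0 'tcp[13] & 2 != 0 and tcp[13] & 16 == 0' | python find_talkers.py -` (the script file name is arbitrary). The threshold of 50 is a starting point; with a firewall reporting over three thousand open connections, the guilty host will be far above it, and a host that only shows up at a mirror port or gateway capture but not in its own `netstat` is itself a hint that the machine's own tools are no longer trustworthy.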