[wplug] Need help...

Bill bhalpin at collaborativefusion.com
Thu Apr 3 11:49:08 EST 2003


If it is a win box, check out stuff on Foundstone's site.  They might
have something useful; they are primarily winsec geeks.

-b

On Thu, 2003-04-03 at 11:33, John Harrold wrote:
> Sometime in April Chris assaulted the keyboard and produced:
> 
> | I am at work and I think that our network has been infected by a virus or
> | some other malicious program.  I am a little unsure on where to start.  Here
> | is some background.  We have 2 W2K Servers, 2 NT, 1 RH server, and about 20
> | or so W2K desktops.  Here is the problem:  This morning and yesterday
> | morning I came in and noticed that our Net connection was down.  I checked
> | the firewall logs and had the following message: "3027 open connections, new
> | connects will be dropped".  It says that it was coming from 10.10.10.11 and
> | going to 166.x.x.x  I forget the exact IP, but it was Eastman's website.
> | (www.eastman.com).  So I shut down the 10.10.10.11
> | server (our webserver), and rebooted the firewall.  It came back up and we
> | had the same error.  So it has to be coming from another machine, right?  I
> | did a netstat on the servers, and didn't see anything unusual.  So we just
> | blocked the whole 166.x.x.x range.  After that there were about 3 entries in
> | the log that were blocking that port from that same 10.10.10.1 IP, and after
> | that no more.  This morning I came in and the same thing happened.  This
> | time it was going to 144.116.184.208.  So I blocked that range, and
> | everything is fine.  I ran a virus scan on all machines and nothing came up.
> | I know that the RH machine does/can have a lot of monitoring capabilities on
> | it.  How can I use that to help find what machine is causing this problem?
> | Any pointers will be greatly appreciated.
> 
> i'm not familiar with FIRE, but i've used chkroot before
> (www.chkrootkit.org). i would definitely check the linux machine first, but
> that is because i know squat about finding this stuff in windows.
> 
> you might try tcpdump to figure out which computers are going crazy, but
> that will only work if you're not on a switched network. i think the only
> way linux can monitor the traffic on a switched network is for the traffic
> to go through the machine, in other words the linux machine would have to
> be your gateway. the only thing i think you can do is port scan the
> machines on your network:
> 
>  # nmap 10.10.10.1
> 
> i'm not sure how you fix a windows machine that's been cracked. i would
> probably reinstall, but that is due more to my own ignorance.
> 
> -- 
> ---------------------------------------------------------------
> john harrold               | "They that can give up essential  
>      jmh at member.fsf.org |  liberty to obtain a little       
> /"\                        |  temporary safety deserve neither 
> \ / ASCII ribbon campaign  |  liberty nor safety."             
>  X  against HTML mail      |                                  
> / \                        |  Benjamin Franklin
> ---------------------------------------------------------------
> gpg --keyserver keys.indymedia.org --recv-key F65A739E
> ---------------------------------------------------------------
> Jim Bakker spells his name with two k's because three 
> would be too obvious.
> --Bill Maher 
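The tcpdump approach John suggests, done as a small shell script on the RH box, as an added example that is not part of the thread. It assumes the Linux machine actually sees the traffic (a hub, a mirror/span port on the switch, or the box being the gateway, exactly the limitation the reply points out) and the "IP SRC.PORT > DST.PORT: Flags [S]" line format of current tcpdump; the capture lines in the block are constructed, not from the list.

```sh
#!/bin/sh
# Added example, not from the wplug thread: find which internal host is
# opening the flood of connections by tallying TCP SYNs per source address
# from tcpdump's text output on the RH box.
#
# Assumptions: the Linux box sees the traffic (hub, switch mirror/span port,
# or it is the gateway); tcpdump 4.x line format, i.e.
#   "HH:MM:SS.usec IP SRC.PORT > DST.PORT: Flags [S], seq ..., win ..., length 0"
# A live run would be (interface name is an assumption):
#   tcpdump -n -l -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | syn_counts

# Constructed sample capture: four outbound SYNs, three of them from
# 10.10.10.11, plus one SYN-ACK from the far end that must not be counted.
SAMPLE_SYNS='11:49:08.000001 IP 10.10.10.11.1034 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
11:49:08.000102 IP 10.10.10.20.3456 > 192.0.2.10.80: Flags [S], seq 2, win 65535, length 0
11:49:08.000203 IP 10.10.10.11.1035 > 192.0.2.10.80: Flags [S], seq 3, win 65535, length 0
11:49:08.000304 IP 10.10.10.11.1036 > 192.0.2.10.80: Flags [S], seq 4, win 65535, length 0
11:49:08.000405 IP 192.0.2.10.80 > 10.10.10.11.1036: Flags [S.], seq 5, ack 5, win 65535, length 0'

# syn_counts: read tcpdump lines on stdin, print "COUNT SRC_IP", busiest first.
# Only pure SYNs ("[S],") count; SYN-ACKs ("[S.],") are replies, not new
# connection attempts by the host we are hunting.
syn_counts() {
    awk '$6 == "Flags" && $7 == "[S]," {
             src = $3                     # e.g. 10.10.10.11.1034
             sub(/\.[0-9]+$/, "", src)    # drop the source port
             n[src]++
         }
         END { for (s in n) print n[s], s }' | sort -rn
}

# top_syn_source: the single busiest source address.
top_syn_source() {
    syn_counts | head -n 1 | awk '{ print $2 }'
}

# noisy_sources THRESHOLD: every source with more than THRESHOLD SYNs,
# one address per line; in practice this is the list of boxes to unplug.
noisy_sources() {
    syn_counts | awk -v t="$1" '$1 > t { print $2 }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_SYNS" | syn_counts
```

Counting from a second machine is worth more than netstat on the suspect itself: if the web server has been rooted, netstat on it may be trojaned to hide the sockets, which is also why chkrootkit belongs in the same pass.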