UPDATE ... RE: [wplug] Need help...

Chris vze2f6h6 at verizon.net
Thu Apr 3 13:47:17 EST 2003


Well, figured it out ... mostly.

It seems that we had a Trojan (Remote Admin) that was being controlled
through IRC.

Thanks for all the help.

Chris Romano
Atlas Brokerage Company, L.P.
cromano at atlasbd.com
724.743.7900
ext 221

-----Original Message-----
From: wplug-admin at wplug.org [mailto:wplug-admin at wplug.org] On Behalf Of John Harrold
Sent: Thursday, April 03, 2003 11:33 AM
To: wplug at wplug.org
Subject: Re: [wplug] Need help...

Sometime in April Chris assaulted the keyboard and produced:

| I am at work and I think that our network has been infected by a virus or
| some other malicious program.  I am a little unsure on where to start.  Here
| is some background.  We have 2 W2K Servers, 2 NT, 1 RH server, and about 20
| or so W2K desktops.  Here is the problem:  This morning and yesterday
| morning I came in and noticed that our Net connection was down.  I checked
| the firewall logs and had the following message: "3027 open connections, new
| connects will be dropped".  It says that it was coming from 10.10.10.11 and
| going to 166.x.x.x  I forget the exact IP, but it was Eastman's website.
| (www.eastman.com <http://www.eastman.com/> ).  So I shutdown the 10.10.10.11
| server (our webserver), and rebooted the firewall.  It came back up and we
| had the same error.  So it has to be coming from another machine, right?  I
| did a netstat on the servers, and didn't see anything unusual.  So we just
| blocked the whole 166.x.x.x range.  After that there were about 3 entries in
| the log that was blocking that port from that same 10.10.10.1 IP, and after
| that no more.  This morning I came in and the same thing happened.  This
| time it was going to 144.116.184.208.  So I blocked that range, and
| everything is fine.  I ran a virus scan on all machines and nothing came up.
| I know that the RH machine does/can have a lot of monitoring capabilities on
| it.  How can I use that to help find what machine is causing this problem?
| Any pointers will be greatly appreciated.

i'm not familiar with FIRE, but i've used chkroot before
(www.chkrootkit.org). i would definitely check the linux machine first, but
that's because i know squat about finding this stuff in windows.

you might try tcpdump to figure out which computers are going crazy, but
that will only work if you're not on a switched network. i think the only
way linux can monitor the traffic on a switched network is for the traffic
to go through the machine, in other words the linux machine would have to
be your gateway. the only thing i think you can do is port scan the
machines on your network:

 # nmap 10.10.10.1

i'm not sure how you fix a windows machine that's been cracked. i would
probably reinstall, but that is due more to my own ignorance.

-- 
---------------------------------------------------------------
john harrold               | "They that can give up essential  
     jmh at member.fsf.org |  liberty to obtain a little       
/"\                        |  temporary safety deserve neither 
\ / ASCII ribbon campaign  |  liberty nor safety."             
 X  against HTML mail      |                                  
/ \                        |  Benjamin Franklin
---------------------------------------------------------------
gpg --keyserver keys.indymedia.org --recv-key F65A739E
---------------------------------------------------------------
Jim Bakker spells his name with two k's because three 
would be too obvious.
--Bill Maher 
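John's tcpdump suggestion is the practical way to find which internal host is opening thousands of connections, and Chris's update says the cause turned out to be a remote-admin trojan steered over IRC. The script below is an added example, not code from either poster: it parses tcpdump-style TCP lines and reports (a) sources that send an unusual number of SYNs, with the destinations they hammer, and (b) any internal host talking to an IRC port. The capture lines are constructed for the example (the addresses 166.0.0.1 and 198.51.100.9 are made up; only 144.116.184.208 and the 10.10.10.x hosts come from the thread), the line format assumed is modern tcpdump's "Flags [S]" style, and tcp/6667 is assumed for IRC because the thread never names the bot's port. As John notes, tcpdump only sees what reaches its interface, so on a switched network this has to run on the gateway or on a monitor port.

```python
import re
from collections import Counter, defaultdict

# Assumed tcpdump TCP line shape (modern output):
# "HH:MM:SS.ffffff IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Assumption: classic IRC port; the actual port used by the trojan is not in the thread.
IRC_PORTS = {6667}


def parse_line(line):
    """Return a dict (ts, src, sport, dst, dport, flags) or None for non-TCP lines."""
    m = TCP_LINE.match(line)
    if not m:
        return None
    p = m.groupdict()
    p["sport"] = int(p["sport"])
    p["dport"] = int(p["dport"])
    return p


def top_talkers(lines, threshold):
    """Sources that sent at least `threshold` pure SYNs, busiest first.

    Each entry is (src, syn_count, {"dst:port", ...}).  Only flags == "S"
    counts: SYN/ACK replies ("S.") belong to the responder, not the initiator.
    """
    counts = Counter()
    targets = defaultdict(set)
    for p in map(parse_line, lines):
        if p and p["flags"] == "S":
            counts[p["src"]] += 1
            targets[p["src"]].add(f"{p['dst']}:{p['dport']}")
    hits = [(src, n, targets[src]) for src, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: -t[1])


def irc_peers(lines):
    """(src, "dst:port") pairs for any packet headed to an IRC port, regardless of flags."""
    pairs = set()
    for p in map(parse_line, lines):
        if p and p["dport"] in IRC_PORTS:
            pairs.add((p["src"], f"{p['dst']}:{p['dport']}"))
    return pairs


def build_sample():
    """Constructed capture: a normal web fetch, a normal SMB connect, one IRC
    session and one host that floods a web server with SYNs that never complete."""
    lines = [
        "09:00:00.000100 IP 10.10.10.11.1034 > 166.0.0.1.80: Flags [S], seq 1, win 8192",
        "09:00:00.000200 IP 166.0.0.1.80 > 10.10.10.11.1034: Flags [S.], seq 2, ack 2",
        "09:00:00.000300 IP 10.10.10.11.1034 > 166.0.0.1.80: Flags [.], ack 3",
        "09:00:01.000100 IP 10.10.10.20.1100 > 10.10.10.5.139: Flags [S], seq 1, win 8192",
        "09:00:02.000100 IP 10.10.10.37.2045 > 198.51.100.9.6667: Flags [P.], seq 1:20, ack 1",
    ]
    for i in range(12):
        lines.append(
            f"09:00:03.{i:06d} IP 10.10.10.37.{3000 + i} > 144.116.184.208.80: "
            f"Flags [S], seq {i}, win 8192"
        )
    return lines


if __name__ == "__main__":
    capture = build_sample()
    for src, n, dsts in top_talkers(capture, threshold=10):
        print(f"{src}: {n} SYNs to {sorted(dsts)}")
    for src, peer in sorted(irc_peers(capture)):
        print(f"{src} talks to IRC peer {peer}")
```

On a real capture, feed it `tcpdump -n -l tcp` output (the `-n` keeps addresses numeric so the regex matches) and raise the threshold to fit the site's normal traffic; the host that tops the SYN list and also shows up in the IRC list is the one to pull off the wire.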