[wplug] Strange IP Traffic

Ken ken at ramblernet.com
Sun Aug 22 17:22:50 EDT 2004


Follow-up: (SUCCESS)
 
I thought I'd post my results in the event someone else runs across this
issue.
 
To summarize, I had a W2K box on my network that began to use network
resources when I knew nothing should have been active. My initial
tip-off was the network icon in the system tray was active. Using the
Linux server (RH 9.0) I used ethereal to snoop the traffic and see what
IP addresses were being accessed. A few private addresses and some of
Microsoft's were being accessed over port 80.
 
I used several different anti-trojan and virus scanners to locate the
intruder. None of these located anything out of the ordinary. If it
hadn't been for packet snooping I might have waited to see if this
resolved itself.
 
After several hours of investigation I learned the following executables
were installed by an ActiveX installer.
 
c:\windows\services.exe
c:\windows\system32\mssyncr.exe
 
These were the infections responsible for the network traffic. Removing
these two files and also registry keys with reference to mssyncr.exe
eliminated the unwanted culprit. These are not OS related files (W2K).
 
Once again Linux came to the rescue!
 
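Added example, not from Ken's post or from the WPLUG list: a small Python script that applies the same triage Ken did by hand to a summarised capture. It takes "src dst dport" records such as you would export from ethereal or tcpdump on the gateway, and flags any LAN host that (a) walks a single remote IP on incrementally increasing TCP ports, the pattern in the original report, or (b) talks to several external addresses on port 80 when nothing should be active. The addresses, ports and thresholds below are constructed for the example; the only real assumption is that the LAN uses RFC 1918 space.

```python
"""Flag LAN hosts whose outbound TCP flows match the thread's symptoms.

Constructed sample data and thresholds; addresses are documentation ranges.
"""
import ipaddress
from collections import defaultdict

# RFC 1918 ranges; anything else is treated as "external" (assumption).
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: one line per connection, "src dst dport", in the
# order the flows were seen on the Linux gateway.
SAMPLE_FLOWS = """\
192.168.1.20 203.0.113.45 1041
192.168.1.20 203.0.113.45 1042
192.168.1.20 203.0.113.45 1043
192.168.1.20 203.0.113.45 1044
192.168.1.20 198.51.100.7 80
192.168.1.20 198.51.100.8 80
192.168.1.20 192.168.1.1 80
192.168.1.30 198.51.100.9 80
192.168.1.30 198.51.100.9 80
"""


def is_external(ip):
    """True when the address is outside the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def parse_flows(text):
    """Parse 'src dst dport' lines into (src, dst, dport) tuples; skip junk."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # malformed line, ignore rather than abort the run
        flows.append((parts[0], parts[1], int(parts[2])))
    return flows


def longest_sequential_run(ports):
    """Longest run of consecutive increasing ports in arrival order.

    [1041, 1042, 1043] -> 3; [80, 80] -> 1; [] -> 0.
    """
    best = run = 1 if ports else 0
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def analyse(flows, min_run=3, min_external=2):
    """Return {src: finding} for hosts showing either suspicious pattern."""
    per_src = defaultdict(lambda: defaultdict(list))
    for src, dst, dport in flows:
        per_src[src][dst].append(dport)

    findings = {}
    for src, dsts in per_src.items():
        # (a) same remote IP hit on incrementally increasing ports
        seq_targets = sorted(d for d, ports in dsts.items()
                             if longest_sequential_run(ports) >= min_run)
        # (b) several distinct external hosts contacted on port 80
        external_http = sorted(d for d, ports in dsts.items()
                               if 80 in ports and is_external(d))
        if seq_targets or len(external_http) >= min_external:
            findings[src] = {"sequential_ports_to": seq_targets,
                             "external_http": external_http}
    return findings


if __name__ == "__main__":
    for host, info in analyse(parse_flows(SAMPLE_FLOWS)).items():
        print(host, info)
```

Run it against a real export and the flagged source is the box to look at with a process-to-socket tool; the capture tells you which host and where it is talking, not which executable, which is why Ken still had to hunt for the binaries on the Windows side.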

-----Original Message-----
From: wplug-bounces+wplug=ramblernet.com at wplug.org
[mailto:wplug-bounces+wplug=ramblernet.com at wplug.org] On Behalf Of Ken
Sent: Friday, August 20, 2004 2:00 PM
To: 'General user list'
Subject: RE: [wplug] Strange IP Traffic


I inadvertently listed the IP incorrectly, my apologies.
It should have been 69.25.27.171 and I noticed 69.25.27.172 as well.
 
The traffic is coming from services.exe on the windows box. If I
restrict its ability to access the net, traffic stops.
 
I have also adjusted my WPLUG email address since it was distracting to
some. The account of wplug at ramblernet.com has been replaced by
ken at ramblernet.com. Messages sent to the previous will bounce.
 
Thanks - Ken

-----Original Message-----
From: wplug-bounces+wplug=ramblernet.com at wplug.org
[mailto:wplug-bounces+wplug=ramblernet.com at wplug.org] On Behalf Of Ryan
Brown
Sent: Friday, August 20, 2004 10:42 AM
To: 'General user list'
Subject: RE: [wplug] Strange IP Traffic



Canonical: dialup-67.25.27.171.Dial1.Miami1.Level3.net
Numerical: 67.25.27.171

 

Are you by chance talking to someone in Miami on an instant messenger
client?


From:  Ken 
Sent: Friday, August 20, 2004 10:08 AM
To: wplug at wplug.org
Subject: [wplug] Strange IP Traffic

 

I've noticed some strange IP traffic from one of my W2K systems across
the firewall. 
It appears that packets are going from my Windows box to IP 67.25.27.171
on incremental TCP ports (reporting open ports?). I've used the various
virus & Trojan scans that report nothing. I'm not positive but it looks
like services.exe may be sending the data or being used by another app.

Has anyone seen this before? 

Thanks 
Ken 


-- 
This message has been scanned for viruses and 
dangerous content by  <http://www.RamblerNet.com/> RamblerNet.com, and
is 
believed to be clean. 

