Re: question from a newbie regarding possible trojan

Before trying to figure out if your system is infected and looking for trojans and worms, look closer at the data.  Two of the systems connected to are POP3 mail servers.  Probably one for your ISP and one for your school/work place.

The rest are web servers and most are associated with Microsoft, some for web browsing and others for downloads (Microsoft Updates).  Were you browsing late at night?  Did you have a mail client running that was configured to periodically check your POP servers?

PORT 110 -- POP3 Mail Servers
-----------------------------
	mail.nb.shawcable.net
	rm-rstar.sfu.ca (Simon Fraser University - in Canada)

PORT 80 -- HTTP Web Servers
---------------------------
	??? (microsoft.com)
	www.international.microsoft.com
	msdownload.microsoft.com
	msdownload.microsoft.com
	c.msn.com
	Digital Guardian (security company in NJ)

Have you defined HOME_NET in snort.conf to your IP address so that snort knows what traffic is from your machine/net versus to your machine/net?

Dave Goldsmith

On Tue, 17 Sep 2002 00:36:13 -0700
Adrian Gheorghe <adrianghe@shaw.ca> wrote:

> I have tracked a weird activity on my external interface lately (few days)
> I used "snort", and the portscan.log file shows the following activity:
> #tail portscan.log
> Sep 17 00:21:41 <my ip>:1489 -> SYN ******S*
> Sep 17 00:21:42 <my ip>:1501 -> SYN ******S*
> Sep 17 00:21:58 <my ip>:1502 -> SYN ******S*
> Sep 17 00:21:58 <my ip>:1503 -> SYN ******S*
> Sep 17 00:21:58 <my ip>:1504 -> SYN ******S*
> Sep 17 00:22:22 <my ip>:1505 -> SYN ******S*
> Sep 17 00:24:21 <my ip>:1507 -> SYN ******S*
> Sep 17 00:24:24 <my ip>:1511 -> SYN ******S*
> Sep 17 00:25:49 <my ip>:1514 -> SYN ******S*
> Sep 17 00:25:55 <my ip>:1516 -> SYN ******S*
> I checked what processes are running on my machine, and there is nothing
> that I think might be suspicious.
> (I run bind9 on my internal interface, which has been configured to have no
> access to the outside world)
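
The triage suggested in the reply (group the logged SYNs by destination and port, and use HOME_NET to tell outbound from inbound) can be scripted; this is an added example, not part of the original thread. The line layout with a destination after "->", the HOME_NET value, the EXPECTED port table and every address in SAMPLE are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: HOME_NET as it would be defined in snort.conf (constructed address).
HOME_NET = ipaddress.ip_network("192.0.2.10/32")
# Assumption: services a desktop normally reaches as a client.
EXPECTED = {25: "smtp", 53: "dns", 80: "http", 110: "pop3", 443: "https"}

# Assumed line layout: "<date> <src>:<sport> -> <dst>:<dport> SYN ******S*"
LINE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<src>[\d.]+):\d+\s->\s"
                  r"(?P<dst>[\d.]+):(?P<dport>\d+)\s")

# Constructed sample; all addresses are documentation ranges.
SAMPLE = """\
Sep 17 00:21:41 192.0.2.10:1489 -> 198.51.100.5:110 SYN ******S*
Sep 17 00:21:42 192.0.2.10:1501 -> 198.51.100.5:110 SYN ******S*
Sep 17 00:21:58 192.0.2.10:1502 -> 203.0.113.20:80 SYN ******S*
Sep 17 00:21:58 192.0.2.10:1503 -> 203.0.113.20:80 SYN ******S*
Sep 17 00:22:22 192.0.2.10:1505 -> 203.0.113.99:12345 SYN ******S*
Sep 17 00:23:02 203.0.113.50:4021 -> 192.0.2.10:22 SYN ******S*
Sep 17 00:24:21 <truncated line>
"""

def triage(log_text, home_net=HOME_NET):
    """Split entries into outbound/inbound; flag outbound ports not in EXPECTED."""
    outbound, inbound, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        try:
            if m is None:
                raise ValueError("unparsed line")
            src = ipaddress.ip_address(m["src"])
        except ValueError:              # truncated line or invalid address
            skipped += 1
            continue
        key = (m["dst"], int(m["dport"]))
        if src in home_net:
            outbound[key] += 1          # our host initiated the connection
        else:
            inbound[(m["src"], key[1])] += 1   # another host connecting to us
    unexpected = {k: n for k, n in outbound.items() if k[1] not in EXPECTED}
    return outbound, inbound, unexpected, skipped

if __name__ == "__main__":
    out, inn, odd, skipped = triage(SAMPLE)
    for (dst, port), n in sorted(out.items()):
        print(f"out {dst}:{port:<5} x{n}  {EXPECTED.get(port, 'UNEXPECTED')}")
    for (src, port), n in sorted(inn.items()):
        print(f"in  {src} -> port {port} x{n}")
    print(f"{skipped} unparsed line(s)")
```

Resolving each outbound destination to a hostname, as the reply does by hand, is the next step for anything left in the unexpected set.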

