
Re: question from a newbie regarding possible trojan



Before trying to figure out if your system is infected and looking for trojans and worms, look closer at the data.  Two of the systems connected to are POP3 mail servers.  Probably one for your ISP and one for your school/work place.

The rest are web servers and most are associated with Microsoft, some for web browsing and others for downloads (Microsoft Updates).  Were you browsing late at night?  Did you have a mail client running that was configured to periodically check your POP servers?

PORT 110 -- POP3 Mail Servers
-----------------------------
24.71.223.43	mail.nb.shawcable.net
142.58.120.21	rm-rstar.sfu.ca (Simon Fraser University - in Canada)

PORT 80 -- HTTP Web Servers
---------------------------
207.46.196.102	??? (microsoft.com)
207.46.197.113	www.international.microsoft.com
207.46.235.150	msdownload.microsoft.com
207.46.235.162	msdownload.microsoft.com
207.68.184.62	c.msn.com
209.11.107.14	Digital Guardian (security company in NJ)

Have you defined HOME_NET in snort.conf to your IP address so that snort knows what traffic is from your machine/net versus to your machine/net?

Dave Goldsmith



On Tue, 17 Sep 2002 00:36:13 -0700
Adrian Gheorghe <adrianghe@shaw.ca> wrote:

> I have tracked a weird activity on my external interface lately (few days)
> I used "snort", and the portscan.log file shows the following activity:
> 
> #tail portscan.log
> 
> Sep 17 00:21:41 <my ip>:1489 -> 207.46.197.113:80 SYN ******S*
> Sep 17 00:21:42 <my ip>:1501 -> 207.46.197.113:80 SYN ******S*
> Sep 17 00:21:58 <my ip>:1502 -> 207.46.196.102:80 SYN ******S*
> Sep 17 00:21:58 <my ip>:1503 -> 207.46.196.102:80 SYN ******S*
> Sep 17 00:21:58 <my ip>:1504 -> 207.68.184.62:80 SYN ******S*
> Sep 17 00:22:22 <my ip>:1505 -> 207.46.235.162:80 SYN ******S*
> Sep 17 00:24:21 <my ip>:1507 -> 24.71.223.43:110 SYN ******S*
> Sep 17 00:24:24 <my ip>:1511 -> 142.58.120.21:110 SYN ******S*
> Sep 17 00:25:49 <my ip>:1514 -> 207.46.235.150:80 SYN ******S*
> Sep 17 00:25:55 <my ip>:1516 -> 209.11.107.14:80 SYN ******S*
> 
> I checked what processes are running on my machine, and there is nothing
> that I think might be suspicious.
> (I run bind9 on my internal interface, which has been configured to have no
> access to the outside world)
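As an added example, not part of Dave's reply, Adrian's post, or the snort distribution, here is a small Python triage of a portscan.log excerpt in the format quoted above. It does the two things the reply recommends: it applies a HOME_NET so each SYN is classified as outbound, inbound or internal, and it separates outbound connections to ordinary client ports (80, 110, etc.) from anything else. The addresses 192.0.2.10 (standing in for the redacted "<my ip>"), 198.51.100.7 and 203.0.113.9, the last three log lines, and the HOME_NET value 192.0.2.0/24 are all constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the portscan.log format quoted in the thread. The
# poster redacted their address as "<my ip>"; 192.0.2.10 stands in for it.
# The last three lines (two inbound SYNs and one outbound SYN to tcp/6667)
# are added here to show the cases the real excerpt does not contain.
SAMPLE_LOG = """\
Sep 17 00:21:41 192.0.2.10:1489 -> 207.46.197.113:80 SYN ******S*
Sep 17 00:21:42 192.0.2.10:1501 -> 207.46.197.113:80 SYN ******S*
Sep 17 00:21:58 192.0.2.10:1502 -> 207.46.196.102:80 SYN ******S*
Sep 17 00:21:58 192.0.2.10:1504 -> 207.68.184.62:80 SYN ******S*
Sep 17 00:24:21 192.0.2.10:1507 -> 24.71.223.43:110 SYN ******S*
Sep 17 00:24:24 192.0.2.10:1511 -> 142.58.120.21:110 SYN ******S*
Sep 17 00:25:49 192.0.2.10:1514 -> 207.46.235.150:80 SYN ******S*
Sep 17 00:26:03 198.51.100.7:4321 -> 192.0.2.10:445 SYN ******S*
Sep 17 00:26:04 198.51.100.7:4322 -> 192.0.2.10:139 SYN ******S*
Sep 17 00:26:10 192.0.2.10:1520 -> 203.0.113.9:6667 SYN ******S*
"""

# One line: "<Mon> <day> <hh:mm:ss> <src>:<sport> -> <dst>:<dport> <type> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<scan>\S+)\s+(?P<flags>\S+)$"
)

# Destination ports a desktop is expected to open as a client. Anything
# outbound that is not on this list is worth a closer look.
EXPECTED_CLIENT_PORTS = {25: "smtp", 53: "dns", 80: "http", 110: "pop3", 443: "https"}


def parse_line(line):
    """Parse one portscan.log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    e = m.groupdict()
    e["sport"] = int(e["sport"])
    e["dport"] = int(e["dport"])
    return e


def direction(entry, home_net):
    """Classify a flow relative to HOME_NET: outbound, inbound, internal or external."""
    src_home = ipaddress.ip_address(entry["src"]) in home_net
    dst_home = ipaddress.ip_address(entry["dst"]) in home_net
    if src_home and dst_home:
        return "internal"
    if src_home:
        return "outbound"
    if dst_home:
        return "inbound"
    return "external"


def source_ports_sequential(entries, host):
    """True if every SYN from `host` uses a higher ephemeral source port than
    the previous one, which is what one OS opening successive client
    connections looks like (1489, 1501, 1502, ... in the quoted log)."""
    ports = [e["sport"] for e in entries if e["src"] == host]
    return all(a < b for a, b in zip(ports, ports[1:]))


def triage(log_text, home_net_cidr):
    """Split the log into the buckets an analyst wants to look at first."""
    home_net = ipaddress.ip_network(home_net_cidr, strict=False)
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    result = {"outbound_expected": Counter(), "outbound_odd": [],
              "inbound": [], "unclassified": 0}
    for e in entries:
        d = direction(e, home_net)
        if d == "outbound":
            service = EXPECTED_CLIENT_PORTS.get(e["dport"])
            if service:
                result["outbound_expected"][(e["dst"], service)] += 1
            else:
                result["outbound_odd"].append(e)
        elif d == "inbound":
            result["inbound"].append(e)
        else:
            # "internal" or "external": with HOME_NET set to any, everything
            # lands here and the log tells you nothing about direction.
            result["unclassified"] += 1
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_LOG, "192.0.2.0/24")
    print("expected outbound client traffic:")
    for (dst, svc), n in sorted(r["outbound_expected"].items()):
        print(f"  {dst:16} {svc:5} x{n}")
    print("outbound to unexpected ports:")
    for e in r["outbound_odd"]:
        print(f"  {e['ts']} {e['src']}:{e['sport']} -> {e['dst']}:{e['dport']}")
    print("inbound SYNs:")
    for e in r["inbound"]:
        print(f"  {e['ts']} {e['src']}:{e['sport']} -> {e['dst']}:{e['dport']}")
    entries = [e for e in map(parse_line, SAMPLE_LOG.splitlines()) if e]
    print("source ports sequential:", source_ports_sequential(entries, "192.0.2.10"))
    print("with HOME_NET any:", triage(SAMPLE_LOG, "0.0.0.0/0")["unclassified"], "unclassified")
```

Run with the HOME_NET actually assigned to the external interface; the final call shows what happens when HOME_NET is left as "any": every flow is internal to the monitored net, so nothing is separated into outbound and inbound and the log cannot answer the question Dave is asking.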


