During a client security investigation, we encountered suspicious traffic from a client-machine, to which we can not identify the source, if this is a Trojan, or some sort of worm. The client machine had for three days been sending excessive requests to port 80, to two different IP-addresses. Both targets are 'high- profile', well known international companies. Each target has received over 100 000 connection attempts per day (24 hours). We can't see if the requests were valid HTTP requests, or if the client just connected to port 80, and then dropped the connection - in some sort of DoS attempt to consume resources on the target. The firewall which logged the connections just lists successful attempts to connect to port 80 - but doesn't show packet content. Cisco PIX.... An interesting thing is that the source port in each request, would start at 1025, increase by one to 5000, and then start over with source port 1025. The client machine does have an irc client installed, and this is somewhat alarming. However, the Trend Micro anti-virus software does not detect the virus, with the leates available patternfile (per 2001- 09-10). Any possible clues or leads are appreciated. Regards, ~Mike PGP Fingerprint: 4B7F 8DCA 0C44 019E 1A2D C0E6 775B 12B1 DB47 5C12 ___________________________________ The information included in this e-mail is intended only for the person or entity to which it is addressed. Any use of this information by persons or entities other than the intended recipient is prohibited. If you receive this transmission in error, please delete this email and destroy any copies of it. Any opinions expressed in this email are those of the individual and not necessarily those of the company CCNOX. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Sep 13 2001 - 08:50:23 PDT