Re: Possible new trojan?

From: H C (keydet89at_private)
Date: Thu Sep 13 2001 - 10:20:59 PDT

    Mike,
    
    I'd like to give you a couple of things to consider:
    
    1. Did you perform a packet capture on the network?
    2. Did you dump the process list from the machine
    during this activity?
    3. What is the OS of the target system (this would
    help myself and others recommend tools)?
    4. Did you check the contents of the Run,
    RunServices, RunOnce Registry keys (if the target
    system is a MS platform)?  How about startup
    directories for the currently logged on user?  Or, if
    the system is Win98, the system.ini and win.ini files?
    
    > During a client security investigation, we encountered
    > suspicious traffic from a client-machine, to which we
    > cannot identify the source, if this is a Trojan, or
    > some sort of worm.
    
    Again, what is the process list from the machine?  For
    tools to use on NT/2K platforms, check out:
    
    http://www.securityfocus.com/focus/microsoft/2k/forensictools.html
    
    
    > The client machine had for three days been sending
    > excessive requests to port 80, to two different
    > IP-addresses. Both targets are 'high-profile', well
    > known international companies. Each target has
    > received over 100 000 connection attempts per day
    > (24 hours).
    >
    > We can't see if the requests were valid HTTP requests,
    > or if the client just connected to port 80, and then
    > dropped the connection
    
    Did you use a sniffer on the same segment?  Tcpdump
    from Linux, Windump for Win32, snort for both?
    
    > An interesting thing is that the source port in each
    > request, would start at 1025, increase by one to 5000,
    > and then start over with source port 1025.
    
    That should be fairly normal activity, actually.  I'm
    not sure about rolling over specifically at 5000, but
    starting at a high port (i.e., above 1024) is normal.
     
    > The client machine does have an irc client installed,
    > and this is somewhat alarming.
    
    How so?  It might have served as the infection vector,
    but I don't necessarily see how the presence of just
    an irc client is "alarming".
    
    > However, the Trend Micro anti-virus software does not
    > detect the virus, with the latest available pattern
    > file (per 2001-09-10).
    
    Maybe it's not a trojan at all.
    
    With more info, I could help you more specifically. 
    Please feel free to contact me at
    "keydet89at_private".  I also teach a 2-day Incident
    Response Course for NT/2K admins.
    
    Carv
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
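One way to answer the "did you use a sniffer" question with data: the script below (an added example, not part of the original thread or any tool it names) parses tcpdump-style SYN lines and reports hosts that hammer one destination on port 80, also checking for the incrementing source-port pattern the original post describes. The capture lines are constructed for this example and only approximate real tcpdump output; the threshold of 3 is a sample value, not the 100 000/day figure from the post.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style SYN lines (not a real capture). The source port
# of the suspect host walks upward from 1025, as described in the post.
SAMPLE_CAPTURE = """\
10:20:01.000100 IP 192.0.2.10.1025 > 203.0.113.5.80: S 1:1(0) win 8192
10:20:01.000900 IP 192.0.2.10.1026 > 203.0.113.5.80: S 1:1(0) win 8192
10:20:01.001700 IP 192.0.2.10.1027 > 203.0.113.5.80: S 1:1(0) win 8192
10:20:01.002500 IP 192.0.2.10.1028 > 198.51.100.7.80: S 1:1(0) win 8192
10:20:01.003300 IP 192.0.2.10.1029 > 203.0.113.5.80: S 1:1(0) win 8192
10:20:02.000000 IP 192.0.2.20.3311 > 203.0.113.9.80: S 1:1(0) win 8192
10:20:02.000400 IP 203.0.113.5.80 > 192.0.2.10.1025: S 2:2(0) ack 2 win 8192
"""

# timestamp, "IP", src.sport > dst.dport: S ...   (assumed line shape)
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): S ")

def parse_syns(text):
    """Return (src, sport, dst, dport) for each initial SYN; SYN/ACK replies
    (lines carrying 'ack') are skipped so only connection attempts count."""
    syns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or " ack " in line:
            continue
        src, sport, dst, dport = m.groups()
        syns.append((src, int(sport), dst, int(dport)))
    return syns

def find_scanners(text, threshold=3, dport=80):
    """Map (src, dst) -> stats for sources whose SYN count to that destination
    meets the threshold; also flag whether the source's ephemeral ports
    increase by exactly one each time (the 1025..5000 walk from the post)."""
    counts = defaultdict(int)
    ports = defaultdict(list)        # per source host, not per destination
    for src, sport, dst, dp in parse_syns(text):
        if dp != dport:
            continue
        counts[(src, dst)] += 1
        ports[src].append(sport)
    report = {}
    for (src, dst), n in counts.items():
        if n >= threshold:
            seq = ports[src]
            sequential = all(b - a == 1 for a, b in zip(seq, seq[1:]))
            report[(src, dst)] = {"attempts": n, "sequential_sport": sequential}
    return report

if __name__ == "__main__":
    for key, stats in find_scanners(SAMPLE_CAPTURE).items():
        print(key, stats)
```

Run it over a real `tcpdump -n 'tcp[13] & 2 != 0'` capture after adjusting the regex to the exact output format of your tcpdump/windump version.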
    



    This archive was generated by hypermail 2b30 : Thu Sep 13 2001 - 10:23:31 PDT