All: I have several machines that are using excessive bandwidth. Upon inspection, I find multiple connections to servers with names like irc.badguuy.com, etc... On 6667. Incoming connections are random although 1067 seems to be a common one. I have 4 instances of cmd.exe running and 2 of win.exe While it looks like Egghead, the reg entries aren't there nor the directories/files. These machines all had an account ID of Microsoft with admin privs on them. They don't connect to a domain and were setup by the department "tech" person who left them wide open. What is confusing to me is that one of them uses our Exchange server which is protected by Antigen (and I pull nearly every extension known to man) and McAffee on the desktop. I can't find anything that matches this. Anyone have any insight? Thanks J ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Apr 08 2002 - 14:47:53 PDT