Re: POSSIBLE WORM / DDOS

Sorry for the delayed response. I have concluded that this activity is caused by another Microsoft misfeature. (Whether it is a virus or not, XP is caching previously accessed URLs/UNCs somewhere, leaving these hosts/shares potential victims for a virus/worm.)

Findings: Upon access to certain local directories of the "hot" machine (E:\, E:\download\), Windows (XP Pro) causes orderly probing of previously accessed FTP URLs and UNCs. (This explains the many Samba queries after the FTP attempts.)

The following caused the network activity:

Start / Run / E:\ <cr>
Start / Run / E:\download <cr>

I searched through the local registry for the targeted IPs and share names (and also searched for possible aliases) but was unable to find anything. I deleted the temporary internet cache, history, etc., and rebooted. The machine still caused the same network activity.

Reapplying generic folder options to the directories that were "triggering" this activity seemed to fix the problem. I wonder where Microsoft is storing this information? Those directories did not have any abnormal/hidden files. Odd.

Someone mentioned this may be ACEBot or GTBot. I found no traces of these Trojans. I have not ruled out a virus. The fact that this happens in regular Windows Explorer (not a shortcut/link inside a browser) worries me.

Thanks for everyone's $0.02.

_______________________________
Eric Weaver

> tcpdump:
>
> 06:29:17.078874 10.2.2.241.1890 > 204.152.189.113.21: S 3272713560:3272713560(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:29:20.081771 10.2.2.241.1891 > 204.152.189.113.21: S 3273527112:3273527112(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:29:23.087434 10.2.2.241.1892 > 209.250.0.132.21: S 3274340020:3274340020(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:29:26.089861 10.2.2.241.1893 > 209.250.0.132.21: S 3275149251:3275149251(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:29:29.301291 10.2.2.241.1028 > 10.2.2.14.53: 161+ A? hawking.res.cmu.edu. (37)
> 06:29:29.302121 10.2.2.14.53 > 10.2.2.241.1028: 161 NXDomain 0/1/0 (118) (DF)
> 06:30:29.836128 10.2.2.241.1938 > 198.133.219.27.21: S 3293275935:3293275935(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:30:32.782191 10.2.2.241.1939 > 62.243.72.50.21: S 3294076486:3294076486(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:30:35.786356 10.2.2.241.1940 > 129.128.5.191.21: S 3294859714:3294859714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:30:38.690326 10.2.2.241.1941 > 66.26.238.15.21: S 3295637385:3295637385(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:30:51.775416 10.2.2.241.1956 > 204.152.189.113.21: S 3299451469:3299451469(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:30:54.804154 10.2.2.241.1957 > 216.10.106.189.21: S 3300252651:3300252651(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:30:57.712465 10.2.2.241.1958 > 204.152.189.113.21: S 3301052975:3301052975(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:31:00.716285 10.2.2.241.1959 > 204.152.189.113.21: S 3301854583:3301854583(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:31:03.721980 10.2.2.241.1960 > 209.250.0.132.21: S 3302638469:3302638469(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:31:06.725382 10.2.2.241.1961 > 209.250.0.132.21: S 3303448449:3303448449(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:31:13.857898 10.2.2.241.1984 > 206.100.24.34.21: S 3306270291:3306270291(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:31:16.836273 10.2.2.241.1985 > 206.100.24.34.21: S 3307075111:3307075111(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:32:02.060208 10.2.2.241.2004 > 198.133.219.27.21: S 3319333584:3319333584(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:32:05.056510 10.2.2.241.2005 > 62.243.72.50.21: S 3320119259:3320119259(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:32:08.009097 10.2.2.241.2006 > 129.128.5.191.21: S 3320930893:3320930893(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:32:11.013294 10.2.2.241.2007 > 66.26.238.15.21: S 3321738567:3321738567(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:32:23.459155 10.2.2.241.2024 > 204.152.189.113.21: S 3325545579:3325545579(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:32:26.462660 10.2.2.241.2025 > 216.10.106.189.21: S 3326338384:3326338384(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:32:29.433905 10.2.2.241.2026 > 204.152.189.113.21: S 3327134151:3327134151(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:32:32.436725 10.2.2.241.2027 > 204.152.189.113.21: S 3327941671:3327941671(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:32:35.443518 10.2.2.241.2028 > 209.250.0.132.21: S 3328724549:3328724549(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:32:38.444911 10.2.2.241.2029 > 209.250.0.132.21: S 3329535547:3329535547(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:32:45.491534 10.2.2.241.2052 > 206.100.24.34.21: S 3332310269:3332310269(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
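As an added detection example (not part of the original post or its capture tooling), the following Python script parses tcpdump lines like the ones quoted above and reports any source host sending SYNs to tcp/21 on several distinct servers, together with the median gap between those SYNs; the steady ~3 s cadence and fan-out across unrelated FTP servers is exactly what made this traffic look like worm or DDoS activity. The sample lines are a subset of the quoted capture, and the fan-out threshold of three hosts is an assumption.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample: a subset of the tcpdump lines quoted in the post above,
# still carrying the mailing-list ">" quote prefix, which the parser strips.
SAMPLE = """\
> 06:29:17.078874 10.2.2.241.1890 > 204.152.189.113.21: S 3272713560:3272713560(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:29:20.081771 10.2.2.241.1891 > 204.152.189.113.21: S 3273527112:3273527112(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:29:23.087434 10.2.2.241.1892 > 209.250.0.132.21: S 3274340020:3274340020(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:29:29.301291 10.2.2.241.1028 > 10.2.2.14.53: 161+ A? hawking.res.cmu.edu. (37)
> 06:30:29.836128 10.2.2.241.1938 > 198.133.219.27.21: S 3293275935:3293275935(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:30:32.782191 10.2.2.241.1939 > 62.243.72.50.21: S 3294076486:3294076486(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 06:30:35.786356 10.2.2.241.1940 > 129.128.5.191.21: S 3294859714:3294859714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
"""

# Timestamp, src ip.port, ">", dst ip.port, ":" and the TCP flags / first payload token.
LINE_RE = re.compile(
    r"^(?:>\s*)*(\d\d):(\d\d):(\d\d\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+(\d+\.\d+\.\d+\.\d+)\.(\d+):\s+(\S+)"
)

def parse_line(line):
    """Return (seconds since midnight, src_ip, dst_ip, dst_port, flags) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hh, mm, ss, src, _sport, dst, dport, flags = m.groups()
    return int(hh) * 3600 + int(mm) * 60 + float(ss), src, dst, int(dport), flags

def ftp_syn_fanout(text, min_targets=3):
    """Distinct tcp/21 SYN targets per source host, plus the median gap between SYNs."""
    targets, times = defaultdict(set), defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        t, src, dst, dport, flags = rec
        if dport == 21 and flags == "S":      # outbound connection attempts to FTP only
            targets[src].add(dst)
            times[src].append(t)
    report = {}
    for src, dsts in targets.items():
        if len(dsts) >= min_targets:          # fan-out threshold (assumed value)
            ts = sorted(times[src])
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            report[src] = {"targets": sorted(dsts),
                           "median_gap_s": round(median(gaps), 1) if gaps else None}
    return report
```

Fed the full quoted capture, the same function reports 10.2.2.241 against eight distinct FTP servers; the DNS query and reply lines are parsed but ignored because they are not SYNs to port 21.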
This archive was generated by hypermail 2b30 : Tue Apr 09 2002 - 08:37:29 PDT