Re: Anyone seen this?

From: Bryan D. Payne (bdpayneat_private)
Date: Tue Aug 27 2002 - 10:53:05 PDT

    Have you tried comparing MD5 checksums of the apache that you downloaded
    and a "known good" version?  If the checksums fail, of course, you should
    contact the location that you downloaded the bad version from to let them
    know that they have a problem.
    
    Also, is Apache the only new / updated software on that machine?  I'd
    agree that this looks rather suspect.
    
    -bryan
    
    
    On Mon, 26 Aug 2002, Gary R. Porter wrote:
    
    > A co-worker in the office loaded what he thought was a standard download of
    > Apache and soon thereafter his machine started trying to reach a wide
    > assortment of addresses on seemingly random ports that our firewall is not
    > configured to let out, resulting in internal netprobes.  Many of the
    > addresses look suspicious.  Has anyone seen this type of thing before?
    >
    > Aug 26 15:54:51  tcp  (source IPADD)  2774      209.61.184.227    6346
    > Aug 26 15:54:51  tcp  XX.XXX.XXX.XX   2766 CPE-144-137-30-210.    5605
    > Aug 26 15:54:51  tcp  XX.XXX.XXX.XX   2767 usr1271-udd.blueyon    9613
    > Aug 26 15:54:52  tcp  XX.XXX.XXX.XX   2768      161.45.178.190    7867
    > Aug 26 15:54:52  tcp  XX.XXX.XXX.XX   2769 12-249-40-71.client    8386
    > Aug 26 15:54:53  tcp  XX.XXX.XXX.XX   2770 N890P015.adsl.highw    6226
    > Aug 26 15:54:53  tcp  XX.XXX.XXX.XX   2771 209-124-131-186.pep    4396
    > Aug 26 15:54:54  tcp  XX.XXX.XXX.XX   2774      209.61.184.227    6346
    > Aug 26 15:54:54  tcp  XX.XXX.XXX.XX   2772 0x503e2304.arcnxx12    8740
    > Aug 26 15:54:54  tcp  XX.XXX.XXX.XX   2773 dyn-168-11.paonline    8922
    > Aug 26 15:54:56  tcp  XX.XXX.XXX.XX   2775 209-124-131-186.pep    4396
    > Aug 26 15:54:57  tcp  XX.XXX.XXX.XX   2776 226-232-234-66.tran    6840
    > Aug 26 15:54:58  tcp  XX.XXX.XXX.XX   2775 209-124-131-186.pep    4396
    > Aug 26 15:54:59  tcp  XX.XXX.XXX.XX   2776 226-232-234-66.tran    6840
    > Aug 26 15:55:00  tcp  XX.XXX.XXX.XX   2774      209.61.184.227    6346
    > Aug 26 15:55:01  tcp  XX.XXX.XXX.XX   2777      209.61.184.225    6346
    > Aug 26 15:55:02  tcp  XX.XXX.XXX.XX   2778 0x503e2304.arcnxx12    8740
    > Aug 26 15:55:04  tcp  XX.XXX.XXX.XX   2777      209.61.184.225    6346
    > Aug 26 15:55:04  tcp  XX.XXX.XXX.XX   2775 209-124-131-186.pep    4396
    > Aug 26 15:55:05  tcp  XX.XXX.XXX.XX   2778 0x503e2304.arcnxx12    8740
    > Aug 26 15:55:05  tcp  XX.XXX.XXX.XX   2776 226-232-234-66.tran    6840
    > Aug 26 15:55:08  tcp  XX.XXX.XXX.XX   2779 209-124-131-186.pep    4396
    > Aug 26 15:55:10  tcp  XX.XXX.XXX.XX   2777      209.61.184.225    6346
    > Aug 26 15:55:10  tcp  XX.XXX.XXX.XX   2780 226-232-234-66.tran    6840
    > Aug 26 15:55:11  tcp  XX.XXX.XXX.XX   2779 209-124-131-186.pep    4396
    >
    > Gary R. Porter
    > Program Manager, CITS Mobile Training
    > MATCOM Corporation
    > 757-838-0212 (w)
    > 757-897-5830 (m)
    > gary.porterat_private
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
    
    
    
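Worked example, added to this archive page and not part of either message above: the checksum comparison Bryan suggests, done against a known-good digest, plus a small summary of firewall log lines in the format Gary quoted, so the "many destinations, many random ports" pattern can be measured rather than eyeballed. Function names, the file path and the minimum-destination threshold are my own; the sample log lines are copied from the quoted post, and the known-good digests used in the test are the standard MD5/SHA-256 values of short constant strings. One caveat the thread does not spell out: a checksum file served by the same mirror as the archive proves nothing if that mirror is the thing that was tampered with, so the "known good" value should come from a different source (the project's own site or its signed release announcement), and where a detached PGP signature is published, verifying that is stronger than comparing any hash. MD5 was the norm for this in 2002; SHA-256 is the better choice today and the code accepts either.

```python
"""Added example for the thread above: verify a downloaded archive against
a known-good digest, and summarise outbound fan-out from firewall log lines.
Paths, function names and thresholds here are illustrative assumptions."""
import hashlib
import hmac
import re
from collections import Counter


def digest_bytes(data, algo="md5"):
    """Hex digest of an in-memory blob (handy for tests and small files)."""
    return hashlib.new(algo, data).hexdigest()


def digest_file(path, algo="md5", chunk=1 << 16):
    """Hash a file in chunks so a multi-megabyte tarball is not read at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_bytes(data, known_good, algo="md5"):
    """True if data hashes to known_good. known_good should come from a
    source other than the mirror the archive was fetched from."""
    actual = digest_bytes(data, algo).lower()
    # constant-time comparison of the two hex strings
    return hmac.compare_digest(actual, known_good.strip().lower())


def verify_file(path, known_good, algo="md5"):
    """Same check for a file on disk, e.g. verify_file('apache.tar.gz', md5)."""
    actual = digest_file(path, algo).lower()
    return hmac.compare_digest(actual, known_good.strip().lower())


# Firewall log format from the quoted post:
#   <mon> <day> <hh:mm:ss>  <proto>  <src>  <sport>  <dst>  <dport>
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s*$"
)

# Sample lines copied from the quoted post (hosts as they appeared there).
SAMPLE_LOG = """\
Aug 26 15:54:51  tcp  XX.XXX.XXX.XX   2766 CPE-144-137-30-210.    5605
Aug 26 15:54:51  tcp  XX.XXX.XXX.XX   2767 usr1271-udd.blueyon    9613
Aug 26 15:54:52  tcp  XX.XXX.XXX.XX   2768      161.45.178.190    7867
Aug 26 15:54:52  tcp  XX.XXX.XXX.XX   2769 12-249-40-71.client    8386
Aug 26 15:54:53  tcp  XX.XXX.XXX.XX   2770 N890P015.adsl.highw    6226
Aug 26 15:54:53  tcp  XX.XXX.XXX.XX   2771 209-124-131-186.pep    4396
Aug 26 15:54:54  tcp  XX.XXX.XXX.XX   2774      209.61.184.227    6346
Aug 26 15:55:01  tcp  XX.XXX.XXX.XX   2777      209.61.184.225    6346
Aug 26 15:55:04  tcp  XX.XXX.XXX.XX   2777      209.61.184.225    6346
""".splitlines()


def parse_log(lines):
    """Parse lines in the format above; tolerates a leading '>' quote mark
    and skips anything that does not match."""
    recs = []
    for line in lines:
        m = LOG_RE.match(line.strip().lstrip(">").strip())
        if m:
            recs.append(m.groupdict())
    return recs


def fanout_summary(lines):
    """Count distinct destinations and destination ports, and report the
    source-port range, which is what distinguishes one client talking to a
    few peers from a box spraying connections at many unrelated hosts."""
    recs = parse_log(lines)
    dests = Counter(r["dst"] for r in recs)
    dports = Counter(int(r["dport"]) for r in recs)
    sports = sorted({int(r["sport"]) for r in recs})
    return {
        "connections": len(recs),
        "distinct_dests": len(dests),
        "distinct_dports": len(dports),
        "top_dports": dports.most_common(3),
        "sport_span": (sports[0], sports[-1]) if sports else None,
    }


def looks_like_fanout(summary, min_dests=5):
    """Heuristic (threshold is an assumption): many distinct hosts on many
    distinct ports within the window is worth a closer look."""
    return summary["distinct_dests"] >= min_dests and summary["distinct_dports"] >= min_dests


if __name__ == "__main__":
    s = fanout_summary(SAMPLE_LOG)
    print(s, "suspect" if looks_like_fanout(s) else "normal")
```

Run it against the full firewall export rather than the excerpt, and compare the verdict with the same summary for a machine that is known to be clean; the heuristic threshold above is a starting point, not a rule.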



    This archive was generated by hypermail 2b30 : Tue Aug 27 2002 - 13:18:13 PDT