Modap Worm Infection and Subsequent Scanning

From: Gordon Chamberlin (glacat_private)
Date: Wed Sep 25 2002 - 08:44:36 PDT


    We were infected with the variant that uses udp 4156 Sunday night. 
    There was quite a bit of scanning on various ports thereafter, logged by
    the firewall.  There was one very odd scan that has me concerned.  
    
    The firewall logged packets going from a different server, not the
    infected one, to 212.82.211.42:
    
    Sep 23 10:57:21 sicily kernel: DROPPING int->ext: IN=eth1 OUT=eth0
    SRC=x.y.z.w DST=212.82.211.42 LEN=38 TOS=0x00 PREC=0x00 TTL=22 ID=27664
    PROTO=UDP SPT=1370 DPT=33501 LEN=18 
    
    There are eight of these messages with DPT proceeding sequentially from
    33501 to 33508, inclusive, within 30 seconds.
    
    Questions:
    Was this other host infected with something?  I have searched it but
    been unable to find any traces of hacking.
    
    
    Assuming w.x.y.z hasn't been cracked, how did someone convince my server
    to try to contact 212.82.211.42?
    
    
    Any other insight or advice?
    
    
    Thanks.
     -Gordon
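The check described in the post (spotting a run of consecutive destination ports from one source within a short window) can be automated over the firewall's own log lines. The script below is an added example, not code from the post or from SecurityFocus; it assumes the netfilter `kernel:` log format shown above (syslog timestamp, host, log prefix, then `KEY=VALUE` fields) and uses constructed sample lines with RFC 5737 documentation addresses in place of the poster's hosts. It also flags a run whose UDP ports all fall inside the default port range of classic Unix traceroute (33434 upward, one port per probe), since an outbound traceroute from a monitoring tool or an administrator is one benign explanation a responder would want to rule out before concluding a host is compromised.

```python
import re
from collections import defaultdict
from datetime import datetime

# netfilter/iptables kernel log line as it appears in the post: syslog
# timestamp, host, "kernel:", a log prefix, then KEY=VALUE fields.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?TTL=(?P<ttl>\d+) .*?"
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Classic Unix traceroute sends UDP probes to ports starting at 33434 and
# increments the port once per probe; with the default 3 probes x 30 hops
# the highest port used is 33434 + 90 - 1.
TRACEROUTE_FIRST_PORT = 33434
TRACEROUTE_LAST_PORT = TRACEROUTE_FIRST_PORT + 3 * 30 - 1

def parse_line(line, year=2002):
    """Return the fields we need, or None for lines without ports (ICMP
    entries, unrelated kernel messages). syslog omits the year, so the
    caller supplies it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "src": m["src"], "dst": m["dst"], "proto": m["proto"],
        "ttl": int(m["ttl"]), "spt": int(m["spt"]), "dpt": int(m["dpt"]),
    }

def summarise(run):
    first, last = run[0], run[-1]
    ports = [e["dpt"] for e in run]
    ttls = [e["ttl"] for e in run]
    return {
        "src": first["src"], "dst": first["dst"], "proto": first["proto"],
        "first_port": ports[0], "last_port": ports[-1], "count": len(run),
        "span_seconds": (last["ts"] - first["ts"]).total_seconds(),
        "ttl_range": (min(ttls), max(ttls)),
        # UDP packets walking up through traceroute's port range look like an
        # outbound traceroute rather than a service scan; worth checking first.
        "traceroute_like": first["proto"] == "UDP"
        and all(TRACEROUTE_FIRST_PORT <= p <= TRACEROUTE_LAST_PORT for p in ports),
    }

def find_sequential_runs(events, min_len=4, window_seconds=60):
    """Group by (src, dst, proto) and return runs in which each packet's DPT
    is the previous DPT plus one, all within window_seconds of the run's
    first packet."""
    flows = defaultdict(list)
    for e in events:
        flows[(e["src"], e["dst"], e["proto"])].append(e)
    runs = []
    for evs in flows.values():
        evs.sort(key=lambda e: (e["ts"], e["dpt"]))
        run = [evs[0]]
        for e in evs[1:]:
            in_window = (e["ts"] - run[0]["ts"]).total_seconds() <= window_seconds
            if e["dpt"] == run[-1]["dpt"] + 1 and in_window:
                run.append(e)
                continue
            if len(run) >= min_len:
                runs.append(run)
            run = [e]
        if len(run) >= min_len:
            runs.append(run)
    runs.sort(key=lambda r: r[0]["ts"])
    return [summarise(r) for r in runs]

def analyse(lines, **kwargs):
    events = [e for e in (parse_line(l) for l in lines) if e]
    return find_sequential_runs(events, **kwargs)

# Constructed sample log modelled on the post's single line; the addresses
# are RFC 5737 documentation ranges, not the poster's hosts.
def _line(ts, src, dst, proto, spt, dpt, ttl):
    return (f"Sep 23 {ts} sicily kernel: DROPPING int->ext: IN=eth1 OUT=eth0 "
            f"SRC={src} DST={dst} LEN=38 TOS=0x00 PREC=0x00 TTL={ttl} ID=27664 "
            f"PROTO={proto} SPT={spt} DPT={dpt} LEN=18")

SAMPLE_LOG = [
    _line("10:57:21", "192.0.2.10", "203.0.113.42", "UDP", 1370, 33501, 22),
    _line("10:57:22", "192.0.2.10", "203.0.113.42", "UDP", 1370, 33502, 22),
    _line("10:57:25", "192.0.2.10", "203.0.113.42", "UDP", 1370, 33503, 23),
    _line("10:57:27", "192.0.2.10", "203.0.113.42", "UDP", 1370, 33504, 23),
    _line("10:57:31", "192.0.2.10", "203.0.113.42", "UDP", 1370, 33505, 23),
    _line("10:57:34", "192.0.2.10", "203.0.113.42", "UDP", 1370, 33506, 24),
    _line("10:57:38", "192.0.2.10", "203.0.113.42", "UDP", 1370, 33507, 24),
    _line("10:57:44", "192.0.2.10", "203.0.113.42", "UDP", 1370, 33508, 24),
    _line("10:58:01", "192.0.2.10", "203.0.113.42", "UDP", 1371, 53, 63),
    "Sep 23 11:03:00 sicily kernel: DROPPING int->ext: IN=eth1 OUT=eth0 "
    "SRC=192.0.2.77 DST=203.0.113.42 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 "
    "PROTO=ICMP TYPE=8 CODE=0",
    _line("11:05:00", "192.0.2.55", "203.0.113.42", "UDP", 5000, 161, 63),
    _line("11:05:01", "192.0.2.55", "203.0.113.42", "UDP", 5000, 162, 63),
    _line("11:05:02", "192.0.2.55", "203.0.113.42", "UDP", 5000, 163, 63),
    _line("11:05:03", "192.0.2.55", "203.0.113.42", "UDP", 5000, 164, 63),
]

if __name__ == "__main__":
    for r in analyse(SAMPLE_LOG):
        print(r)
```

Run against a real log, `analyse` would be fed the lines of the firewall's syslog file; the eight-packet run from the post would come out as one entry with `first_port` 33501, `last_port` 33508 and `traceroute_like` set, while the second constructed run (ports 161 to 164) is reported as a plain sequential sweep. The TTL range in each summary is kept because a traceroute's probes carry increasing TTLs, which a single log line cannot show but a run can.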
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    This archive was generated by hypermail 2b30 : Wed Sep 25 2002 - 19:57:04 PDT