> The problem is, I am detecting a suspicious hit/respond > activity, which, in my opinion, points to an active > bot. No offense, dude, but you're freaking out over nothing. Based on the information you provided, there IS no bot (remember "The Matrix"? "There is no spoon"). > Here's the evidence: when inspecting ZA logs, you can > see a blocked scan (coming every couple of minutes, > from arbitrary addresses The "scans" you're referring to look like NetBIOS name scans...queries to UDP port 137. On normal MS networks, these "scans" would originate from UDP port 137, as well. So...they MAY be scans of some kind. However, the fact that your system is responding would be indicative of something else, possibly w/ your ZA installation. > - I bet they're spoofed Well, that's not "evidence", now, is it? Also, since your logs don't show an ICMP port unreachable response (your system sent out a UDP datagram), that would indicate that, in fact, the source IPs are NOT spoofed. Also, there's nothing in the netstat and fport outputs that you sent that seem to indicate that you have any sort of bot or trojan at all. Is there anything besides the traffic you posted that would lead you to believe that you had something installed on your system? HTH __________________________________________________ Do you Yahoo!? Yahoo! Web Hosting - Let the expert host your site http://webhosting.yahoo.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Nov 17 2002 - 23:11:46 PST