Re: [Full-Disclosure] Transamericana.org

From: Michael Rutledge (michael4447_at_gmail.com)
Date: 01/29/05

    Date: Sat, 29 Jan 2005 08:53:31 -0600
    To: Antonio Henrique Oliveira <tat@postmark.net>
    
    

    This may be a stretch (a large stretch), but someone could have
    planted something on your Windows box that is using pings as a covert
    channel (given that person has also taken control of the webserver
    that hosts transamericana.org and can watch the connection logs). Do
    you have a capture of the pings for someone to do a frequency analysis
    on?

    Also, you may want to post a list of your currently running processes
    in hopes someone may spot something that looks wrong.

    -Michael

    On Sat, 29 Jan 2005 12:03:39 +0000, Antonio Henrique Oliveira
    <tat@postmark.net> wrote:
    > Gregh wrote:
    > > ----- Original Message -----
    > > From: "Antonio Henrique Oliveira" <tat@postmark.net>
    > > To: <full-disclosure@lists.netsys.com>
    > > Sent: Saturday, January 29, 2005 9:46 PM
    > > Subject: [Full-Disclosure] Transamericana.org
    > >
    > >
    > >
    > >>Dear all,
    > >>
    > >>Please excuse me if this is a bit off-topic, but since this is the only
    > >>IT related mailing list I subscribe (apart from Secunia's) I decided to
    > >>post here.
    > >>
    > >>From sometime ago (I cannot determine exactly when this started to
    > >>happen), my workstation (WinXP SP2 PT, fully patched) has been sending
    > >>out ping requests to www.transamericana.org when I login to the machine
    > >>(right at the beginning of the login process, and only at that time).
    > >>
    > >
    > >
    > > Perchance is your DNS hosted there? Eg, your ISP's DNS servers?
    > >
    > > Greg.
    > No. The Linux box runs bind for the internal (and external) networks and
    > does direct queries to the root servers, not using our ISP's DNS. The
    > internal network is configured with DHCP and the DNS server for all
    > hosts is set to the linux box internal address. Also, my workstation
    > (and there are 5 more) is the only one doing this.
    >
    > Regards,
    > --
    > Anto'nio Henrique A. Proenca de Oliveira
    >
    > "Although we can never go back, like an old sweet song with a strong
    > refrain, memories remain" - (Someone)
    >
    > Please avoid sending me Word or PowerPoint attachments.
    > See http://www.fsf.org/philosophy/no-word-attachments.html
    > $Id: .signature,v 1.3 2004/07/14 08:08:10 tat Exp tat $
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
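The "frequency analysis" Michael asks for can be sketched in a few lines. The script below is an added example, not part of the thread and not a tool either poster used: it takes ICMP echo-request records as a dissector would extract them from a capture (timestamp, ICMP id, sequence number, payload), compares each payload's byte-frequency distribution and Shannon entropy against the 32-byte default payload of the Windows ping client, and also looks at inter-packet timing and sequence-number gaps, since a covert channel tends to differ from an ordinary ping in one of those three places. The sample records and the thresholds are constructed for the example.

```python
"""Frequency analysis of captured ICMP echo requests (added example).

Input is a list of (timestamp, icmp_id, icmp_seq, payload) tuples, which is
what you would pull out of a packet capture with a dissector; here the records
are constructed inline so the script runs offline.
"""
import math
from collections import Counter

# Default payload of the Windows ping.exe echo request (32 bytes).
WINDOWS_DEFAULT_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

# Constructed sample: three ordinary pings one second apart, then a burst of
# three requests 5 ms apart whose payloads carry 32 distinct byte values each
# (the kind of payload a covert channel might stuff into an echo request).
SAMPLE_ECHO_REQUESTS = [
    (0.000, 0x0200, 1, WINDOWS_DEFAULT_PAYLOAD),
    (1.001, 0x0200, 2, WINDOWS_DEFAULT_PAYLOAD),
    (2.002, 0x0200, 3, WINDOWS_DEFAULT_PAYLOAD),
    (2.007, 0x0200, 4, bytes(range(0x80, 0xA0))),
    (2.012, 0x0200, 5, bytes(range(0x20, 0x40))),
    (2.017, 0x0200, 7, bytes(range(0x40, 0x60))),  # sequence skips 6
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def byte_histogram(data: bytes) -> dict:
    """Frequency table of the payload bytes, most common first."""
    return dict(Counter(data).most_common())


def analyze_echo_requests(records, burst_threshold=0.1, entropy_threshold=4.5):
    """Summarise a list of (ts, id, seq, payload) echo requests.

    Counts payloads that differ from the Windows default, payloads whose byte
    entropy exceeds `entropy_threshold` bits, inter-packet gaps shorter than
    `burst_threshold` seconds, and sequence numbers that do not advance by one.
    The thresholds are assumptions chosen for this example, not tool defaults.
    """
    records = sorted(records, key=lambda r: r[0])
    summary = {
        "total": len(records),
        "nonstandard_payloads": 0,
        "high_entropy_payloads": 0,
        "short_gaps": 0,
        "sequence_jumps": 0,
        "mean_entropy": 0.0,
    }
    entropies = []
    prev_ts = prev_seq = None
    for ts, _icmp_id, seq, payload in records:
        ent = shannon_entropy(payload)
        entropies.append(ent)
        if payload != WINDOWS_DEFAULT_PAYLOAD:
            summary["nonstandard_payloads"] += 1
        if ent > entropy_threshold:
            summary["high_entropy_payloads"] += 1
        if prev_ts is not None and ts - prev_ts < burst_threshold:
            summary["short_gaps"] += 1
        if prev_seq is not None and seq != prev_seq + 1:
            summary["sequence_jumps"] += 1
        prev_ts, prev_seq = ts, seq
    if entropies:
        summary["mean_entropy"] = sum(entropies) / len(entropies)
    indicators = ("nonstandard_payloads", "high_entropy_payloads",
                  "short_gaps", "sequence_jumps")
    summary["suspicious"] = any(summary[k] for k in indicators)
    return summary


if __name__ == "__main__":
    for key, value in analyze_echo_requests(SAMPLE_ECHO_REQUESTS).items():
        print(f"{key:>22}: {value}")
    print("histogram of first odd payload:",
          byte_histogram(SAMPLE_ECHO_REQUESTS[3][3]))
```

The default Windows payload has an entropy of 4.4375 bits per byte (nine letters appear twice, fourteen once), so anything close to 5 bits or above from a Windows host is worth a second look; a single indicator is only a lead, and the running-process list Michael also asks for is what turns a lead into an answer.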

