That don't look good!

From: Adam Shephard (adam.shephard@firstfederalbanking.com)
Date: 10/02/01


Message-ID: <315154A4F911D2118D9E00805FA9C2C62A6AF5@nt0016a03>
From: Adam Shephard <adam.shephard@firstfederalbanking.com>
To: focus-linux@securityfocus.com
Subject: That don't look good!
Date: Tue, 2 Oct 2001 14:41:18 -0500 

Hey all,

I'm hoping somebody can give me an honest, "don't worry, it's nothing" kind
of answer but I don't really see that happening.

This weekend I started getting entries in my FW logs indicating that
outbound packets were denied. The addresses were spoofed, all either 172. or
10. This happens every day starting a couple of minutes before noon and
goes on for 15 minutes exactly. During that time I get between 80 and 100
entries, all denied (I log allows too). Then it stops until the next day.

Just based on the timing of this, I would guess that it was Nimda-based but
I've read nothing about these kinds of symptoms. Plus I've used a couple of
different Nimda scanners, searched for eml and nws and readme.exe files till
I was blue and everything passes.

Nothing seems to be getting out that shouldn't. I've scanned myself many
times in the past few days with no response on anything. Logs aside, near as
I can tell, everything is fine. It's just that the whole nature of this
thing is enough to make me wonder why I didn't drop out of high school and
join a band 'cause, you know, there's chicks!

Any ideas?

Adam Shephard
~Nothing exceeds like excess~
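As an added example (not part of the original post or thread), a small triage script for the symptom Adam describes: it pulls outbound denies with RFC 1918 source addresses out of firewall log lines and summarises them per day, so the daily window, the hit count and the internal sources involved are visible at a glance. The iptables-style log format, hostnames and addresses are constructed for this example; Python's `ipaddress.is_private` is deliberately not used because it also matches the documentation nets used here as "public" addresses.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 1918 only: note that "172." is private solely for 172.16.0.0 - 172.31.255.255.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed iptables-style LOG format (assumption; adjust the regex to your firewall's output).
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d):\d\d \S+ kernel: "
    r"(?P<action>DENY|ACCEPT) (?P<dir>IN|OUT) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
)

# Constructed sample lines: two "days", a mix of denies/accepts and directions.
SAMPLE_LOG = """\
Oct  1 11:58:02 fw kernel: DENY OUT IN= OUT=eth1 SRC=10.44.2.9 DST=203.0.113.7 PROTO=TCP SPT=1034 DPT=80
Oct  1 11:58:07 fw kernel: DENY OUT IN= OUT=eth1 SRC=172.16.5.20 DST=198.51.100.3 PROTO=TCP SPT=1035 DPT=80
Oct  1 12:03:11 fw kernel: ACCEPT OUT IN= OUT=eth1 SRC=192.0.2.10 DST=198.51.100.3 PROTO=TCP SPT=1036 DPT=80
Oct  1 12:12:40 fw kernel: DENY OUT IN= OUT=eth1 SRC=10.44.2.9 DST=203.0.113.9 PROTO=TCP SPT=1040 DPT=80
Oct  2 11:59:30 fw kernel: DENY OUT IN= OUT=eth1 SRC=10.44.2.9 DST=203.0.113.7 PROTO=TCP SPT=1050 DPT=80
Oct  2 12:10:05 fw kernel: DENY IN IN=eth1 OUT= SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=2000 DPT=80
"""

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse(text):
    """Return one dict per log line that matches the constructed format; others are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in text.splitlines()) if m]

def spoofed_outbound_denies(records):
    """Outbound packets the firewall dropped whose source is a private (RFC 1918) address."""
    return [r for r in records if r["action"] == "DENY" and r["dir"] == "OUT" and is_rfc1918(r["src"])]

def daily_windows(records):
    """Per calendar day: first/last minute seen, hit count and distinct internal sources."""
    by_day = defaultdict(list)
    for r in records:
        by_day[f'{r["mon"]} {r["day"]}'].append(r)
    summary = {}
    for day, hits in by_day.items():
        times = sorted(h["time"] for h in hits)
        summary[day] = {"first": times[0], "last": times[-1], "count": len(hits),
                        "sources": sorted({h["src"] for h in hits})}
    return summary

if __name__ == "__main__":
    for day, s in daily_windows(spoofed_outbound_denies(parse(SAMPLE_LOG))).items():
        print(day, s)
```

The `sources` list is the useful part: a recurring private source that never legitimately sits behind the firewall's outbound interface points at the host to inspect next.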