Odd activity.

From: cw (cw@fidei.co.uk)
Date: 08/12/02


From: cw <cw@fidei.co.uk>
To: <incidents@securityfocus.com>
Date: Mon, 12 Aug 2002 09:45:23 +0100

Hi there.
At the end of last week I was having problems with my laptop. Half the time it would freeze when booting whilst at one point I was seeing some odd process activity. At 24 second intervals I would see a burst of activity (~70% CPU utilisation) and the computer would lock at the same time. I have just checked the firewall log of my desktop to see something I wasn't expecting.

First off there are loads of entries blocked for IP protocol 60.
I then saw a scrambled portscan of ports 50000-50099. By scrambled I mean in no discernible order (then again number patterns were my worst area of maths). Each scan is three packets to the port and some ports were repeated.

Last week I hadn't noticed the unusual log entries. As it coincided with me putting Service Pack 3 on my machine (Win2K) I assumed that was the cause, so I wiped the root partition and reinstalled. I do have another partition on the drive.

Does this pattern look familiar to anyone? I did run a virus scan on the machine prior to reinstalling (McAfee 5.21.1000, Engine 4.1.60, DATs 4.04.4217) which found nothing, and I was running a firewall (Kerio). I'd also made sure to kill and disable every service that wasn't explicitly needed, which is basically everything except what is needed for the operating system to run.

Has anyone got any tips on what I should look for on the other partition in case anything was left there?

Cheers,
Colin.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
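As an added example (not part of the original post or the list), a small Python triage script that runs over firewall log lines and checks for the three things described above: blocked packets for IP protocol 60 (IPv6-Opts, the IPv6 Destination Options header), probes of 50000-50099 in no particular order with three packets per port, and bursts recurring at a fixed interval. The log line format and the sample lines are constructed for this example and are not Kerio's real log format.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed format (not Kerio's): "<epoch> BLOCK <proto> <src> -> <dst>[:dport]"
LINE_RE = re.compile(r"^(\d+) BLOCK (\S+) (\S+) -> ([\d.]+)(?::(\d+))?$")

def parse(lines):
    """Return a list of (ts, proto, src, dport-or-None) for well-formed lines."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, proto, src, _dst, port = m.groups()
            out.append((int(ts), proto, src, int(port) if port else None))
    return out

def protocol_counts(events):
    """Blocked packets per IP protocol; '60' is IPv6-Opts (IPv6 Destination Options)."""
    return Counter(e[1] for e in events)

def scan_profile(events, proto="TCP", lo=50000, hi=50099):
    """Per source: distinct ports hit in [lo, hi], packets-per-port values, and
    whether first-seen order is non-monotonic (the 'scrambled' scan in the post)."""
    hits = defaultdict(list)
    for _, p, src, port in events:
        if p == proto and port is not None and lo <= port <= hi:
            hits[src].append(port)
    profile = {}
    for src, ports in hits.items():
        per_port = Counter(ports)
        order = list(dict.fromkeys(ports))  # ports in order of first appearance
        profile[src] = {"ports": len(per_port),
                        "packets_per_port": sorted(set(per_port.values())),
                        "scrambled": order != sorted(order)}
    return profile

def burst_period(events, gap=2):
    """Median seconds between burst starts (a silence > gap s opens a new burst)."""
    ts = sorted(e[0] for e in events)
    starts = ts[:1] + [b for a, b in zip(ts, ts[1:]) if b - a > gap]
    return median(b - a for a, b in zip(starts, starts[1:])) if len(starts) > 1 else None

# Constructed sample: three bursts 24 s apart, each mixing protocol-60 blocks
# with TCP probes to 50000-50099 in no order, three packets per port.
SAMPLE = []
for t, ports in ((1000, (50007, 50003, 50091)), (1024, (50042, 50011)),
                 (1048, (50099, 50050, 50003))):
    SAMPLE += [f"{t} BLOCK 60 10.0.0.9 -> 10.0.0.2"] * 2
    SAMPLE += [f"{t + 1} BLOCK TCP 10.0.0.9 -> 10.0.0.2:{p}" for p in ports for _ in range(3)]
EVENTS = parse(SAMPLE)
```

Run it against real log lines by replacing `SAMPLE` with the firewall's export and adjusting `LINE_RE` to that format; a fixed `burst_period` plus a single source hitting many ports in the range is the pattern worth correlating with process activity on the host.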