Re: Anyone seen this?

From: Bryan D. Payne (bdpayne@cs.umd.edu)
Date: 08/27/02


Date: Tue, 27 Aug 2002 13:53:05 -0400 (EDT)
From: "Bryan D. Payne" <bdpayne@cs.umd.edu>
To: "Gary R. Porter" <gary.porter@matcomcorp.com>

Have you tried comparing MD5 checksums of the apache that you downloaded
and a "known good" version? If the checksums fail, of course, you should
contact the location that you downloaded the bad version from to let them
know that they have a problem.

Also, is Apache the only new / updated software on that machine? I'd
agree that this looks rather suspect.

-bryan

On Mon, 26 Aug 2002, Gary R. Porter wrote:

> A co-worker in the office loaded what he thought was a standard download of
> Apache and soon thereafter his machine started trying to reach a wide
> assortment of addresses on seemingly random ports that our firewall is not
> configured to let out, resulting in internal netprobes. Many of the
> addresses look suspicious. Has anyone seen this type of thing before?
>
> Aug 26 15:54:51 tcp (source IPADD) 2774 209.61.184.227 6346
> Aug 26 15:54:51 tcp XX.XXX.XXX.XX 2766 CPE-144-137-30-210. 5605
> Aug 26 15:54:51 tcp XX.XXX.XXX.XX 2767 usr1271-udd.blueyon 9613
> Aug 26 15:54:52 tcp XX.XXX.XXX.XX 2768 161.45.178.190 7867
> Aug 26 15:54:52 tcp XX.XXX.XXX.XX 2769 12-249-40-71.client 8386
> Aug 26 15:54:53 tcp XX.XXX.XXX.XX 2770 N890P015.adsl.highw 6226
> Aug 26 15:54:53 tcp XX.XXX.XXX.XX 2771 209-124-131-186.pep 4396
> Aug 26 15:54:54 tcp XX.XXX.XXX.XX 2774 209.61.184.227 6346
> Aug 26 15:54:54 tcp XX.XXX.XXX.XX 2772 0x503e2304.arcnxx12 8740
> Aug 26 15:54:54 tcp XX.XXX.XXX.XX 2773 dyn-168-11.paonline 8922
> Aug 26 15:54:56 tcp XX.XXX.XXX.XX 2775 209-124-131-186.pep 4396
> Aug 26 15:54:57 tcp XX.XXX.XXX.XX 2776 226-232-234-66.tran 6840
> Aug 26 15:54:58 tcp XX.XXX.XXX.XX 2775 209-124-131-186.pep 4396
> Aug 26 15:54:59 tcp XX.XXX.XXX.XX 2776 226-232-234-66.tran 6840
> Aug 26 15:55:00 tcp XX.XXX.XXX.XX 2774 209.61.184.227 6346
> Aug 26 15:55:01 tcp XX.XXX.XXX.XX 2777 209.61.184.225 6346
> Aug 26 15:55:02 tcp XX.XXX.XXX.XX 2778 0x503e2304.arcnxx12 8740
> Aug 26 15:55:04 tcp XX.XXX.XXX.XX 2777 209.61.184.225 6346
> Aug 26 15:55:04 tcp XX.XXX.XXX.XX 2775 209-124-131-186.pep 4396
> Aug 26 15:55:05 tcp XX.XXX.XXX.XX 2778 0x503e2304.arcnxx12 8740
> Aug 26 15:55:05 tcp XX.XXX.XXX.XX 2776 226-232-234-66.tran 6840
> Aug 26 15:55:08 tcp XX.XXX.XXX.XX 2779 209-124-131-186.pep 4396
> Aug 26 15:55:10 tcp XX.XXX.XXX.XX 2777 209.61.184.225 6346
> Aug 26 15:55:10 tcp XX.XXX.XXX.XX 2780 226-232-234-66.tran 6840
> Aug 26 15:55:11 tcp XX.XXX.XXX.XX 2779 209-124-131-186.pep 4396
>
> Gary R. Porter
> Program Manager, CITS Mobile Training
> MATCOM Corporation
> 757-838-0212 (w)
> 757-897-5830 (m)
> gary.porter@matcomcorp.com
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>
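As an added example that is not part of the original thread: a small Python script that parses lines in the layout of the firewall log quoted above (constructed sample data with placeholder source addresses) and flags any source host that reaches many distinct destinations and ports within a short window, the fan-out behaviour the post describes. The thresholds and the window size are assumptions for the demo.

```python
# Added example, not from the original thread: flag a source host that fans
# out to many distinct destinations and ports within a short window.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the quoted log's layout:
# <Mon> <day> <HH:MM:SS> <proto> <src> <sport> <dst> <dport>
SAMPLE_LOG = """\
Aug 26 15:54:51 tcp 10.0.0.5 2774 209.61.184.227 6346
Aug 26 15:54:51 tcp 10.0.0.5 2766 CPE-144-137-30-210. 5605
Aug 26 15:54:52 tcp 10.0.0.5 2768 161.45.178.190 7867
Aug 26 15:54:53 tcp 10.0.0.5 2770 N890P015.adsl.highw 6226
Aug 26 15:54:54 tcp 10.0.0.5 2772 0x503e2304.arcnxx12 8740
Aug 26 15:55:01 tcp 10.0.0.5 2777 209.61.184.225 6346
Aug 26 15:54:55 tcp 10.0.0.9 3301 10.0.0.1 80
Aug 26 15:55:20 tcp 10.0.0.9 3302 10.0.0.1 443
"""

LINE_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) \w+ (\S+) \d+ (\S+) (\d+)$")

def parse_line(line, year=2002):
    """Parse one log line into (timestamp, src, dst, dport); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4))

def fanout_alerts(log_text, window_s=60, min_dsts=5, min_ports=4):
    """Map src -> (max distinct dsts, max distinct dports) over any sliding window
    of window_s seconds, for sources meeting both thresholds (demo values)."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_src[rec[1]].append(rec)
    alerts = {}
    for src, recs in by_src.items():
        recs.sort()  # by timestamp, the first tuple element
        lo = 0
        for hi in range(len(recs)):
            while (recs[hi][0] - recs[lo][0]).total_seconds() > window_s:
                lo += 1
            dsts = {r[2] for r in recs[lo:hi + 1]}
            ports = {r[3] for r in recs[lo:hi + 1]}
            if len(dsts) >= min_dsts and len(ports) >= min_ports:
                best = alerts.get(src, (0, 0))
                alerts[src] = (max(best[0], len(dsts)), max(best[1], len(ports)))
    return alerts
```

On the sample data only 10.0.0.5 is flagged; 10.0.0.9, which talks to one internal host on two well-known ports, stays quiet.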
