Is this a virus?

From: Michael (Not-My-Real_Address_at_bigpond.net.au)
Date: 03/11/04


Date: Thu, 11 Mar 2004 02:50:08 GMT

Linux gateway = Redhat
Suspect Computer = WinNT Workstation

I have recently checked my firewall logs and discovered that one of my
computers is trying to do netbios name server lookups on tcp port 137 with
random [as far as I can tell] remote hosts. Examples from the logs are at
the end of this post. It tries the same IP address 3 times then tries
another. It does this a couple of times a day. This appears to be virus-like
activity - I get them incoming all the time.

Only one of the windows machines is doing it. The rest are not, so it
appears that either it's not trying to infect them or it's very OS specific [I
only have one NT workstation].

I assumed it was a virus so I ran a full system scan with Nortons (after
ensuring the definitions were up to date) - nothing found.

I then suspected it may be an adware thing so I ran Spybot - found nothing.

There are no visible processes running I cannot account for, and Spybot finds no
ActiveX or BHOs I cannot account for. There is nothing in the usual
registry positions I cannot account for (\run & \runservices).

ZoneAlarm does not show any programs trying to access the internet that I
have not authorised.

I am pretty much stumped.

The system is NT4 Workstation Build 1381 SP6 (I have 6a installed). IE
Version6 SP1 and system is up to date with critical patches according to
Microsoft.

Any suggestions about what could be causing this would be appreciated. The
only thing I can think of is that the system has been rootkited and is hiding bad
processes and files, but I don't know how to check for this.

In the meantime I want to cut it off from the outside world. I have
implemented egress filtering on the gateway but am concerned that it cannot
distinguish a mass mailer from an ordinary mailing program. I intend to
assign a random tcp port to outgoing mail in the email client and have
iptables redirect the port to 25 before trying to contact the server. I can
then block port 25 coming from internal machines. I am not quite sure how
to do the iptables script for this. Any suggestions?
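One way to build the iptables part of that scheme, added here as an example and not taken from Michael's post: the client's alternate port (2525, an assumed value) is marked in the mangle table and rewritten to 25 by DNAT, only marked flows may leave on port 25, and anything from the LAN that talks to port 25 directly is logged and dropped. Interface names are the ones in the posted logs; the port and mark value are placeholders.

```shell
#!/bin/sh
# Outbound mail control for the gateway.  Mail clients are configured to send
# to MAIL_PORT; the gateway rewrites that to 25.  Anything on the LAN that
# speaks to port 25 directly (a mass mailer's own SMTP engine) never had the
# mark set, so it is logged and dropped.  All values below are placeholders.
LAN_IF=eth1        # internal interface, as in the post's logs
WAN_IF=ppp0        # external interface, as in the post's logs
MAIL_PORT=2525     # alternate port set in the mail client (assumed)
MAIL_MARK=25       # per-packet mark that tags rewritten mail flows

# Emit the rules rather than running them, so they can be reviewed or tested.
# -A appends: these must land before any blanket ACCEPT already in FORWARD.
mail_egress_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport $MAIL_PORT -j MARK --set-mark $MAIL_MARK
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport $MAIL_PORT -j DNAT --to-destination :25
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 25 -m mark --mark $MAIL_MARK -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 25 -j LOG --log-prefix "SMTP-DIRECT "
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 25 -j DROP
EOF
}

# Print by default; apply only when explicitly asked ("sh mail-egress.sh apply").
if [ "${1:-}" = "apply" ]; then
    mail_egress_rules | sh -e
else
    mail_egress_rules
fi
```

The mangle rule runs before the nat rule, so every packet of a rewritten connection still carries the mark when FORWARD sees it with dport 25, while a direct port-25 SYN is never marked and is dropped on its first packet. A log line prefixed SMTP-DIRECT from an internal address is therefore itself a useful indicator of a mailer that bypasses the configured client.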

Michael

(example iptables log lines)

Mar 3 16:43:08 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=64.15.229.69 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=45909 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 3 16:43:10 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=64.15.229.69 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=46165 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 3 16:43:11 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=64.15.229.69 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=46421 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 3 16:43:13 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=64.15.229.70 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=47189 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 3 16:43:15 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=64.15.229.70 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=47445 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 3 16:43:16 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=64.15.229.70 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=47701 PROTO=UDP SPT=137 DPT=137 LEN=58

(Outgoing IP Counts)
Further to this, below is a count of the destination addresses and the counts
of connection attempts over the last few weeks. It seems to try semi-consecutive
addresses in an IP/24 range and then head off for another, like many viruses
I have heard of.

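As an added example (not part of Michael's post), a small shell/awk summariser that does the per-destination counting described above directly from the gateway's iptables LOG output: it keeps only outbound UDP 137 entries, counts hits per SRC/DST pair, and flags any internal host that has probed more than one destination. The sample input reuses the six log entries from the post, each on one syslog line, plus one constructed inbound entry (203.0.113.7) to show that it is ignored.

```shell
#!/bin/sh
# Summarise outbound NetBIOS name-service (UDP 137) traffic from iptables LOG
# lines on stdin.  Prints "SRC DST hits" per pair, then an ALERT line for any
# internal source that has probed two or more distinct destinations.
nbns_egress_summary() {
    awk '
    /OUT=ppp0 / && /PROTO=UDP/ && /DPT=137( |$)/ {
        src = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)      src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
        }
        if (src == "" || dst == "") next
        pair[src " " dst]++
        if (!((src, dst) in seen)) { seen[src, dst] = 1; targets[src]++ }
    }
    END {
        for (k in pair) print k, pair[k]
        for (s in targets)
            if (targets[s] >= 2) print "ALERT", s, "probed", targets[s], "hosts"
    }' | sort
}

# Sample input: the post's six entries (one per line, as syslog writes them)
# plus one constructed inbound hit that the OUT=ppp0 filter must drop.
SAMPLE_LOG='Mar 3 16:43:08 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=64.15.229.69 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=45909 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 3 16:43:10 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=64.15.229.69 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=46165 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 3 16:43:11 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=64.15.229.69 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=46421 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 3 16:43:13 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=64.15.229.70 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=47189 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 3 16:43:15 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=64.15.229.70 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=47445 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 3 16:43:16 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=64.15.229.70 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=47701 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 3 16:50:01 Gateway kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=172.16.0.1 LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=1 PROTO=UDP SPT=137 DPT=137 LEN=58'

# Feed the constructed sample through the summariser.
run_sample() {
    printf '%s\n' "$SAMPLE_LOG" | nbns_egress_summary
}

run_sample
```

On a live gateway the same function can be fed with `grep 'OUT=ppp0' /var/log/messages | nbns_egress_summary`; the ALERT threshold of two destinations is deliberately low because a workstation has no normal reason to send NetBIOS name queries to Internet hosts at all.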
