Re: Is this a virus?
From: Michael (Not-My-Real_Address_at_bigpond.net.au)
Date: 03/13/04
- Previous message: Michael: "Re: Is this a virus?"
- In reply to: Michael: "Is this a virus?"
- Next in thread: Brandon Mitchell: "Re: Is this a virus?"
- Reply: Brandon Mitchell: "Re: Is this a virus?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 13 Mar 2004 08:50:52 GMT
"Michael" <Not-My-Real_Address@bigpond.net.au> wrote in message
news:AtQ3c.97752$Wa.53339@news-server.bigpond.net.au...
> Linux gateway = Redhat
> Suspect Computer = WinNT Workstation
After collecting more detailed logs it turned out this is a problem with the
Linux machine. There was nothing wrong with what the Windows NT machine was
doing.
> I have recently checked my firewall logs and discovered that one of my
> computers is trying to do netbios name server lookups on tcp port 137 with
> random [as far as I can tell] remote hosts. Examples from the logs are at
> the end of this post. It tries the same IP address 3 times then tries
> another. It does this a couple of times a day. This appears to be virus
> like activity - I get them incoming all the time.
>
> Only one of the windows machines is doing it. The rest are not, so it
> appears that either it's not trying to infect them or it's very OS specific
> [I only have one NT workstation].
>
> I assumed it was a virus so I ran a full system scan with Nortons (after
> ensuring the definitions were up to date) - nothing found.
>
> I then suspected it may be an adware thing so I ran Spybot - found nothing.
>
> There are no visible processes running I cannot account for, Spybot finds
> no active X or BHOs I cannot account for. There is nothing in the usual
> registry positions I cannot account for (\run & \runservices)
>
> ZoneAlarm does not show any programs trying to access the internet that I
> have not authorised.
>
> I am pretty much stumped.
>
> The system is NT4 Workstation Build 1381 SP6 (I have 6a installed). IE
> Version6 SP1 and system is up to date with critical patches according to
> Microsoft.
>
> Any suggestions about what could be causing this would be appreciated.
> The only thing I can think of is the system has been rootkited and hiding
> bad processes and files but don't know how to check for this.
>
> In the meantime I want to cut it off from the outside world. I have
> implemented egress filtering on the gateway but am concerned that it
> cannot distinguish a mass mailer from an ordinary mailing program. I intend
> to assign a random tcp port to outgoing mail in the email client and have
> iptables redirect the port to 25 before trying to contact the server. I
> can then block port 25 coming from internal machines. I am not quite sure
> how to do the iptables script for this. Any suggestions?
>
> Michael
>
> (example iptables log lines)
>
> Mar 3 16:43:08 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10
> DST=64.15.229.69 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=45909 PROTO=UDP
> SPT=137 DPT=137 LEN=58
> Mar 3 16:43:10 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10
> DST=64.15.229.69 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=46165 PROTO=UDP
> SPT=137 DPT=137 LEN=58
> Mar 3 16:43:11 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10
> DST=64.15.229.69 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=46421 PROTO=UDP
> SPT=137 DPT=137 LEN=58
> Mar 3 16:43:13 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10
> DST=64.15.229.70 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=47189 PROTO=UDP
> SPT=137 DPT=137 LEN=58
> Mar 3 16:43:15 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10
> DST=64.15.229.70 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=47445 PROTO=UDP
> SPT=137 DPT=137 LEN=58
> Mar 3 16:43:16 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10
> DST=64.15.229.70 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=47701 PROTO=UDP
> SPT=137 DPT=137 LEN=58
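The quoted log lines are in the iptables LOG target's key=value format, and the pattern Michael describes (one internal host probing one external address after another on port 137) is easy to pull out of that format mechanically. The script below is an added example, not part of this thread or of any tool mentioned in it; the sample lines are constructed to mirror the quoted layout, the interface names and addresses are assumptions, and the "IN=eth1" test assumes eth1 is the LAN side of the gateway as in the post.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same iptables LOG layout as the post
# (not the poster's data): two outbound 137/udp probes, an ordinary
# outbound web request, and one inbound probe from the Internet side.
SAMPLE_LOG = """\
Mar 3 16:43:08 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=64.15.229.69 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=45909 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 3 16:43:10 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=64.15.229.69 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=46165 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 3 16:43:13 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=64.15.229.70 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=47189 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 3 16:43:20 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.11 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=48000 PROTO=TCP SPT=1045 DPT=80 LEN=40
Mar 3 16:43:25 Gateway kernel: IN=ppp0 OUT=eth1 SRC=198.51.100.7 DST=172.16.0.10 LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=51234 PROTO=UDP SPT=137 DPT=137 LEN=58
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the key=value fields of one iptables LOG line.

    LEN appears twice (IP total length, then UDP/TCP length); the first
    occurrence is kept so fields["LEN"] is the IP length.
    """
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)
    return fields


def outbound_netbios(lines, lan_if="eth1"):
    """Yield (src, dst) for packets entering on the LAN side bound for port 137."""
    for line in lines:
        f = parse_line(line)
        if f.get("IN") == lan_if and f.get("DPT") == "137" and f.get("PROTO") in ("UDP", "TCP"):
            yield f["SRC"], f["DST"]


def name_lookup_scanners(lines, lan_if="eth1", min_targets=2):
    """Map each internal SRC to the sorted distinct external DSTs it probed on
    port 137, keeping only sources that touched at least min_targets hosts.
    A single lookup to one host is normal noise; walking through several
    addresses is the pattern the post describes."""
    targets = defaultdict(set)
    for src, dst in outbound_netbios(lines, lan_if):
        targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in name_lookup_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src} probed port 137 on {len(dsts)} hosts: {', '.join(dsts)}")
```

Feed it the gateway's real kernel log (`grep 'DPT=137' /var/log/messages`) and it reports only LAN hosts that walked through more than one external address; the inbound probes the post mentions are excluded because they arrive on the ppp0 side.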