Is my XP box affected by DDOS virus?
- From: fc2004@xxxxxxxxx
- Date: 26 Feb 2006 19:18:01 -0800
Hi all,
My XP (SP2) box has been exhibiting strange behavior for a few weeks:
basically my browsers will work for a few minutes after reboot and then
can't connect to any website afterwards. But pinging those websites
works fine, and DNS (UDP) also works.
I did a simple analysis with Ethereal, and found out that whenever I was
connecting to a website (IP: x.y.z.w), a SYN packet was forged and
sent to another IP address, 140.20.191.20, which is within the DOD NIC (I
remember there is a root DNS server there), and the source IP of the
SYN packet was x.y.z.w and not mine!
Looks like something malicious was intercepting my traffic and
regenerating false SYN requests. Interestingly, only web traffic was
hijacked (TCP port 80). If I log in to my company's VPN server and then
quit, the web traffic becomes normal until I reboot again; I guess it's
probably that the VPN used its own network DLLs to overwrite those
defaults.
I used MS AntiSpyware and Symantec AntiVirus and did not get anything
out. Has anybody here had a similar experience? And any solution?
Thank you!
Fang
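The check the poster did by eye in Ethereal, written as a small script over a capture summary. This is an added example, not code from the original post: it parses a constructed, tshark-style text capture (the host address 192.168.1.10 and the site 203.0.113.7 are assumed), flags outbound TCP SYNs whose source address is not one of the host's own addresses (a packet the host itself should never emit), and then checks whether each forged source address matches a site the host had just legitimately connected to, which is the pattern described above. The destination 140.20.191.20 in the sample is the one named in the post.

```python
"""Detect outbound SYNs with a source address that is not ours.

Added example (not from the original post). Capture records are
constructed inline in a tshark-like "src dst proto sport dport flags"
layout; a real run would feed it the output of e.g.
tshark -T fields -e ip.src -e ip.dst ... instead.
"""
import ipaddress
from typing import Dict, List

Record = Dict[str, object]

# Constructed sample capture. The host is assumed to be 192.168.1.10.
# Line 1: the user's real SYN to a website (203.0.113.7, an assumed address).
# Line 2: a SYN to 140.20.191.20 whose source is that website, not the host.
# Line 3: the website's SYN/ACK back to the host (normal).
# Lines 4-5: unrelated DNS and HTTPS traffic that must not be flagged.
SAMPLE_CAPTURE = """\
192.168.1.10  203.0.113.7    TCP 1038 80   S
203.0.113.7   140.20.191.20  TCP 1038 80   S
203.0.113.7   192.168.1.10   TCP 80   1038 SA
192.168.1.10  192.168.1.1    UDP 1039 53   -
192.168.1.10  192.168.1.1    TCP 1040 443  S
"""


def parse_capture(text: str) -> List[Record]:
    """Parse the whitespace-separated summary into dict records."""
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, sport, dport, flags = line.split()
        records.append({
            "src": src, "dst": dst, "proto": proto,
            "sport": int(sport), "dport": int(dport), "flags": flags,
        })
    return records


def is_pure_syn(rec: Record) -> bool:
    """True for a TCP segment with SYN set and ACK clear (a connection open)."""
    flags = str(rec["flags"])
    return rec["proto"] == "TCP" and "S" in flags and "A" not in flags


def find_spoofed_syns(records: List[Record], local_addrs: List[str],
                      dport: int = 80) -> List[Record]:
    """Return SYNs to `dport` whose source is none of this host's addresses.

    A capture taken on the host itself should only ever show outbound SYNs
    sourced from its own addresses; anything else was forged locally.
    """
    local = {ipaddress.ip_address(a) for a in local_addrs}
    return [
        r for r in records
        if is_pure_syn(r) and r["dport"] == dport
        and ipaddress.ip_address(str(r["src"])) not in local
    ]


def correlate_with_visits(records: List[Record], spoofed: List[Record],
                          local_addrs: List[str]) -> List[Dict[str, object]]:
    """For each forged SYN, note whether its source address equals a site
    the host legitimately opened a connection to earlier in the capture."""
    local = set(local_addrs)
    visited = {str(r["dst"]) for r in records
               if is_pure_syn(r) and str(r["src"]) in local}
    return [
        {"target": r["dst"], "spoofed_as": r["src"],
         "matches_visit": str(r["src"]) in visited}
        for r in spoofed
    ]


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    hits = find_spoofed_syns(recs, ["192.168.1.10"])
    for row in correlate_with_visits(recs, hits, ["192.168.1.10"]):
        print(f"forged SYN to {row['target']} as {row['spoofed_as']} "
              f"(copied from a site just visited: {row['matches_visit']})")
```

On the sample capture the script reports exactly one forged SYN, the one to 140.20.191.20 carrying the website's address as its source, and confirms that address matches the site the host had just connected to. Against a real capture the same logic isolates the injected packets so that the process or driver emitting them can be hunted down on the host rather than by inspecting Ethereal by hand.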