THX!..Re: hacker,virus,spyware? what is it?
From: ScottF (scottf_at_starlitetheatre.com)
Date: 04/29/03
- Next message: Karl Levinson [x y] mvp: "Re: trickler_4010.exe"
- Previous message: AS: "Re:Re: test"
- In reply to: Karl Levinson [x y] mvp: "Re: hacker,virus,spyware? what is it?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 29 Apr 2003 10:11:55 -0700
Thanks very much for these helpful replies. I will begin
checking based on the info you have given me. I didn't
really check the target IPs. Most of them were already
resolved as yahoo.com, several different geocities.com,
and a couple were unresolved IP numbers. I still have a
record of them, so I will check to see what they resolve
as.
>-----Original Message-----
>What do you see when you look up the target IP addresses at
>www.network-tools.com and http://visualroute.visualware.com ? Does that
>offer any clues as to what this is? Also, I'd be curious to know what the
>protocol [tcp, udp, etc] and the other port number is. Incrementing port
>numbers could indicate that these are actually responses to a previously
>received communication from a client of some sort.
>
>If this is on your network, another thing to do is to try to track down
>where it is. Pinging the IP address from the local subnet then doing
>ARP -a should hopefully give you the MAC address... then you could
>search www.google.com for one of many lists of MAC address vendors to see
>what type of NIC card it is. These things might advertise your presence to
>someone who might be controlling that device, but running free utilities
>like NBTSTAT -A ipaddress and/or nmap and/or superscan from
>www.foundstone.com/knowledge and/or getacct from www.securityfriday.com
>and/or winfingerprint all might give you additional information about who
>or what is on that device. An IDS like www.snort.org might also be useful
>at some point.
>
>Once you've located the device and interviewed the person that owns or uses
>it, the following might be useful in looking for signs of something
>malicious:
>
>http://securityadmin.info/faq.htm#hacked
>http://securityadmin.info/faq.htm#re-secure
>http://securityadmin.info/faq.htm#harden
>
>"scott" <scottf@starlitetheatre.com> wrote in message
>news:043701c30e32$74187760$a301280a@phx.gbl...
>> I am a very green administrator of a 50 client network,
>> mostly made up of Windows 98 clients. We are running
>> Small Business Server in one domain and NT 4.0 on another
>> (don't ask why, it's a long and ridiculous story LOL). I
>> was transferred to this job when our business nearly
>> closed down for a few days from a horrible rash of
>> Bugbear. I recently switched our whole client base over
>> to static IPs so I could get a better idea of exactly
>> what was happening on our network. Last night as I
>> watched the network log incoming from the router, I
>> noticed something very strange. There was an IP address
>> that read "dead" on the IP scanner, but it was
>> broadcasting packets to the internet through an
>> incremental series of ports. It started at around port
>> #1100 and incremented its way up to over 2000. It was
>> broadcasting to the same three or four internet
>> addresses. Then it stopped. Then about 5 minutes later it
>> started again, this time from a different IP address on
>> our network, and broadcasting to several different
>> addresses, but this time different ones from before. I
>> immediately filtered access to the internet for every
>> client that did not absolutely have to have it, but that
>> still leaves over 50 IPs for it to use. Does anyone know
>> what this is, and/or what I can do about it?
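The two checks Karl's quoted reply asks for, the "which side owns the incrementing port number" question and the ping / ARP -a / MAC-vendor step, as one added Python example that is not part of this thread or of any tool it mentions. It assumes a router log format of my own invention ("<time> <proto> <src>:<sport> -> <dst>:<dport>"), Windows-style arp -a output, and a three-entry OUI table I wrote by hand; all three are labelled in the code and none comes from the original posts. On the constructed sample it reports the first internal host as the client opening many short connections to port 80, because it is that host's own port that climbs (an ordinary ephemeral-port allocator counting up from just above 1024), and the second host as answering a remote client on its local port 139, because there it is the far side's port that climbs.

```python
"""Triage helpers for the pattern in this thread (added example, not code from
the original posts). Assumptions, all mine: the router logs one line per
connection as "<time> <proto> <src>:<sport> -> <dst>:<dport>"; arp -a output
is in the Windows layout; OUI_SAMPLE is a tiny hand-written excerpt that must
be checked against the IEEE OUI registry before trusting it.
"""
import re
from collections import defaultdict

# Constructed sample log using TEST-NET addresses, not real targets.
SAMPLE_LOG = """\
22:14:01 tcp 10.0.0.163:1100 -> 198.51.100.7:80
22:14:01 tcp 10.0.0.163:1101 -> 198.51.100.7:80
22:14:02 tcp 10.0.0.163:1102 -> 203.0.113.40:80
22:14:02 tcp 10.0.0.163:1103 -> 198.51.100.7:80
22:14:03 tcp 10.0.0.163:1104 -> 203.0.113.40:80
22:19:10 tcp 10.0.0.77:139 -> 192.0.2.25:1033
22:19:10 tcp 10.0.0.77:139 -> 192.0.2.25:1034
22:19:11 tcp 10.0.0.77:139 -> 192.0.2.25:1035
22:19:11 tcp 10.0.0.77:139 -> 192.0.2.25:1036
"""

# Constructed arp -a output in the Windows layout.
SAMPLE_ARP = """\
Interface: 10.0.0.5 on Interface 0x1000003
  Internet Address      Physical Address      Type
  10.0.0.1              00-60-08-aa-bb-cc     dynamic
  10.0.0.77             00-a0-c9-de-ad-01     dynamic
  10.0.0.163            00-50-56-12-34-56     dynamic
"""

FLOW_RE = re.compile(r"^(\S+)\s+(tcp|udp)\s+([\d.]+):(\d+)\s*->\s*([\d.]+):(\d+)$")
ARP_RE = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)", re.I)
# Hand-written excerpt (assumption): verify any prefix against the IEEE OUI list.
OUI_SAMPLE = {"00-50-56": "VMware", "00-A0-C9": "Intel", "00-60-08": "3Com"}


def parse_flows(text):
    """Turn log lines into dicts; lines that do not fit the assumed format are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            t, proto, src, sport, dst, dport = m.groups()
            flows.append({"time": t, "proto": proto, "src": src, "sport": int(sport),
                          "dst": dst, "dport": int(dport)})
    return flows


def _climbs(ports):
    """True when there are at least three values and each is higher than the last."""
    return len(ports) >= 3 and all(b > a for a, b in zip(ports, ports[1:]))


def triage(flows):
    """Group by internal host and decide which side owns the climbing port."""
    by_host = defaultdict(list)
    for f in flows:
        by_host[f["src"]].append(f)
    report = {}
    for host, fl in by_host.items():
        local, remote = [f["sport"] for f in fl], [f["dport"] for f in fl]
        if _climbs(local) and len(set(remote)) <= 2:
            verdict = f"client: opens many short connections to service port(s) {sorted(set(remote))}"
        elif _climbs(remote) and len(set(local)) == 1:
            verdict = f"server: replies from local port {local[0]} to a remote client"
        else:
            verdict = "mixed: inspect by hand"
        report[host] = {
            "connections": len(fl),
            "local_port_range": (min(local), max(local)),
            "remote_endpoints": sorted({(f["dst"], f["proto"], f["dport"]) for f in fl}),
            "verdict": verdict,
        }
    return report


def parse_arp(text):
    """Map IP -> MAC from arp -a output (Windows layout assumed)."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2).upper()
    return table


def identify(host, arp_text):
    """Return (mac, vendor) for host, or (None, hint) if it is not in the cache."""
    mac = parse_arp(arp_text).get(host)
    if mac is None:
        return None, "not in ARP cache: ping it from the same subnet, then run arp -a again"
    return mac, OUI_SAMPLE.get(mac[:8], "unknown OUI: look it up in the IEEE registry")


if __name__ == "__main__":
    for host, info in triage(parse_flows(SAMPLE_LOG)).items():
        mac, who = identify(host, SAMPLE_ARP)
        print(host, mac, who, "|", info["verdict"])
        for endpoint in info["remote_endpoints"]:
            print("   ", endpoint)
```

Run it as a script to print, per internal host, the MAC, the vendor guess and the verdict with the remote endpoints. The verdict only says who initiated the traffic; whether the far end is benign is the next question, which is why the remote endpoints are listed for the whois and traceroute lookups Karl suggests. The OUI entries exist only so the sample runs; the IEEE registry is the source to check a real prefix against.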