Possible Virus or worm -- suggestions please!!!

From: Ringo Langly (rlangly_at_gmail.com)
Date: 06/30/04


Date: 30 Jun 2004 07:02:05 -0700

Hi all,

On our network yesterday we were down due to a VERY peculiar issue
that I can only think is a virus. At sometime around 8am CST
yesterday (June 29th) we had 4 PCs on our network start sending http
packets to the website www.energex.com.au, but each packet went
sequentially through IP addresses. After 250 or so IPs it totally
changed IPs and started going up again.

We think the PCs also spoofed MAC addresses, so it was almost
impossible to track down where they were. The only way we were able
to see the traffic was via our firewall server, which we disconnected
from the Internet as to stop the DoS attack it was apparently trying
to do.

After basically going port by port in our computer room trying to find
where these computers were at, we found that 2 were off-site coming in
via T-1, one was within the local building, and one we never did track
down. Since the destination did not change we blocked the packets at
the router level based on destination, which made the network usable.

This morning it's gone... like it never happened. With the filters on
our routers turned off, we're seeing zero abnormal traffic going to
the energex website, and we're still not sure where the 4 PCs are.

Has anyone else run into this issue? I've found worms that broadcast
to sequential IP addresses, but none that actually change the source
of the packet to a sequential IP. This also appeared to be a DoS
attack on www.energex.com.au, but I've found no other references to
anyone with this problem. We're in Texas, which is quite a few miles
away from Australia, so not sure why anyone would try to start this
from our network.

Suggestions or comments please! We're going over our network with a
fine-tooth comb right now, and though all is back to normal now,
things are still locked-down.

Thanks for any light that can be shed on this. Oh, and if this
helps, our network is basically Windows clients (from 98 through XP),
all servers are Windows from NT 4.0 through 2003 (with a few Linux
boxes sprinkled in), and most of our routers are Cisco.

- Ringo -
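The traffic pattern described in this post (one fixed destination receiving HTTP from source addresses that step up by one, which no legitimate host does) can be spotted in firewall logs, and an egress filter on the border router would drop any source address that does not belong to the site. The script below is an added example, not part of the original message; the log line format, the internal prefix 10.1.0.0/16 and all addresses in it are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed firewall log excerpt (not from the original post), one packet per
# line as "<time> <src_ip> -> <dst_ip>:<dst_port>". 203.0.113.10 stands in for
# the targeted web server; 10.1.0.0/16 is the assumed internal prefix.
SAMPLE_LOG = """\
08:00:01 10.1.4.20 -> 203.0.113.10:80
08:00:01 10.1.4.21 -> 203.0.113.10:80
08:00:02 10.1.4.22 -> 203.0.113.10:80
08:00:02 10.1.4.23 -> 203.0.113.10:80
08:00:03 10.1.4.24 -> 203.0.113.10:80
08:00:03 192.168.5.7 -> 198.51.100.5:443
08:00:04 10.1.4.25 -> 203.0.113.10:80
08:00:04 10.1.9.3 -> 198.51.100.5:443
"""
INTERNAL_PREFIXES = [ipaddress.ip_network("10.1.0.0/16")]

def parse(log_text):
    """Parse log lines into (src_ip, dst_ip, dst_port) tuples, in arrival order."""
    flows = []
    for line in log_text.splitlines():
        _time, src, _arrow, dst = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst_ip), int(dst_port)))
    return flows

def sequential_runs(flows, min_run=4):
    """Longest run, per destination, of source IPs that each increase by one over
    the previous packet to that destination. A real host keeps one source address,
    so a long run points at a sender walking through spoofed sources."""
    last_src, run, longest = {}, defaultdict(int), defaultdict(int)
    for src, dst, _port in flows:
        run[dst] = run[dst] + 1 if dst in last_src and src == last_src[dst] + 1 else 1
        last_src[dst] = src
        longest[dst] = max(longest[dst], run[dst])
    return {dst: n for dst, n in longest.items() if n >= min_run}

def non_internal_sources(flows):
    """Outbound source IPs in no internal prefix: exactly what an egress
    (BCP 38 style) filter on the border router would have dropped."""
    return sorted({src for src, _dst, _port in flows
                   if not any(src in net for net in INTERNAL_PREFIXES)})

if __name__ == "__main__":
    flows = parse(SAMPLE_LOG)
    print("sequential source runs:", sequential_runs(flows))
    print("sources outside internal prefixes:", non_internal_sources(flows))
```

Keying the run detector on the destination rather than on the source MAC matters here, since the post suspects the MAC addresses were spoofed as well.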
