[Dshield] I think I caught something now what do I do?

Kelly Martin kmartin at pyrzqxgl.org
Wed Mar 20 15:41:19 GMT 2002


If I had to guess, I'd say you have one of the web worms on your system.
Connections going out from your machine to random HTTP servers elsewhere on
the net are highly characteristic of an active Nimda or Code Red infection.
It's especially suspicious that the host you're attempting to connect to
appears to be a "network neighbor" of yours (I conclude this from the fact
that you use Comcast's DNS servers, which you would presumably only do
if you were a Comcast customer.)

The other possibility would be "webbugs" in incoming spams being
autodisplayed by a mail client such as Outlook Express.  The first site
(the aux...dallas.net site) actually is a website (their ISP has their
reverse tables fouled up, but this is quite common) and appears to be owned
by a company called "catalog.com" which appears to be an internet marketing
company.  These are exactly the sort of people who would put webbugs into
email (they do this to track who actually looks at their messages; it's a
way to validate email addresses).

Regards,

Kelly
----- Original Message -----
From: "Susan" <pobox2 at pinn.net>
To: <list at dshield.org>
Sent: Tuesday, March 19, 2002 11:04 PM
Subject: [Dshield] I think I caught something now what do I do?


> You have to open this up wide to unwrap the lines, but here it is, I've
> been sniffing my own line. I brought in some mail tonight and it shipped
> itself out or tried to connect me somewhere. But I have the feed so now
> what?
>
> first I get the mail: (XX.XX.XX.XX is me)
>
> Tue Mar 19 22:21:04 2002; TCP; eth0; 52 bytes; from mail.pinn.net:pop3
> to XX.XX.XX.XX:1171 (source MAC addr XX.XX.XX.XX); FIN acknowleged
> Tue Mar 19 22:21:04 2002; TCP; eth0; 52 bytes; from mail.pinn.net:pop3
> to XX.XX.XX.XX:1171 (source MAC addr XX.XX.XX.XX); FIN sent; 12 packets,
> 992 bytes
>
> Then a couple seconds later out goes a connection (and I didn't open
> anything or go anywhere) and obviously aux-209-217-33-145.dallas.net is
> not a website:
>
> Tue Mar 19 22:21:09 2002; TCP; eth0; 52 bytes; from XX.XX.XX.XX:1142 to
> aux-209-217-33-145.dallas.net:http (source MAC addr XX.XX.XX.XX); FIN
> sent; 13 packets, 2291 bytes
> Tue Mar 19 22:21:09 2002; TCP; eth0; 52 bytes; from XX.XX.XX.XX:1140 to
> aux-209-217-33-145.dallas.net:http (source MAC addr XX.XX.XX.XX); FIN
> sent; 13 packets, 2830 bytes
> Tue Mar 19 22:21:09 2002; TCP; eth0; 52 bytes; from XX.XX.XX.XX:1139 to
> aux-209-217-33-145.dallas.net:http (source MAC addr XX.XX.XX.XX); FIN
> sent; 12 packets, 2762 bytes
> Tue Mar 19 22:21:09 2002; TCP; eth0; 52 bytes; from XX.XX.XX.XX:1141 to
> aux-209-217-33-145.dallas.net:http (source MAC addr XX.XX.XX.XX); FIN
> sent; 15 packets, 2924 bytes
> Tue Mar 19 22:21:09 2002; TCP; eth0; 52 bytes; from XX.XX.XX.XX:1143 to
> aux-209-217-33-145.dallas.net:http (source MAC addr XX.XX.XX.XX); FIN
> sent; 9 packets, 1542 bytes
>
> it's an interesting question
> whois --> "aux-209-217-33-145.dallas.net:http" ?
> and what did I send them?
>
> a couple minutes later I connect to the web:
>
> Tue Mar 19 22:23:19 2002; UDP; eth0; 67 bytes; source MAC address
> XX.XX.XX.XX; from XX.XX.XX.XX:1042 to
> ns02.centrl01.va.comcast.net:domain  - that's as should be, but where's
> the response?
>
> instead then next is an attempted connection from my machine to this
> one...
>
> Tue Mar 19 22:23:19 2002; TCP; Connection XX.XX.XX.XX:1128 to
> pcp890158pcs.centrl01.va.comcast.net:http timed out, 5 packets, 300
> bytes; opposite direction 0 packets, 0 bytes
>
>
> whois --> pcp890158pcs.centrl01.va.comcast.net ?
> trying to masquerade as my dns? pcp890158pcs ?
> That is someone's computer for Pete's sake!
>
> I saw this happen the other night too to the same addresses which is why
> the heavy sniffer gear is going on.
>
>
> Anyone have any suggestions or ideas? John I will work on that procmail
> package as quick as can be! I checked all recent mail that came in and
> didn't find any links. It is perhaps this connection snuck in with the
> mail? we are being CONSTANTLY pounded. I put a bag over the modem so as
> not to have to look at it flashing incessantly.
>
>
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>
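The pattern Kelly points at (mail arrives over POP3, and seconds later the machine opens several outbound HTTP connections nobody asked for) can be checked mechanically against the sniffer log format quoted above. The script below is an added example, not code from this thread; it parses constructed records in that format (the poster's masked address is written as LOCAL) and flags any destination that receives two or more outbound HTTP connections within a short window after a POP3 session closes, which fits both the web-bug and the worm explanation and is the lead a defender would chase first.

```python
import re
from datetime import datetime

# Constructed sample in the sniffer log format quoted in the thread; LOCAL
# stands in for the poster's masked address and MAC addresses are elided.
SAMPLE_LOG = """\
Tue Mar 19 22:21:04 2002; TCP; eth0; 52 bytes; from mail.pinn.net:pop3 to LOCAL:1171 (source MAC addr XX); FIN sent; 12 packets, 992 bytes
Tue Mar 19 22:21:09 2002; TCP; eth0; 52 bytes; from LOCAL:1142 to aux-209-217-33-145.dallas.net:http (source MAC addr XX); FIN sent; 13 packets, 2291 bytes
Tue Mar 19 22:21:09 2002; TCP; eth0; 52 bytes; from LOCAL:1140 to aux-209-217-33-145.dallas.net:http (source MAC addr XX); FIN sent; 13 packets, 2830 bytes
Tue Mar 19 22:21:09 2002; TCP; eth0; 52 bytes; from LOCAL:1139 to aux-209-217-33-145.dallas.net:http (source MAC addr XX); FIN sent; 12 packets, 2762 bytes
Tue Mar 19 22:40:00 2002; TCP; eth0; 52 bytes; from LOCAL:1200 to www.example.com:http (source MAC addr XX); FIN sent; 20 packets, 9000 bytes
"""

# Matches the leading fields of one TCP record: timestamp, endpoints, ports.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}); TCP; \S+; \d+ bytes; "
    r"from (?P<src>\S+):(?P<sport>\S+) to (?P<dst>\S+):(?P<dport>\S+) ")

def parse(text):
    """Return (timestamp, src, sport, dst, dport) for each TCP record."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            events.append((ts, m["src"], m["sport"], m["dst"], m["dport"]))
    return events

def flag_post_mail_http(events, local, window_s=30):
    """List (mail_end, destination, connection_count) for every destination
    that gets >= 2 outbound HTTP connections from `local` within `window_s`
    seconds after a POP3 session involving `local` is torn down."""
    mail_ends = [ts for ts, src, sport, dst, dport in events
                 if (src == local and dport == "pop3") or (dst == local and sport == "pop3")]
    hits = {}
    for ts, src, sport, dst, dport in events:
        if src != local or dport != "http":
            continue  # only outbound web connections from our host
        for mend in mail_ends:
            delta = (ts - mend).total_seconds()
            if 0 <= delta <= window_s:
                hits.setdefault((mend, dst), set()).add(sport)
                break
    return sorted((mend, dst, len(ports)) for (mend, dst), ports in hits.items()
                  if len(ports) >= 2)

if __name__ == "__main__":
    for mend, dst, n in flag_post_mail_http(parse(SAMPLE_LOG), "LOCAL"):
        print(f"{mend}: {n} outbound HTTP connections to {dst} right after mail pickup")
```

The 22:40 connection to www.example.com falls outside the window and is not flagged; only the burst to the dallas.net host five seconds after the POP3 session closes is reported.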