[Dshield] Some information regarding possible attack

Ed Truitt ed.truitt at etee2k.net
Fri May 17 20:37:10 GMT 2002


What type of machine is this (what OS is it running?)  If Linux, you can
issue the command "netstat -ap"  which will give you a display of pretty
much anything running on TCP or UDP sockets, their status, and the PID of
the associated process.  For Windows, you can use "netstat -a" (at least, it
works on the Win9x machine I have).

Hopefully, this will give you some idea of what is generating the network
traffic.

I looked at the packets, and it looks like they all have the SYN flag set -
but nothing else.  That might explain the lack of a payload (data), as these
may be connection attempts.  An interesting lot - these IPs are all over the
place, some of them belong to fairly sensitive places (at least, I would
categorize the Defense Information Systems Agency as such.)

I hope you have good backups of your data.  Because, if you can't figure out
exactly what is sending this stuff, the best bet is to re-install the OS and
apps from known good source, apply all security patches, then re-install the
apps and restore the data from known good backups.

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."


----- Original Message -----
From: "Saurabh Dass Manandhar" <saurabh at ku.edu.np>
To: <list at dshield.org>
Cc: <dshield at dshield.org>
Sent: Thursday, May 16, 2002 11:05 PM
Subject: [Dshield] Some information regarding possible attack


> Since I did not get any indication that this mail actually reached the
> list, I am sending it again. I am sorry if it is repeated.
>
> -------------------------
>
> I don't know if this is the right place to discuss it, but I have this
> problem.
>
> One of the machines running in our network, 203.91.135.136, is
> continuously transmitting something to the Internet. I downloaded an
> evaluation version of CommView 3.3 and saw that it was sending thousands
> of records to different IP addresses to TCP port 80. Upon analyzing the
> packets, I found out that it had no data, just Ethernet, IP and TCP
> headers. Since it is sending tens of
> thousands, if not hundreds of thousands, packets per minute to different
> destinations -- all on port 80 of destination machines -- the rest of the
> network has become very very slow. I have checked for viruses using the latest
> anti-virus and latest patches, but found no viruses. As a last-ditch
> effort, I have removed it from the network, but it is not a permanent
> solution.
> I am attaching a file in txt format with some packets.
>
> Can anyone help?
>
> Saurabh D. Manandhar
> Dept. of Computer Science and Engineering
> Kathmandu University
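The reply above recommends `netstat -ap` to tie each socket to the PID that owns it, and the quoted report describes the symptom to look for: a flood of header-only SYN packets to port 80 on many different destinations. The script below is an added example, not code from either poster or from DShield: it parses text in the layout Linux `netstat -apn` prints and reports which process owns a burst of half-open (`SYN_SENT`) connections to port 80 across distinct hosts. The sample netstat output is constructed for illustration; only the host address 203.91.135.136 comes from the thread, and the PIDs, program names, remote addresses and the `min_distinct_dsts` threshold are invented.

```python
"""Added example for this thread (not code from the original posters):
parse Linux `netstat -ap`-style output and report which process owns a
burst of half-open (SYN_SENT) connections to port 80 on many distinct
destinations, the pattern described in the quoted report.

Assumptions: the sample text below is constructed in the layout of
Linux `netstat -apn`; 203.91.135.136 is the host named in the thread;
PIDs, program names, remote addresses and thresholds are invented.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Constructed sample output (Linux netstat -apn layout); not real capture data.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 203.91.135.136:22       203.91.135.10:3344      ESTABLISHED 612/sshd
tcp        0      1 203.91.135.136:1032     198.51.100.7:80         SYN_SENT    1432/unknown_bin
tcp        0      1 203.91.135.136:1033     198.51.100.8:80         SYN_SENT    1432/unknown_bin
tcp        0      1 203.91.135.136:1034     203.0.113.21:80         SYN_SENT    1432/unknown_bin
tcp        0      1 203.91.135.136:1035     192.0.2.99:80           SYN_SENT    1432/unknown_bin
tcp        0      0 203.91.135.136:1040     192.0.2.5:80            ESTABLISHED 889/mozilla
tcp        0      0 203.91.135.136:1041     192.0.2.5:80            TIME_WAIT   -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           540/dhclient
"""

# Service names netstat prints for well-known ports when run without -n.
_PORT_NAMES = {"http": 80, "www": 80, "https": 443, "ssh": 22, "domain": 53}


class Socket(NamedTuple):
    proto: str
    local_addr: str
    local_port: Optional[int]
    remote_addr: str
    remote_port: Optional[int]
    state: Optional[str]
    pid: Optional[int]
    program: str


class Finding(NamedTuple):
    pid: Optional[int]
    program: str
    syn_sent: int
    distinct_dsts: int


def _split_endpoint(token: str) -> Tuple[str, Optional[int]]:
    """'198.51.100.7:80' -> ('198.51.100.7', 80); '0.0.0.0:*' -> ('0.0.0.0', None)."""
    host, _, port = token.rpartition(":")
    if port.isdigit():
        return host, int(port)
    return host, _PORT_NAMES.get(port)   # '*' and unknown names map to None


def _split_pidprog(token: str) -> Tuple[Optional[int], str]:
    """'1432/unknown_bin' -> (1432, 'unknown_bin'); '-' (no permission) -> (None, '-')."""
    pid, _, prog = token.partition("/")
    return (int(pid) if pid.isdigit() else None), (prog or token)


def parse_netstat(text: str) -> List[Socket]:
    """Parse the socket table, skipping netstat's two header lines."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        if len(fields) == 7:          # Proto Recv-Q Send-Q Local Foreign State PID/Program
            state, pidprog = fields[5], fields[6]
        elif len(fields) == 6:        # UDP rows carry no State column
            state, pidprog = None, fields[5]
        else:
            continue                  # malformed or truncated row
        laddr, lport = _split_endpoint(fields[3])
        raddr, rport = _split_endpoint(fields[4])
        pid, prog = _split_pidprog(pidprog)
        sockets.append(Socket(fields[0], laddr, lport, raddr, rport, state, pid, prog))
    return sockets


def flag_syn_senders(sockets: List[Socket], target_port: int = 80,
                     min_distinct_dsts: int = 3) -> List[Finding]:
    """Group half-open TCP connections to target_port by owning process.

    A process holding SYN_SENT sockets to many distinct hosts on one port
    matches the header-only SYN traffic described in the thread;
    min_distinct_dsts is an invented threshold, tune it per host.
    """
    counts: Dict[Tuple[Optional[int], str], int] = defaultdict(int)
    dsts: Dict[Tuple[Optional[int], str], Set[str]] = defaultdict(set)
    for s in sockets:
        if s.proto.startswith("tcp") and s.state == "SYN_SENT" and s.remote_port == target_port:
            key = (s.pid, s.program)
            counts[key] += 1
            dsts[key].add(s.remote_addr)
    findings = [Finding(pid, prog, counts[(pid, prog)], len(dsts[(pid, prog)]))
                for (pid, prog) in counts if len(dsts[(pid, prog)]) >= min_distinct_dsts]
    return sorted(findings, key=lambda f: f.syn_sent, reverse=True)


if __name__ == "__main__":
    for f in flag_syn_senders(parse_netstat(SAMPLE_NETSTAT)):
        print(f"PID {f.pid} ({f.program}): {f.syn_sent} SYN_SENT to port 80, "
              f"{f.distinct_dsts} distinct destinations")
```

On a live host the text would come from `netstat -apn` run as root (without root the PID/Program column shows `-`, which the parser keeps as an unknown owner); a process that appears in the findings with a program name you do not recognise is the one to investigate before deciding whether the rebuild Ed describes is needed.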