[Dshield] Some information regarding possible attack
cbyrum at erp.com
Fri May 17 21:04:49 GMT 2002
On Thu, 2002-05-16 at 21:05, Saurabh Dass Manandhar wrote:
> I don't know if this is the right place to discuss it, but I have this problem.
> One of the machines running in our network, 22.214.171.124, is continuously
> transmitting something to the Internet. I downloaded an evaluation version of
> CommView 3.3 and saw that it was sending thousands of records to different
> IP addresses to TCP port 80. Upon analyzing the packets, I found out that it
> had no data, just Ethernet, IP and TCP headers. Since it is sending tens of
> thousands, if not hundreds of thousands, packets per minute to different
> destinations -- all on port 80 of destination machines -- the rest of the
This server is scanning the net for servers with an open port 80.
Date: Fri, 17 May 2002 20:58:28 GMT
Client-Date: Fri, 17 May 2002 20:58:30 GMT
Set-Cookie: ASPSESSIONIDQQQGQXBY=DAJNNNKCJHEMLGLEHCDAEBON; path=/
It returns HTTP headers that suggest it is running Windows 2000 with IIS
5.0. Most likely it is unpatched, and infected with a worm such as
> network has become very very slow. I have checked for viruses using latest
> anti-virus and latest patches, but found no viruses. As a last-ditch
This suggests that maybe it's not Nimda, BUT: the only safe way to
"clean" your system once compromised is to back up your data, wipe the
disks clean, and install/patch from trusted media before putting it back
on the public internet. It wouldn't hurt to watch it very closely after
doing that as well.
> effort, I have removed it from network, but it is not a permanent solution.
> I am attaching a file in txt format with some packets.
These are SYN packets... used to open a TCP connection.
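As an added example (not code from the thread or from CommView), here is a Python check for the symptom cbyrum describes: a host emitting payload-less SYNs to port 80 of many distinct destinations in a short window. The Packet record layout and the capture are constructed assumptions; the host address from the thread is reused as the sample scanner.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float         # seconds since capture start (hypothetical record layout)
    src: str
    dst: str
    dport: int
    flags: str        # TCP flags as letters: "S" = SYN only, "SA" = SYN/ACK, "PA" = PSH/ACK
    payload_len: int  # bytes after the TCP header


def find_port80_syn_scanners(packets, window_s=60.0, min_targets=100):
    """Return {src: peak_distinct_dsts} for hosts that sent bare SYNs (no payload)
    to port 80 of at least min_targets distinct destinations within window_s seconds."""
    by_src = defaultdict(list)
    for p in packets:
        if p.dport == 80 and p.flags == "S" and p.payload_len == 0:
            by_src[p.src].append((p.ts, p.dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # distinct destinations currently inside the sliding window
        left, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window_s:   # drop events older than the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


def constructed_capture():
    """Constructed sample: the host from the thread firing bare SYNs at port 80 of 150
    distinct addresses in 30 s, plus a benign client completing three normal requests."""
    pkts = [Packet(i * 0.2, "22.214.171.124", f"203.0.113.{i}", 80, "S", 0) for i in range(150)]
    for i in range(3):
        pkts.append(Packet(10.0 + i, "10.0.0.5", f"203.0.113.{i}", 80, "S", 0))
        pkts.append(Packet(10.1 + i, "10.0.0.5", f"203.0.113.{i}", 80, "PA", 312))
    return pkts


if __name__ == "__main__":
    print(find_port80_syn_scanners(constructed_capture()))  # {'22.214.171.124': 150}
```

The benign client also sends bare SYNs, but to only three destinations, so it stays below the threshold; the thread's host exceeds it within a single window.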