[Dshield] Some information regarding possible attack

Clint Byrum cbyrum at erp.com
Fri May 17 21:04:49 GMT 2002

On Thu, 2002-05-16 at 21:05, Saurabh Dass Manandhar wrote:
> I don't know if this is the right place to discuss it, but I have this problem.
> One of the machines running in our network,, is continuously 
> transmitting something to the Internet. I downloaded evaluation version of 
> CommView 3.3 and saw that it was sending thousands of records to different 
> IP addresses to TCP port 80. Upon analyzing the packets, found out that it 
> had no data, just Ethernet, IP and TCP headers. Since it is sending tens of 
> thousands, if not hundreds of thousands, packets per minute to different 
> destinations -- all on port 80 of destination machines -- the rest of the 

This server is scanning the net for servers with an open port 80.

200 OK
Cache-Control: private
Connection: close
Date: Fri, 17 May 2002 20:58:28 GMT
Server: Microsoft-IIS/5.0
Content-Length: 1270
Content-Type: text/html
Client-Date: Fri, 17 May 2002 20:58:30 GMT
Client-Response-Num: 1

It returns HTTP headers that suggest it is running Windows 2000 with IIS
5.0. Most likely it is unpatched, and infected with a worm such as

> network has become very very slow. I have checked for viruses using latest 
> anti virus and latest patches, but found no viruses. As a last ditch 

This suggests that maybe its not Nimda, BUT; The only safe way to
"clean" your system once compromised is to backup your data, wipe the
disks clean, and install/patch from trusted media before putting it back
on the public internet. It wouldn't hurt to watch it very closely after
doing that as well.

> effort, I have removed it from network, but it is not a permanent solution. 
> I am attaching a file in txt format files with some packets.

These are SYN packets... used to open a TCP connection.


Clint Byrum

More information about the list mailing list