[Dshield] Some information regarding possible attack
sphull at oanet.com
Sat May 18 00:19:19 GMT 2002
One possibility is that you may have a trojan or worm which your anti-virus
can/doesn't see. Without knowing which OS you are using I'll assume it's
Windows. One thing you could try is TDS3 and Wormguard from Wayne Langlois
in Australia. You can get TDS-3 and Wormguard from here:
http://www.diamondcs.com.au/ Hope this helps.
----- Original Message -----
From: "Saurabh Dass Manandhar" <saurabh at ku.edu.np>
To: <list at dshield.org>
Cc: <dshield at dshield.org>
Sent: Thursday, May 16, 2002 10:05 PM
Subject: [Dshield] Some information regarding possible attack
> Since I did not get any indication that this mail actually reached the
> list, I am sending it again. I am sorry if it is repeated.
> I don't know if this is the right place to discuss it, but I have this
> One of the machines running in our network, 18.104.22.168, is
> transmitting something to the Internet. I downloaded evaluation version of
> CommView 3.3 and saw that it was sending thousands of records to different
> IP addresses to TCP port 80. Upon analyzing the packets, found out that it
> had no data, just Ethernet, IP and TCP headers. Since it is sending tens of
> thousands, if not hundreds of thousands, packets per minute to different
> destinations -- all on port 80 of destination machines -- the rest of the
> network has become very very slow. I have checked for viruses using latest
> anti virus and latest patches, but found no viruses. As a last ditch
> effort, I have removed it from network, but it is not a permanent
> I am attaching a file in txt format files with some packets.
> Can anyone help?
> Saurabh D. Manandhar
> Dept. of Computer Science and Engineering
> Kathmandu University
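A detection sketch for the traffic pattern described in the quoted message (one host sending header-only TCP packets to port 80 on many different addresses), added here as an example and not part of either post. The record format, the addresses and the thresholds are constructed assumptions; the fields would come from an export of whatever capture tool is in use.

```python
from collections import defaultdict

# Constructed sample records (not from the original post), one per line:
# "epoch_seconds src_ip dst_ip dst_port tcp_payload_bytes"
def build_sample():
    lines = []
    # Host A: header-only packets to 200 different addresses on port 80.
    for i in range(200):
        lines.append(f"{1000 + i // 10} 10.0.0.5 198.51.100.{i + 1} 80 0")
    # Host B: ordinary browsing, two destinations, packets carry data.
    for i in range(40):
        lines.append(f"{1000 + i} 10.0.0.7 203.0.113.{i % 2 + 10} 80 {300 + i}")
    # Host B also sends a few bare ACKs, which is normal TCP behaviour.
    for i in range(10):
        lines.append(f"{1005 + i} 10.0.0.7 203.0.113.10 80 0")
    return "\n".join(lines)

def parse(text):
    """Yield (ts, src, dst, dport, payload_len) tuples, skipping bad lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, plen = parts
        yield int(ts), src, dst, int(port), int(plen)

def fanout_suspects(records, port=80, window=60, min_dests=100,
                    min_empty_ratio=0.9):
    """Return {src: (distinct_dests, empty_ratio)} for sources that, within
    one time window, reach at least min_dests distinct addresses on `port`
    while nearly all of their packets carry no TCP payload.
    Thresholds are assumed starting points, to be tuned per network."""
    buckets = defaultdict(lambda: [set(), 0, 0])  # dests, packets, empty
    for ts, src, dst, dport, plen in records:
        if dport != port:
            continue
        bucket = buckets[(src, ts // window)]
        bucket[0].add(dst)
        bucket[1] += 1
        bucket[2] += (plen == 0)
    suspects = {}
    for (src, _), (dests, total, empty) in buckets.items():
        ratio = empty / total
        if len(dests) >= min_dests and ratio >= min_empty_ratio:
            if src not in suspects or len(dests) > suspects[src][0]:
                suspects[src] = (len(dests), ratio)
    return suspects

if __name__ == "__main__":
    print(fanout_suspects(parse(build_sample())))
```

Requiring both a high distinct-destination count and a high share of empty packets keeps a busy proxy or a host sending ordinary ACKs from being flagged.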