[Dshield] My server is an attacker
David Kennedy CISSP
david.kennedy at acm.org
Fri Oct 25 05:25:57 GMT 2002
-----BEGIN PGP SIGNED MESSAGE-----
At 02:28 PM 10/24/02 +0000, mathieu008 . wrote:
>Your IP (xxx.xxx.xxx.xxx) appears as an
>attacker 7 times in the DShield database.
>This thing really looks like a Trojan or something on my PDC (which
>is used as a proxy for my users too). Everything in my LAN is
>behind a Pix Firewall.
So to the outside world, all your machines appear to be one IP
address? If so, one or several inside machines may be to blame,
based on those source ports and dates, maybe two 2382-4 and 2102-2106
but I'd guess one. The logs you read were from the PIX or the PDC?
Try the PIX if you didn't already. Or try netflow logs to find the
With all destination ports of 80 it could be some kind of web server
glitch. Nimda's the most common port 80 trojan and they usually come
in groups larger than four.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Security 7.0.3
Comment: hacker=cybercriminal--the definition changed; get over it
-----END PGP SIGNATURE-----
David Kennedy CISSP                        /"\
Director of Research Services,             \ /  ASCII Ribbon Campaign
TruSecure Corp. http://www.trusecure.com    X   Against HTML Mail
Protect what you connect;                  / \
Look both ways before crossing the Net.
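
The correlation suggested in the reply, sketched as an added example that is not part of the original message: it groups the reported source ports into runs and matches them against address-translation records to name the inside host. The log layout, the addresses and the function names are assumptions made for this example; the port ranges follow the ones mentioned above.

```python
import re
from collections import defaultdict

# Constructed sample: (source port, destination port) pairs as a DShield
# report might list them for the single outside address.
REPORTED = [(2102, 80), (2104, 80), (2105, 80), (2106, 80),
            (2382, 80), (2383, 80), (2384, 80)]

# Constructed translation log. The line layout is an assumption for this
# example, not real PIX syslog; adapt the regex to the firewall's format.
NAT_LOG = """\
2002-10-23T09:14:02 inside=10.0.0.23:2102 outside=192.0.2.10:2102 dst=198.51.100.7:80
2002-10-23T09:14:02 inside=10.0.0.41:1055 outside=192.0.2.10:2103 dst=203.0.113.9:443
2002-10-23T09:14:03 inside=10.0.0.23:2104 outside=192.0.2.10:2104 dst=198.51.100.8:80
2002-10-23T09:14:03 inside=10.0.0.23:2105 outside=192.0.2.10:2105 dst=198.51.100.9:80
2002-10-23T09:14:04 inside=10.0.0.23:2106 outside=192.0.2.10:2106 dst=198.51.100.10:80
2002-10-23T11:40:10 inside=10.0.0.57:3001 outside=192.0.2.10:3001 dst=203.0.113.20:80
2002-10-24T08:02:31 inside=10.0.0.23:2382 outside=192.0.2.10:2382 dst=198.51.100.30:80
2002-10-24T08:02:31 inside=10.0.0.23:2383 outside=192.0.2.10:2383 dst=198.51.100.31:80
2002-10-24T08:02:32 inside=10.0.0.23:2384 outside=192.0.2.10:2384 dst=198.51.100.32:80
"""

LINE = re.compile(r"inside=(?P<host>[\d.]+):\d+ outside=[\d.]+:(?P<xport>\d+) "
                  r"dst=[\d.]+:(?P<dport>\d+)")

def port_runs(ports, max_gap=2):
    """Group ports into runs; closely spaced ephemeral ports suggest one host's burst."""
    runs = []
    for p in sorted(set(ports)):
        if runs and p - runs[-1][-1] <= max_gap:
            runs[-1].append(p)
        else:
            runs.append([p])
    return runs

def attribute(reported, log_text):
    """Map each reported (translated source port, dest port) to its inside host."""
    wanted = set(reported)
    hits = defaultdict(list)
    for m in LINE.finditer(log_text):
        key = (int(m["xport"]), int(m["dport"]))
        if key in wanted:
            hits[m["host"]].append(key[0])
    return {host: sorted(ports) for host, ports in hits.items()}

if __name__ == "__main__":
    print(port_runs(p for p, _ in REPORTED))
    print(attribute(REPORTED, NAT_LOG))
```

Matching on the translated (outside) port rather than the inside port matters when the firewall rewrites source ports, and a real log should also be narrowed to the report's time window, since ephemeral ports are reused.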