[unisog] suspicious traffic to lmu.edu 157.242.56.68

Pat@350ZRoadsterClub pat at 350zroadsterclub.com
Wed Nov 16 02:59:53 GMT 2005


Has there been any follow-up to the traffic lmu has been receiving? ...I
just caught my computer sending this to lmu:

Process:
C:\WINDOWS\System32\svchost.exe
Using TCP (flag: S)

Tried to establish a connection.

Thanks,
Pat

-------------------------
Landau, Gary glandau at lmu.edu 
Fri Apr 1 21:55:52 GMT 2005 



We've had a big influx of port 1025 traffic as well.  It appears to be
some sort of worm, and we've had three Windows 2000 servers infected.
They would run a process called SVHOST (not to be mistaken for SVCHOST),
and it would prevent them from installing security patches or running
Task Manager.

Cleaning them wasn't easy either.  Our Symantec anti-virus wouldn't
detect it, so we had to do a manual cleanup.  We had to boot into safe
mode, remove the registry entries that start up the SVHOST process, and
then delete the SVHOST file(s).

Gary Landau
Director, Network Services
Loyola Marymount University
glandau at lmu.edu
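The cleanup Gary describes starts with telling the worm's SVHOST apart from the real SVCHOST in the Run keys and the process list. The script below is an added example (not code from the thread or from LMU) that automates that first triage step: it flags executables whose name is within one edit of a well-known Windows binary, and well-known names that are running from somewhere other than their expected directory. The Run-key paths, file names and the LEGIT table are constructed sample data standing in for what you would pull from the host; Pat's later observation, svchost.exe in System32 opening a connection, is included to show that the legitimate binary passes a name-and-path check, so this filter only narrows the list.

```python
"""Triage autostart entries and running processes for svchost look-alikes.

Added example, not from the unisog thread. Sample data below is constructed;
on a real host you would feed it the Run/RunOnce values and the process list.
"""
import ntpath

# Expected directories for names a worm commonly imitates (assumed, lower-case).
LEGIT = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def levenshtein(a, b):
    """Edit distance between two strings, case-insensitive."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path):
    """Return a finding for one executable path, or None if nothing stands out."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    if name in LEGIT:
        # Real name, but running or registered from the wrong place.
        if directory != LEGIT[name]:
            return f"{name} outside its expected directory ({path})"
        return None
    for legit in LEGIT:
        # svhost.exe vs svchost.exe is one inserted character away.
        if levenshtein(name, legit) <= 1:
            return f"{name} looks like {legit} ({path})"
    return None


def triage(entries):
    """entries: list of (source, path). Returns list of (source, finding)."""
    findings = []
    for source, path in entries:
        finding = classify(path)
        if finding:
            findings.append((source, finding))
    return findings


# Constructed sample: two Run values and three processes, not real host data.
SAMPLE = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service",
     r"C:\WINDOWS\svhost.exe"),
    ("process", r"C:\WINDOWS\System32\svchost.exe"),   # the real one, as in Pat's alert
    ("process", r"C:\WINDOWS\System32\svhost.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     r"C:\Documents and Settings\pat\svchost.exe"),
    ("process", r"C:\WINDOWS\explorer.exe"),
]

if __name__ == "__main__":
    for source, finding in triage(SAMPLE):
        print(f"{source}: {finding}")
```

Anything this flags is a candidate for the safe-mode removal Gary describes, but a clean result does not clear the host: the genuine svchost.exe hosts service DLLs, so a name-and-path check says nothing about what it has loaded.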

------------------------------

Message: 3
Date: Thu, 31 Mar 2005 13:51:36 -0600
From: "Harris, Michael C." <HarrisMC at health.missouri.edu>
Subject: RE: [unisog]very high Inbound 1025 traffic increase
To: "UNIversity Security Operations Group" <unisog at lists.sans.org>
Message-ID: <FFE408772285764C8F15260D3EC52B9401D60865 at UM-EMAIL04.um.umsystem.edu>

Take a look at port 1025 on your border....

Huge ramp-up in external inbound traffic on TCP port 1025; no capture yet,
but I will forward one as soon as I am able to retrieve one.

------------------------------------
Mike Harris
System Security Analyst & Instructor
University Of Missouri Health Center
harrismc at health.missouri.edu  KCØPAH
------------------------------------
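Mike's advice is to watch port 1025 at the border. The script below is an added example (not from the thread or from either university) of what "watching" can mean in practice: it counts inbound TCP SYNs to port 1025 per minute from firewall log lines, compares each minute against the median of the preceding minutes, and reports windows where the count jumps by a large factor along with how many distinct sources drove the jump (many distinct sources is what a scanning worm looks like). The log lines are constructed in an iptables-like format, and the threshold parameters (baseline window, factor, minimum SYN count) are assumptions to tune for your own traffic.

```python
"""Flag a ramp-up of inbound SYNs to one port from firewall log lines.

Added example, not from the unisog thread. Log lines are constructed in a
simplified iptables style; adjust LINE for your own firewall's format.
"""
import re
from collections import Counter, defaultdict
from statistics import median

# Captures timestamp to the minute, source IP, destination port, and requires SYN.
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d):\d\d .*?SRC=(?P<src>[\d.]+) "
    r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+) .*?\bSYN\b"
)


def parse(lines):
    """Yield (minute, src, dport) for every TCP SYN line that matches."""
    for line in lines:
        m = LINE.search(line)
        if m:
            yield m.group("ts"), m.group("src"), int(m.group("dpt"))


def syn_per_minute(lines, port=1025):
    """Count SYNs to `port` per minute and remember the distinct sources."""
    counts = Counter()
    sources = defaultdict(set)
    for ts, src, dpt in parse(lines):
        if dpt == port:
            counts[ts] += 1
            sources[ts].add(src)
    return counts, sources


def ramp_windows(counts, sources, baseline_windows=3, factor=5, min_syn=10):
    """Return (minute, syn_count, distinct_sources) for minutes whose SYN count
    is at least `factor` times the median of the previous `baseline_windows`
    minutes and at least `min_syn` (the floor stops one-off noise firing)."""
    # Sorting the minute strings works within one day; parse real timestamps
    # with datetime if your logs span days.
    minutes = sorted(counts)
    flagged = []
    for i, minute in enumerate(minutes):
        if i < baseline_windows:
            continue
        base = median(counts[x] for x in minutes[i - baseline_windows:i])
        if counts[minute] >= min_syn and counts[minute] >= factor * base:
            flagged.append((minute, counts[minute], len(sources[minute])))
    return flagged


def _line(minute, src, dpt, flags="SYN"):
    """Build one constructed log line (not a real capture)."""
    return (f"Mar 31 13:{minute:02d}:07 border kernel: IN=eth0 OUT= SRC={src} "
            f"DST=10.20.1.5 PROTO=TCP SPT=3099 DPT={dpt} {flags}")


# Constructed sample: a quiet baseline, then twelve distinct sources in one minute,
# plus traffic to other ports and a non-SYN line that must not be counted.
SAMPLE_LOG = (
    [_line(20, "198.51.100.7", 1025), _line(21, "198.51.100.8", 1025),
     _line(21, "198.51.100.9", 1025), _line(22, "198.51.100.10", 1025)]
    + [_line(23, f"203.0.113.{i}", 1025) for i in range(1, 13)]
    + [_line(23, "203.0.113.50", 80), _line(23, "203.0.113.51", 1025, flags="ACK"),
       _line(22, "203.0.113.52", 445)]
)

if __name__ == "__main__":
    counts, sources = syn_per_minute(SAMPLE_LOG)
    for minute, n, distinct in ramp_windows(counts, sources):
        print(f"{minute}: {n} SYNs to 1025 from {distinct} distinct sources")
```

Run it against a border firewall or NetFlow export once per minute and the first flagged window is your cue to pull the packet capture Mike was after; the distinct-source count tells you whether you are looking at one noisy host or a spreading worm.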


