Security Basics mailing list archives

Trojan on my system ??


From: thunderstar () loop de
Date: 24 Oct 2005 16:03:53 -0000

Hi all,

Could it be that I have a trojan on my system? If yes, how could I find out? rkhunter and chkrootkit found nothing unusual.

This is what snort sent to me:
Events between  10 23 15:45:53  and  10 23 21:20:59
Total events: 11
Signatures recorded: 3
Source IP recorded: 1
Destination IP recorded: 4


Events from same host to same destination using same method
=========================================================================
 # of  from             to               method
=========================================================================
    3  192.168.1.10     62.245.157.232   (http_inspect) IIS UNICODE CODEPOINT ENCODING
    2  192.168.1.10     194.129.79.8     (portscan) TCP Portsweep
    2  192.168.1.10     194.129.79.8     (portscan) TCP Portscan
    2  192.168.1.10     216.113.178.120  (portscan) TCP Portsweep


Percentage and number of events from a host to a destination
============================================================
  %    # of  from             to               
============================================================
36.36     4  192.168.1.10     194.129.79.8   
27.27     3  192.168.1.10     62.245.157.232 
18.18     2  192.168.1.10     216.113.178.120
18.18     2  192.168.1.10     66.135.192.85  


Percentage and number of events from one host to any with same method
==============================================================
  %    # of  from             method
==============================================================
45.45     5  192.168.1.10     (portscan) TCP Portsweep    
27.27     3  192.168.1.10     (http_inspect) IIS UNICODE CODEPOINT ENCODING
27.27     3  192.168.1.10     (portscan) TCP Portscan     


Percentage and number of events to one certain host
=================================================================
  %    # of  to               method
=================================================================
27.27     3  62.245.157.232   (http_inspect) IIS UNICODE CODEPOINT ENCODING
18.18     2  194.129.79.8     (portscan) TCP Portscan     
18.18     2  194.129.79.8     (portscan) TCP Portsweep    
18.18     2  216.113.178.120  (portscan) TCP Portsweep    


The distribution of event methods
===============================================
  %    # of  method
===============================================
45.45     5  (portscan) TCP Portsweep        
                 2     192.168.1.10    -> 194.129.79.8   
                 2     192.168.1.10    -> 216.113.178.120
                 1     192.168.1.10    -> 66.135.192.85  
27.27     3  (http_inspect) IIS UNICODE CODEPOINT ENCODING
                 3     192.168.1.10    -> 62.245.157.232 
27.27     3  (portscan) TCP Portscan         
                 2     192.168.1.10    -> 194.129.79.8   
                 1     192.168.1.10    -> 66.135.192.85  


It seems that I am attacking the web. Or does someone redirect some services from me?

Any clue is welcome!

Best regards

Hans

