Security Basics mailing list archives
Trojan on my system ??
From: thunderstar () loop de
Date: 24 Oct 2005 16:03:53 -0000
Hi all,

could it be, I have a trojan on my system? If yes, how could I find out? rkhunter and chkrootkit did find nothing unusual.

This is what snort sent to me:

Events between 10 23 15:45:53 and 10 23 21:20:59
Total events: 11
Signatures recorded: 3
Source IP recorded: 1
Destination IP recorded: 4

Events from same host to same destination using same method
=========================================================================
# of  from          to               method
=========================================================================
3     192.168.1.10  62.245.157.232   (http_inspect) IIS UNICODE CODEPOINT ENCODING
2     192.168.1.10  194.129.79.8     (portscan) TCP Portsweep
2     192.168.1.10  194.129.79.8     (portscan) TCP Portscan
2     192.168.1.10  216.113.178.120  (portscan) TCP Portsweep

Percentage and number of events from a host to a destination
============================================================
%      # of  from          to
============================================================
36.36  4     192.168.1.10  194.129.79.8
27.27  3     192.168.1.10  62.245.157.232
18.18  2     192.168.1.10  216.113.178.120
18.18  2     192.168.1.10  66.135.192.85

Percentage and number of events from one host to any with same method
==============================================================
%      # of  from          method
==============================================================
45.45  5     192.168.1.10  (portscan) TCP Portsweep
27.27  3     192.168.1.10  (http_inspect) IIS UNICODE CODEPOINT ENCODING
27.27  3     192.168.1.10  (portscan) TCP Portscan

Percentage and number of events to one certain host
=================================================================
%      # of  to               method
=================================================================
27.27  3     62.245.157.232   (http_inspect) IIS UNICODE CODEPOINT ENCODING
18.18  2     194.129.79.8     (portscan) TCP Portscan
18.18  2     194.129.79.8     (portscan) TCP Portsweep
18.18  2     216.113.178.120  (portscan) TCP Portsweep

The distribution of event methods
===============================================
%      # of  method
===============================================
45.45  5     (portscan) TCP Portsweep
             2  192.168.1.10 -> 194.129.79.8
             2  192.168.1.10 -> 216.113.178.120
             1  192.168.1.10 -> 66.135.192.85
27.27  3     (http_inspect) IIS UNICODE CODEPOINT ENCODING
             3  192.168.1.10 -> 62.245.157.232
27.27  3     (portscan) TCP Portscan
             2  192.168.1.10 -> 194.129.79.8
             1  192.168.1.10 -> 66.135.192.85

It seems that I do attacks to the web. Or does someone redirect some services from me?

Any clue is welcome!

Best regards
Hans