Security Basics mailing list archives
Zombie / Botnet?
From: Tony Raboza <tonyraboza () gmail com>
Date: Tue, 10 Nov 2009 20:05:20 +0800
Hi,

One of our workstations is broadcasting a huge amount of UDP traffic (around 5Mbps) and I'm thinking it could be a zombied computer doing DDoS as directed by its controller. But the weird thing is - it has an updated McAfee AV with HIPS?? Why was this not detected - or could I be reading this wrong?

Here's a portion of the tcpdump:

14:00:20.509030 IP 192.168.10.10.smpppd > i.root-servers.net.hpstgmgr: UDP, length 1000
14:00:20.519512 IP 192.168.10.10.iiw-port > 77.91.227.67.4744: UDP, length 1000
14:00:20.520580 IP 192.168.10.10.odi-port > a.root-servers.net.4496: UDP, length 1000
14:00:20.521733 IP 192.168.10.10.brcm-comm-port > b.root-servers.net.4710: UDP, length 1000
14:00:20.523076 IP 192.168.10.10.pcle-infex > c.root-servers.net.826: UDP, length 1000
14:00:20.524186 IP 192.168.10.10.csvr-proxy > d.root-servers.net.3997: UDP, length 1000
14:00:20.525251 IP 192.168.10.10.csvr-sslproxy > E.ROOT-SERVERS.NET.funk-license: UDP, length 1000
14:00:20.526385 IP 192.168.10.10.firemonrcc > f.root-servers.net.sonuscallsig: UDP, length 1000
14:00:20.527798 IP 192.168.10.10.spandataport > G.ROOT-SERVERS.NET.4130: UDP, length 1000
14:00:20.528794 IP 192.168.10.10.magbind > h.root-servers.net.atmtcp: UDP, length 1000
14:00:20.529947 IP 192.168.10.10.ncu-1 > i.root-servers.net.direcpc-dll: UDP, length 1000
14:00:20.537027 IP 192.168.10.10.ncu-2 > 77.91.227.67.audit-transfer: UDP, length 1000
14:00:20.538422 IP 192.168.10.10.embrace-dp-s > 77.91.227.67.bluelance: UDP, length 1000
14:00:20.538712 IP 192.168.10.10.embrace-dp-c > a.root-servers.net.embrace-dp-s: UDP, length 1000
14:00:20.540010 IP 192.168.10.10.dmod-workspace > b.root-servers.net.bvcontrol: UDP, length 1000
14:00:20.540208 IP 192.168.10.10.tick-port > a.root-servers.net.925: UDP, length 1000
14:00:20.541412 IP 192.168.10.10.cpq-tasksmart > b.root-servers.net.bnt-manager: UDP, length 1000
14:00:20.541756 IP 192.168.10.10.intraintra > c.root-servers.net.864: UDP, length 1000
14:00:20.542941 IP 192.168.10.10.netwatcher-mon > c.root-servers.net.sbi-agent: UDP, length 1000
14:00:20.544113 IP 192.168.10.10.netwatcher-db > d.root-servers.net.4467: UDP, length 1000
14:00:20.544400 IP 192.168.10.10.isns > d.root-servers.net.4245: UDP, length 1000
14:00:20.545444 IP 192.168.10.10.ironmail > E.ROOT-SERVERS.NET.2374: UDP, length 1000
==

It's sending UDP traffic to the root nameservers .... Any ideas?

Thanks.

Best,
Tony
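As an added example (editor's code, not part of Tony's post or of any reply in the thread), the following Python script turns tcpdump UDP summary lines like the ones quoted above into per-source statistics and flags hosts whose outbound traffic has the shape of a UDP flood: many datagrams of one fixed size sprayed across many destination hosts and ports in a very short window. The sample input is the 22 lines from the post, with two constructed benign DNS queries from a made-up second host (192.168.10.55) mixed in for contrast. The function names (`parse`, `summarize`, `payload_mbps`, `flood_suspects`) and the thresholds in `flood_suspects` are assumptions chosen for illustration, not a vendor signature.

```python
"""Flag hosts whose outbound UDP has the shape of a flood, from tcpdump summary lines."""
import re
from datetime import datetime

# tcpdump summary line for a UDP datagram as quoted in the post (tcpdump run
# without -n, so hosts and ports may show up as resolved names, not numbers).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>[^.\s]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[^.\s:]+): UDP, length (?P<length>\d+)$"
)

# Constructed input: the 22 lines from the post, interleaved with two benign
# DNS queries from a second host (192.168.10.55 and its queries are made up).
SAMPLE = """\
14:00:20.509030 IP 192.168.10.10.smpppd > i.root-servers.net.hpstgmgr: UDP, length 1000
14:00:20.510000 IP 192.168.10.55.49152 > 192.168.10.1.domain: UDP, length 45
14:00:20.519512 IP 192.168.10.10.iiw-port > 77.91.227.67.4744: UDP, length 1000
14:00:20.520580 IP 192.168.10.10.odi-port > a.root-servers.net.4496: UDP, length 1000
14:00:20.521733 IP 192.168.10.10.brcm-comm-port > b.root-servers.net.4710: UDP, length 1000
14:00:20.523076 IP 192.168.10.10.pcle-infex > c.root-servers.net.826: UDP, length 1000
14:00:20.524186 IP 192.168.10.10.csvr-proxy > d.root-servers.net.3997: UDP, length 1000
14:00:20.525251 IP 192.168.10.10.csvr-sslproxy > E.ROOT-SERVERS.NET.funk-license: UDP, length 1000
14:00:20.526385 IP 192.168.10.10.firemonrcc > f.root-servers.net.sonuscallsig: UDP, length 1000
14:00:20.527798 IP 192.168.10.10.spandataport > G.ROOT-SERVERS.NET.4130: UDP, length 1000
14:00:20.528794 IP 192.168.10.10.magbind > h.root-servers.net.atmtcp: UDP, length 1000
14:00:20.529947 IP 192.168.10.10.ncu-1 > i.root-servers.net.direcpc-dll: UDP, length 1000
14:00:20.530000 IP 192.168.10.55.49153 > 192.168.10.1.domain: UDP, length 52
14:00:20.537027 IP 192.168.10.10.ncu-2 > 77.91.227.67.audit-transfer: UDP, length 1000
14:00:20.538422 IP 192.168.10.10.embrace-dp-s > 77.91.227.67.bluelance: UDP, length 1000
14:00:20.538712 IP 192.168.10.10.embrace-dp-c > a.root-servers.net.embrace-dp-s: UDP, length 1000
14:00:20.540010 IP 192.168.10.10.dmod-workspace > b.root-servers.net.bvcontrol: UDP, length 1000
14:00:20.540208 IP 192.168.10.10.tick-port > a.root-servers.net.925: UDP, length 1000
14:00:20.541412 IP 192.168.10.10.cpq-tasksmart > b.root-servers.net.bnt-manager: UDP, length 1000
14:00:20.541756 IP 192.168.10.10.intraintra > c.root-servers.net.864: UDP, length 1000
14:00:20.542941 IP 192.168.10.10.netwatcher-mon > c.root-servers.net.sbi-agent: UDP, length 1000
14:00:20.544113 IP 192.168.10.10.netwatcher-db > d.root-servers.net.4467: UDP, length 1000
14:00:20.544400 IP 192.168.10.10.isns > d.root-servers.net.4245: UDP, length 1000
14:00:20.545444 IP 192.168.10.10.ironmail > E.ROOT-SERVERS.NET.2374: UDP, length 1000
"""


def parse(line):
    """Return (seconds_since_midnight, src, dst, dport, payload_len), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    t = datetime.strptime(m["ts"], "%H:%M:%S.%f")
    secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
    return secs, m["src"], m["dst"].lower(), m["dport"], int(m["length"])


def summarize(lines):
    """Per-source counters: packets, payload bytes, distinct dst hosts and
    ports, distinct payload lengths, and first/last timestamp seen."""
    stats = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        secs, src, dst, dport, length = rec
        s = stats.setdefault(src, {"packets": 0, "bytes": 0, "dsts": set(),
                                   "dports": set(), "lengths": set(),
                                   "first": secs, "last": secs})
        s["packets"] += 1
        s["bytes"] += length
        s["dsts"].add(dst)
        s["dports"].add(dport)
        s["lengths"].add(length)
        s["first"] = min(s["first"], secs)
        s["last"] = max(s["last"], secs)
    return stats


def payload_mbps(s):
    """Payload rate in Mbit/s over the observed window.  On-wire rate is a bit
    higher: each datagram also carries about 42 bytes of Ethernet/IP/UDP headers."""
    span = s["last"] - s["first"]
    return s["bytes"] * 8 / span / 1e6 if span > 0 else 0.0


def flood_suspects(lines, min_packets=10, min_dports=8, min_mbps=1.0):
    """Sources whose UDP looks like a flood: many datagrams of one fixed size
    sprayed at many destination ports at a high rate.  Thresholds are assumed
    starting points for a LAN, not anyone's published signature."""
    hits = []
    for src, s in summarize(lines).items():
        if (s["packets"] >= min_packets and len(s["dports"]) >= min_dports
                and len(s["lengths"]) == 1 and payload_mbps(s) >= min_mbps):
            hits.append(src)
    return sorted(hits)


if __name__ == "__main__":
    stats = summarize(SAMPLE.splitlines())
    for src in flood_suspects(SAMPLE.splitlines()):
        s = stats[src]
        print(f"{src}: {s['packets']} datagrams to {len(s['dsts'])} hosts / "
              f"{len(s['dports'])} ports in {s['last'] - s['first']:.3f}s, "
              f"~{payload_mbps(s):.1f} Mbit/s payload")
```

Run over the excerpt, it reports 192.168.10.10 alone: 22 datagrams to 10 distinct hosts on 22 distinct destination ports within about 36 ms, a payload rate of roughly 4.8 Mbit/s, which lines up with the 5 Mbps the post mentions. The check keys on flow shape (fixed size, port spray, rate) rather than on packet content, which is why it is meant to run on a capture or flow export from the network side; the per-source dictionary maps directly onto what NetFlow-style tooling would aggregate.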
Current thread:
- Zombie / Botnet? Tony Raboza (Nov 10)
- Re: Zombie / Botnet? Jay Vlavianos (Nov 10)
- Re: Zombie / Botnet? Trojacek (Nov 10)
- Re: Zombie / Botnet? Drew Brown (Nov 10)
- RE: Zombie / Botnet? Barry Raveendran Greene (Nov 10)
- Re: Zombie / Botnet? Kurt Buff (Nov 10)
- RE: Zombie / Botnet? Murda Mcloud (Nov 12)
- Message not available
- Re: Zombie / Botnet? Tony Raboza (Nov 12)
- Re: Zombie / Botnet? Jay Vlavianos (Nov 10)
- <Possible follow-ups>
- Re: Zombie / Botnet? surangkana . r (Nov 10)