Firewall Wizards mailing list archives

Re: worm?


From: "Julian M. Dragut" <julianmd () gmail com>
Date: Thu, 1 Feb 2007 16:59:01 -0500

Phel
http://www.symantec.com/security_response/writeup.jsp?docid=2004-122717-5050-99&tabid=2

downloads and executes Coreflood

http://www.symantec.com/security_response/writeup.jsp?docid=2002-112912-2439-99

which doesn't sound like your problem.

On 2/1/07, Paul D. Robertson <paul () compuwar net> wrote:
> On Thu, 1 Feb 2007, Brian Loe wrote:
>
> > One of our support technician's machines is attempting to connect to
> > random IP addresses on port 25 - in a pretty needy fashion. He says
> > he's scanned the box with the latest updates from McAfee and it
> > hasn't found anything.
> >
> > We discovered it because one of my basic (meaning I got it off the
> > 'Net) rules for SEC flagged it as a possible PHEL trojan.
> >
> > Any thoughts?
>
> See what process keeps opening sockets?
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> paul () compuwar net       which may have no basis whatsoever in fact."
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards




-- 
Best regards,


Julian Dragut
www.networkmanager.org
If you knew that you wouldn't fall, how far would you have gone?
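
Added example, not part of the original thread: one way to act on the "see what process keeps opening sockets" suggestion, by grouping outbound port 25 connections per PID from a saved `netstat -ano` capture. It assumes the affected machine runs Windows; the sample output, the addresses (documentation ranges), the PIDs and the relay allow-list are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of `netstat -ano` output (documentation address ranges).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:1045        198.51.100.7:25        SYN_SENT        1812
  TCP    192.0.2.10:1046        203.0.113.44:25        SYN_SENT        1812
  TCP    192.0.2.10:1047        198.51.100.201:25      ESTABLISHED     1812
  TCP    192.0.2.10:1048        203.0.113.9:25         SYN_SENT        1812
  TCP    192.0.2.10:1050        192.0.2.25:25          ESTABLISHED     2240
  TCP    192.0.2.10:1051        192.0.2.80:443         ESTABLISHED     3004
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  UDP    0.0.0.0:500            *:*                                    716
"""

def smtp_peers_by_pid(netstat_text, port=25):
    """Map PID -> set of remote hosts it has outbound TCP connections to on `port`."""
    peers = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly 5 fields: proto, local, foreign, state, pid.
        # The header row (7 fields) and UDP rows (4 fields) are skipped here.
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        _proto, _local, foreign, state, pid = fields
        if state == "LISTENING":
            continue
        host, _, remote_port = foreign.rpartition(":")
        if remote_port == str(port) and pid.isdigit():
            peers[int(pid)].add(host)
    return dict(peers)

def suspicious_pids(netstat_text, allowed_relays=(), min_distinct=3, port=25):
    """Return PIDs talking to at least `min_distinct` hosts that are not known relays."""
    flagged = {}
    for pid, hosts in smtp_peers_by_pid(netstat_text, port).items():
        unknown = hosts - set(allowed_relays)
        if len(unknown) >= min_distinct:
            flagged[pid] = sorted(unknown)
    return flagged

if __name__ == "__main__":
    # 192.0.2.25 stands in for the site's legitimate mail relay (assumption).
    hits = suspicious_pids(SAMPLE_NETSTAT, allowed_relays={"192.0.2.25"})
    for pid, hosts in hits.items():
        print(f"PID {pid}: {len(hosts)} distinct SMTP peers: {', '.join(hosts)}")
```

A flagged PID can then be matched to its image name with `tasklist`. Because connection attempts are short-lived, several captures taken a few seconds apart give a more reliable picture than one.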