Security Incidents mailing list archives
Re: Possible new trojan?
From: H C <keydet89 () yahoo com>
Date: Thu, 13 Sep 2001 10:20:59 -0700 (PDT)
Mike, I'd like to give you a couple of things to consider: 1. Did you perform a packet capture on the network? 2. Did you dump the process list from the machine during this activity? 3. What is the os of the target system (this would help myself and others recommend tools)? 4. Did you check the contents of the Run, RunServices, RunOnce Registry keys (if the target system is a MS platform)? How about startup directories for the currently logged on user? Or, if the system is Win98, the system.ini and win.ini files?
During a client security investigation, we encountered suspicious traffic from a client-machine, to which we can not identify the source, if this is a Trojan, or some sort of worm.
Again, what is the process list from the machine? For tools to use on NT/2K platforms, check out: http://www.securityfocus.com/focus/microsoft/2k/forensictools.html
The client machine had for three days been sending excessive requests to port 80, to two different IP-addresses. Both targets are 'high- profile', well known international companies. Each target has received over 100 000 connection attempts per day (24 hours). We can't see if the requests were valid HTTP requests, or if the client just connected to port 80, and then dropped the connection
Did you use a sniffer on the same segment? Tcpdump from Linux, Windump for Win32, snort for both?
An interesting thing is that the source port in each request, would start at 1025, increase by one to 5000, and then start over with source port 1025.
That should be fairly normal activity, actually. I'm not sure about rolling over specifically at 5000, but starting at a high port (ie, above 1024) is normal.
The client machine does have an irc client installed, and this is somewhat alarming.
How so? It might have served as the infection vector, but I don't necessarily see how the presence of just an irc client is "alarming".
However, the Trend Micro anti-virus software does not detect the virus, with the leates available patternfile (per 2001- 09-10).
Maybe it's not a trojan at all. With more info, I could help you more specifically. Please feel free to contact me at "keydet89 () yahoo com". I also teach a 2-day Incident Response Course for NT/2K admins. Carv __________________________________________________ Terrorist Attacks on U.S. - How can you help? Donate cash, emergency relief information http://dailynews.yahoo.com/fc/US/Emergency_Information/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Possible new trojan? Mike Blomgren (Sep 13)
- Re: Possible new trojan? H C (Sep 13)
- <Possible follow-ups>
- Re: Possible new trojan? Mike Blomgren (Sep 13)
- Re: Possible new trojan? Daniel Martin (Sep 17)
- RE: Possible new trojan? Ryan Hill (Sep 14)