Security Incidents mailing list archives
Re: Anyone seen this?
From: "Bryan D. Payne" <bdpayne () cs umd edu>
Date: Tue, 27 Aug 2002 13:53:05 -0400 (EDT)
Have you tried comparing MD5 checksums of the apache that you downloaded and a "known good" version? If the checksums fail, of course, you should contact the location that you downloaded the bad version from to let them know that they have a problem. Also, is Apache the only new / updated software on that machine? I'd agree that this looks rather suspect.

-bryan

On Mon, 26 Aug 2002, Gary R. Porter wrote:

A co-worker in the office loaded what he thought was a standard download of Apache and soon thereafter his machine started trying to reach a wide assortment of addresses on seemingly random ports that our firewall is not configured to let out, resulting in internal netprobes. Many of the addresses look suspicious. Has anyone seen this type of thing before?

Aug 26 15:54:51 tcp (source IPADD) 2774 209.61.184.227 6346
Aug 26 15:54:51 tcp XX.XXX.XXX.XX 2766 CPE-144-137-30-210. 5605
Aug 26 15:54:51 tcp XX.XXX.XXX.XX 2767 usr1271-udd.blueyon 9613
Aug 26 15:54:52 tcp XX.XXX.XXX.XX 2768 161.45.178.190 7867
Aug 26 15:54:52 tcp XX.XXX.XXX.XX 2769 12-249-40-71.client 8386
Aug 26 15:54:53 tcp XX.XXX.XXX.XX 2770 N890P015.adsl.highw 6226
Aug 26 15:54:53 tcp XX.XXX.XXX.XX 2771 209-124-131-186.pep 4396
Aug 26 15:54:54 tcp XX.XXX.XXX.XX 2774 209.61.184.227 6346
Aug 26 15:54:54 tcp XX.XXX.XXX.XX 2772 0x503e2304.arcnxx12 8740
Aug 26 15:54:54 tcp XX.XXX.XXX.XX 2773 dyn-168-11.paonline 8922
Aug 26 15:54:56 tcp XX.XXX.XXX.XX 2775 209-124-131-186.pep 4396
Aug 26 15:54:57 tcp XX.XXX.XXX.XX 2776 226-232-234-66.tran 6840
Aug 26 15:54:58 tcp XX.XXX.XXX.XX 2775 209-124-131-186.pep 4396
Aug 26 15:54:59 tcp XX.XXX.XXX.XX 2776 226-232-234-66.tran 6840
Aug 26 15:55:00 tcp XX.XXX.XXX.XX 2774 209.61.184.227 6346
Aug 26 15:55:01 tcp XX.XXX.XXX.XX 2777 209.61.184.225 6346
Aug 26 15:55:02 tcp XX.XXX.XXX.XX 2778 0x503e2304.arcnxx12 8740
Aug 26 15:55:04 tcp XX.XXX.XXX.XX 2777 209.61.184.225 6346
Aug 26 15:55:04 tcp XX.XXX.XXX.XX 2775 209-124-131-186.pep 4396
Aug 26 15:55:05 tcp XX.XXX.XXX.XX 2778 0x503e2304.arcnxx12 8740
Aug 26 15:55:05 tcp XX.XXX.XXX.XX 2776 226-232-234-66.tran 6840
Aug 26 15:55:08 tcp XX.XXX.XXX.XX 2779 209-124-131-186.pep 4396
Aug 26 15:55:10 tcp XX.XXX.XXX.XX 2777 209.61.184.225 6346
Aug 26 15:55:10 tcp XX.XXX.XXX.XX 2780 226-232-234-66.tran 6840
Aug 26 15:55:11 tcp XX.XXX.XXX.XX 2779 209-124-131-186.pep 4396

Gary R. Porter
Program Manager, CITS Mobile Training
MATCOM Corporation
757-838-0212 (w)
757-897-5830 (m)
gary.porter () matcomcorp com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
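One way to triage a firewall excerpt like the one in the quoted message, as an added example that is not code from either poster: it parses the log layout shown there and collapses lines that repeat the same source port, destination and destination port into a single blocked connection, so retries are not mistaken for new destinations. The field layout is inferred from the excerpt, and the names `parse` and `summarize` are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the firewall excerpt in the post (source address masked there).
SAMPLE = """\
Aug 26 15:54:51 tcp (source IPADD) 2774 209.61.184.227 6346
Aug 26 15:54:51 tcp XX.XXX.XXX.XX 2766 CPE-144-137-30-210. 5605
Aug 26 15:54:52 tcp XX.XXX.XXX.XX 2768 161.45.178.190 7867
Aug 26 15:54:54 tcp XX.XXX.XXX.XX 2774 209.61.184.227 6346
Aug 26 15:54:56 tcp XX.XXX.XXX.XX 2775 209-124-131-186.pep 4396
Aug 26 15:54:58 tcp XX.XXX.XXX.XX 2775 209-124-131-186.pep 4396
Aug 26 15:55:00 tcp XX.XXX.XXX.XX 2774 209.61.184.227 6346
Aug 26 15:55:01 tcp XX.XXX.XXX.XX 2777 209.61.184.225 6346
Aug 26 15:55:08 tcp XX.XXX.XXX.XX 2779 209-124-131-186.pep 4396
"""

# Assumed layout: timestamp, protocol, source, source port, destination, dest port.
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\w+) (.+?) (\d+) (\S+) (\d+)$")

def parse(line):
    """Return the fields of one log line, or None if it does not fit the layout."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, proto, src, sport, dst, dport = m.groups()
    return {"ts": ts, "proto": proto, "src": src,
            "sport": int(sport), "dst": dst, "dport": int(dport)}

def summarize(text):
    """Count blocked connections, retries of the same connection, and fan-out."""
    # Keyed without the source address: it is masked in the excerpt and the
    # log is assumed to come from the single internal host being examined.
    conns = defaultdict(int)  # (sport, dst, dport) -> number of log lines
    skipped = 0
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            if line.strip():
                skipped += 1
            continue
        conns[(rec["sport"], rec["dst"], rec["dport"])] += 1
    endpoints = {(dst, dport) for _, dst, dport in conns}
    return {"lines": sum(conns.values()), "connections": len(conns),
            "retries": sum(n - 1 for n in conns.values()),
            "endpoints": len(endpoints),
            "dest_ports": sorted({p for _, p in endpoints}), "skipped": skipped}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against the full excerpt, the same summary separates how many distinct external endpoints the host tried to reach from how many lines are the firewall logging repeated attempts on a connection it already dropped.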
Current thread:
- Anyone seen this? Gary R. Porter (Aug 27)
- Re: Anyone seen this? Bryan D. Payne (Aug 27)