Security Incidents mailing list archives
Unidentified Trojan?
From: rginski () CO PINELLAS FL US (Richard Ginski)
Date: Fri, 19 May 2000 11:35:07 -0400
First of all, I would like to thank all who have responded/assisted regarding this problem. It's nice to know I am not alone in "the struggle".

Port 524 is NCP, which is used in Netware (IP implementations). I am trying to keep this in mind while also considering that numerous other ports have been attempted in connecting to 216.65.124.73, including ping and CIFS. These connection attempts do not happen all of the time (happened this week, then about 5 weeks ago). But when they do happen, it seems to be stimulated by a user powering up their machine and logging in. Also, I'm keeping in mind that we recently had a DNS cache poisoning incident which redirected us to... you guessed it: 216.65.124.73 (porn site).

We received many suggestions and will be pursuing many of them:

1) Contact the owner/ISP of the address space involved.
2) Run a personal firewall, such as Zone Alarm, on the machines (with suspected trojan) to identify processes which are trying to connect to the address 216.65.124.73.
3) Run MD5 checks on the affected machines (with suspected trojan).
4) Check the BIND versions of our internal DNS servers.
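Added example, not part of the original post: detection logic for the symptom described above (several ports tried against 216.65.124.73 shortly after a user logs on). It runs over constructed log lines in an assumed "timestamp KIND key=value" format (not any real firewall or logon-audit syntax) and reports, per internal host, which ports or protocols were tried and whether a logon from that host preceded the attempt within an assumed window.

```python
import re
from datetime import datetime, timedelta

SUSPECT_IP = "216.65.124.73"          # destination named in the post
LOGON_WINDOW = timedelta(minutes=10)  # assumed: a logon this close before an attempt counts as "triggering" it

# Constructed sample records in an assumed "timestamp KIND key=value ..." format.
SAMPLE_LOG = """\
2000-05-18 08:02:11 LOGON src=10.0.0.17 user=jdoe
2000-05-18 08:03:40 CONN src=10.0.0.17 dst=216.65.124.73 dport=524 action=DENY
2000-05-18 08:03:41 CONN src=10.0.0.17 dst=216.65.124.73 dport=445 action=DENY
2000-05-18 08:03:42 CONN src=10.0.0.17 dst=216.65.124.73 proto=icmp action=DENY
2000-05-18 09:15:00 CONN src=10.0.0.31 dst=10.0.0.5 dport=80 action=ALLOW
2000-05-18 13:40:00 CONN src=10.0.0.22 dst=216.65.124.73 dport=524 action=DENY
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (.*)$")

def parse_line(line):
    """Return (timestamp, kind, fields) or None for lines that do not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    return ts, m.group(2), fields

def correlate(log, suspect_ip=SUSPECT_IP, window=LOGON_WINDOW):
    """Group attempts to reach suspect_ip by source host; note whether a logon
    from that host occurred within `window` before the attempt."""
    last_logon = {}  # src -> timestamp of most recent logon seen so far
    hosts = {}       # src -> {"first": ts, "targets": [...], "after_logon": bool}
    for raw in log.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, kind, f = rec
        if kind == "LOGON":
            last_logon[f["src"]] = ts
        elif kind == "CONN" and f.get("dst") == suspect_ip:
            target = f.get("dport") or f.get("proto", "?")   # port, or protocol when portless (e.g. ping)
            rep = hosts.setdefault(f["src"], {"first": ts, "targets": [], "after_logon": False})
            rep["targets"].append(target)
            logon = last_logon.get(f["src"])
            if logon is not None and timedelta(0) <= ts - logon <= window:
                rep["after_logon"] = True
    return hosts

if __name__ == "__main__":
    for src, rep in correlate(SAMPLE_LOG).items():
        print(src, rep["first"], rep["targets"], "logon-triggered" if rep["after_logon"] else "")
```

Hosts reported with after_logon set are the ones worth putting a personal firewall or MD5 baseline check on first, since their pattern matches the logon-stimulated behaviour described.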