Before trying to figure out if your system is infected and looking for trojans 
and worms, look closer at the data.  Two of the systems connected to are POP3 
mail servers.  Probably one for your ISP and one for your school/work place.

The rest are web servers and most are associated with Microsoft, some for web 
browsing and others for downloads (Microsoft Updates).  Were you browsing late 
at night?  Did you have a mail client running that was configured to 
periodically check your POP servers?

PORT 110 -- POP3 Mail Servers
-----------------------------
24.71.223.43    mail.nb.shawcable.net
142.58.120.21   rm-rstar.sfu.ca (Simon Fraser University - in Canada)

PORT 80 -- HTTP Web Servers
---------------------------
207.46.196.102  ??? (microsoft.com)
207.46.197.113  www.international.microsoft.com
207.46.235.150  msdownload.microsoft.com
207.46.235.162  msdownload.microsoft.com
207.68.184.62   c.msn.com
209.11.107.14   Digital Guardian (security company in NJ)

Have you defined HOME_NET in snort.conf to your IP address so that snort knows 
what traffic is from your machine/net versus to your machine/net?

Dave Goldsmith



On Tue, 17 Sep 2002 00:36:13 -0700
Adrian Gheorghe <[EMAIL PROTECTED]> wrote:

> I have tracked a weird activity on my external interface lately (few days)
> I used "snort", and the portscan.log file shows the following activity:
> 
> #tail portscan.log
> 
> Sep 17 00:21:41 <my ip>:1489 -> 207.46.197.113:80 SYN ******S*
> Sep 17 00:21:42 <my ip>:1501 -> 207.46.197.113:80 SYN ******S*
> Sep 17 00:21:58 <my ip>:1502 -> 207.46.196.102:80 SYN ******S*
> Sep 17 00:21:58 <my ip>:1503 -> 207.46.196.102:80 SYN ******S*
> Sep 17 00:21:58 <my ip>:1504 -> 207.68.184.62:80 SYN ******S*
> Sep 17 00:22:22 <my ip>:1505 -> 207.46.235.162:80 SYN ******S*
> Sep 17 00:24:21 <my ip>:1507 -> 24.71.223.43:110 SYN ******S*
> Sep 17 00:24:24 <my ip>:1511 -> 142.58.120.21:110 SYN ******S*
> Sep 17 00:25:49 <my ip>:1514 -> 207.46.235.150:80 SYN ******S*
> Sep 17 00:25:55 <my ip>:1516 -> 209.11.107.14:80 SYN ******S*
> 
> I checked what processes are running on my machine, and there is nothing
> that I think might be suspicious.
> (I run bind9 on my internal interface, which has been configured to have no
> access to the outside world)
