Warner,

Just out of interest... is this a Win2K environment?

And I suppose among the 13 servers mentioned are

198.41.0.4, 128.9.0.107, 192.33.4.1, 128.8.10.90...

If you answered 'yes' twice, it seems to be a W2K misconfiguration issue.
If you are interested in solving it, email me directly (as this is too
off-topic for the fw-list) and please provide some info about your
environment.

HTH,

Enno

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, April 19, 2001 8:04 PM
Subject: Is this a known Trojan?


> I've got an unknown process/program running from a workstation on my
> network.  The symptom is that it continuously sends requests to the nearest
> internal DNS server that causes the DNS server to issue ICMP Packets on
> Port 53 destined for Port 53 of 13 servers (always the same 13, randomly
> requested) that turn out to be defense installations, research sites and
> major educational institutions.  My firewall blocks the outbound requests,
> but because of the continuous nature of the requests, my logs are getting
> filled rapidly.  Another quirk is that whatever it is starts at the same
> time each hour (xx:45) and runs for about 35 minutes, then stops until the
> next xx:45.  We're hunting it down now, but have seen this pop up in
> different locations from time to time.  It also appears to run very well
> unattended, as it runs around the clock.  Trying to get some of my users to
> keep their anti-virus up to date is like trying to get blood from the
> proverbial turnip!  Any assistance would be greatly appreciated.
>
> Warner Watkins
> Information Security Specialist
> Coca-Cola Bottling Co. Consolidated
> Charlotte NC
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
