Is anyone else seeing the same type of traffic listed below?

The traffic implies one of the following:

1. Trojan/virus/worm
2. Hacked access using an internal system as waypoint
3. Internal hacker (employee or guest)
4. Portal vulnerability - netmeeting, IM...

If I did not know better, I would say this was Nimda traffic.

Strangely enough, the traffic has not returned. I have personally
scanned all systems, verified every system is current and checked the
logs - NOTHING.

I am fairly tightly locked down and have a three-tiered AV solution. All
scans come up 100% clean; neither real-time, manual, nor online scans
show any infection(s) that would explain this. My anti-spyware software
finds nothing either.

With all internal systems checked and rechecked, the only other
possibility would be vulnerability at the firewall.

I had some RDP tunnels open, but have since closed them (no change).

Is anyone aware of ANY means of producing this traffic I may have
overlooked???

Thanks,

Danny



      ALARM NO: 2
          DATE: Thu 2004-01-22 18:55:22 GMT
     INTERFACE: Protected (xl0)
INTERFACE TYPE: Protected
    ALARM TYPE: Possible spoof
     IP PACKET: TCP  [101.138.48.144/1707]-->[64.35.110.11/80]  l=0 f=0x2
                    [101.138.48.144/1707]-->[64.35.110.11/http]

DETAILED DESCRIPTION:
      Return interface for IP packet is different than arrival.

-----------------------------------------------------------------------------

      ALARM NO: 3
          DATE: Thu 2004-01-22 18:55:22 GMT
     INTERFACE: Protected (xl0)
INTERFACE TYPE: Protected
    ALARM TYPE: Possible spoof
     IP PACKET: TCP  [1.210.252.124/1295]-->[62.140.213.144/80]  l=0 f=0x2
                    [1.210.252.124/1295]-->[web2.vnunet.com/http]

DETAILED DESCRIPTION:
      Return interface for IP packet is different than arrival.

-----------------------------------------------------------------------------

      ALARM NO: 4
          DATE: Thu 2004-01-22 18:55:22 GMT
     INTERFACE: Protected (xl0)
INTERFACE TYPE: Protected
    ALARM TYPE: Possible spoof
     IP PACKET: TCP  [211.226.166.239/1033]-->[62.140.213.141/80]  l=0 f=0x2
                    [211.226.166.239/1033]-->[web1.vnunet.com/http]

DETAILED DESCRIPTION:
      Return interface for IP packet is different than arrival.

-----------------------------------------------------------------------------

      ALARM NO: 5
          DATE: Thu 2004-01-22 18:55:22 GMT
     INTERFACE: Protected (xl0)
INTERFACE TYPE: Protected
    ALARM TYPE: Possible spoof
     IP PACKET: TCP  [211.226.166.239/1033]-->[62.140.213.144/80]  l=0 f=0x2
                    [211.226.166.239/1033]-->[web2.vnunet.com/http]

DETAILED DESCRIPTION:
      Return interface for IP packet is different than arrival.

-----------------------------------------------------------------------------
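The check behind the "Return interface for IP packet is different than arrival" alarms above is a reverse-path lookup: the firewall asks which interface a reply to the packet's source address would leave through, and flags the packet if that is not the interface it arrived on. The following is an added example (not GnatBox code) that parses the IP PACKET lines quoted above and applies that lookup; the interface-to-prefix routing table and the one legitimate LAN packet are constructed assumptions.

```python
"""Reverse-path (anti-spoof) check over firewall alarm lines.

Added example, not GnatBox code. The routing table below is an assumption:
the protected LAN behind xl0 is taken to be RFC 1918 space and everything
else is assumed to route out through an external interface named xl1.
"""
import ipaddress
import re

# Assumed topology (constructed): interface -> prefixes reachable through it.
ROUTES = {
    "xl0": [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")],
    "xl1": [ipaddress.ip_network("0.0.0.0/0")],
}

# IP PACKET lines: the first two are from the alarms above, the third is a
# constructed example of a normal LAN host so the check has a negative case.
ALARM_LINES = [
    "TCP  [101.138.48.144/1707]-->[64.35.110.11/80]  l=0 f=0x2",
    "TCP  [1.210.252.124/1295]-->[62.140.213.144/80]  l=0 f=0x2",
    "TCP  [192.168.1.20/1033]-->[62.140.213.141/80]  l=0 f=0x2",
]

PACKET_RE = re.compile(
    r"\[(?P<src>[\d.]+)/(?P<sport>\d+)\]-->\[(?P<dst>[\d.]+)/(?P<dport>\d+)\]"
    r"\s+l=\d+\s+f=0x(?P<flags>[0-9a-fA-F]+)"
)


def return_interface(ip):
    """Longest-prefix match: the interface a reply to `ip` would leave through."""
    addr = ipaddress.ip_address(str(ip))
    best = None  # (interface, prefix length)
    for iface, nets in ROUTES.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (iface, net.prefixlen)
    return best[0] if best else None


def check_packet(line, arrival_iface):
    """Parse one IP PACKET line and decide whether it fails the reverse-path test."""
    m = PACKET_RE.search(line)
    if not m:
        raise ValueError("unrecognised IP PACKET line: %r" % line)
    ret = return_interface(m["src"])
    return {
        "src": m["src"],
        "dst": m["dst"],
        "return_iface": ret,
        "spoof": ret != arrival_iface,      # what the firewall alarms on
        "syn_only": int(m["flags"], 16) == 0x02,  # f=0x2: bare SYN, a new connection
    }


def spoofed_sources(lines, arrival_iface="xl0"):
    """Return the source addresses that would raise a 'Possible spoof' alarm."""
    return [r["src"] for r in (check_packet(l, arrival_iface) for l in lines) if r["spoof"]]
```

Every source in `spoofed_sources(ALARM_LINES)` is an address that should never appear as a sender on the protected side; a host on that segment emitting them (or a NAT/bridge forwarding them) is where to look.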

------------------------------------------------------
Archive:  http://archives.gnatbox.com/gb-users/
