  • worm?


    One of our support technician's machines is attempting to connect to
    random IP addresses on port 25 - in a pretty needy fashion. He says
    he's scanned the box with the latest updates from McAfee and it
    hasn't found anything.
    We discovered it because one of my basic (meaning I got it off the
    'Net) rules for SEC flagged it as a possible PHEL trojan.
    Any thoughts?
    firewall-wizards mailing list
    firewall-wizards (AT) listserv (DOT) icsalabs.com
  • No.1

    You could use FakeDNS and MailPot to maybe capture what happens after
    the connection is created. Here is the link to the tools. I haven't
    used them, but I know they can be used for things like this.

    On 2/1/07, Paul D. Robertson <paul (AT) compuwar (DOT) net> wrote:
    > On Thu, 1 Feb 2007, Brian Loe wrote:
    >
    > > One of our support technician's machines is attempting to connect to
    > > random IP addresses on port 25 - in a pretty needy fashion. He says
    > > he's scanned the box with the latest updates from McAfee and it
    > > hasn't found anything.
    > >
    > > We discovered it because one of my basic (meaning I got it off the
    > > 'Net) rules for SEC flagged it as a possible PHEL trojan.
    > >
    > > Any thoughts?
    >
    > See what process keeps opening sockets?
    >
    > Paul
    >
    > Paul D. Robertson
    > paul (AT) compuwar (DOT) net
    > "My statements in this message are personal opinions which may have no
    > basis whatsoever in fact."
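    Paul's suggestion in the quoted message above, find the process that keeps
    opening the sockets, is the first thing to do on the box itself. What follows
    is an added example, not code from the thread or from anyone on it: it parses
    a constructed `netstat -ano` snapshot (Windows prints the owning PID with
    `-o`; `-b` adds the executable name where it is available) and reports which
    PIDs are talking to many distinct hosts on tcp/25. The addresses, PIDs, the
    "relay" 10.1.2.20 and the three-peer threshold are all invented for the example.

```python
"""Attribute outbound SMTP connections to processes from `netstat -ano` output.

Added example (not from the thread): the sample below is constructed to look
like Windows `netstat -ano` output, and the peer-count threshold is a guess.
"""
import re
from collections import defaultdict

# Constructed `netstat -ano` snapshot. A sweeping bot churns through short-lived
# connections, so on a real box take several snapshots a few seconds apart.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    10.1.2.57:1045         10.1.2.10:445          ESTABLISHED     4
  TCP    10.1.2.57:1311         10.1.2.20:25           ESTABLISHED     1228
  TCP    10.1.2.57:1502         203.0.113.17:25        SYN_SENT        2076
  TCP    10.1.2.57:1503         198.51.100.9:25        SYN_SENT        2076
  TCP    10.1.2.57:1504         192.0.2.200:25         SYN_SENT        2076
  TCP    10.1.2.57:1505         192.0.2.77:25          ESTABLISHED     2076
  TCP    10.1.2.57:1506         198.51.100.44:25       SYN_SENT        2076
  TCP    10.1.2.57:1510         192.0.2.5:80           ESTABLISHED     3316
  UDP    0.0.0.0:500            *:*                                    880
"""

# TCP rows only: proto, local ip:port, foreign ip:port, state, pid.
# UDP rows have no state column and are not relevant to an SMTP sweep.
TCP_ROW = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+([A-Z_]+)\s+(\d+)\s*$"
)


def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state, pid) per TCP row."""
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if m:
            yield (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)),
                   m.group(5), int(m.group(6)))


def connections_to_port(text, port=25):
    """Map PID -> set of remote IPs that PID has TCP connections to on `port`."""
    by_pid = defaultdict(set)
    for _lip, _lport, rip, rport, state, pid in parse_netstat(text):
        if rport == port and state != "LISTENING":
            by_pid[pid].add(rip)
    return dict(by_pid)


def suspicious_pids(text, port=25, min_distinct_peers=3, allowed_peers=()):
    """PIDs talking to at least `min_distinct_peers` unexpected hosts on `port`.

    A mail client talks to the one or two servers it is configured for; a spam
    bot or SMTP scanner fans out to many unrelated addresses. `allowed_peers`
    is for the site's real relay. Both the threshold and the relay address are
    assumptions of this example; tune them for the environment.
    """
    allowed = set(allowed_peers)
    flagged = {}
    for pid, peers in connections_to_port(text, port).items():
        unexpected = peers - allowed
        if len(unexpected) >= min_distinct_peers:
            flagged[pid] = sorted(unexpected)
    return flagged


if __name__ == "__main__":
    # 10.1.2.20 stands in for the site's legitimate mail relay (constructed).
    hits = suspicious_pids(SAMPLE_NETSTAT, allowed_peers={"10.1.2.20"})
    for pid, peers in hits.items():
        print(f"PID {pid}: {len(peers)} distinct SMTP peers -> {', '.join(peers)}")
    # Next step on the box: `tasklist /FI "PID eq <pid>"` to name the image, then
    # copy the binary off before killing it; it is the only sample you have.
```

    The state filter matters: SYN_SENT rows are half-open connections to hosts that
    never answered, which is exactly what a sweep against random addresses looks
    like, while a real mail client shows one ESTABLISHED session to a known relay.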
  • No.2

    Phel downloads and executes Coreflood, which doesn't sound like your problem.

    On 2/1/07, Paul D. Robertson <paul (AT) compuwar (DOT) net> wrote:
    > On Thu, 1 Feb 2007, Brian Loe wrote:
    >
    > > One of our support technician's machines is attempting to connect to
    > > random IP addresses on port 25 - in a pretty needy fashion. He says
    > > he's scanned the box with the latest updates from McAfee and it
    > > hasn't found anything.
    > >
    > > We discovered it because one of my basic (meaning I got it off the
    > > 'Net) rules for SEC flagged it as a possible PHEL trojan.
    > >
    > > Any thoughts?
    >
    > See what process keeps opening sockets?
    >
    > Paul
    >
    > Paul D. Robertson
    > paul (AT) compuwar (DOT) net
    > "My statements in this message are personal opinions which may have no
    > basis whatsoever in fact."
  • No.4

    > One of our support technician's machines is attempting to connect to
    > random IP addresses on port 25 - in a pretty needy fashion. He says
    > he's scanned the box with the latest updates from McAfee and it hasn't
    > found anything.
    >
    > We discovered it because one of my basic (meaning I got it off the
    > 'Net) rules for SEC flagged it as a possible PHEL trojan.
    >
    > Any thoughts?

    I think your technician needs to try booting from trusted media and using
    more than one type of scanner. The only time we've ever had outbound SMTP
    sweeps from a Windows workstation, it was botted.

    PaulM

  • No.5

    On 2/1/07, Paul Melson <pmelson (AT) gmail (DOT) com> wrote:

    > I think your technician needs to try booting from trusted media and using
    > more than one type of scanner. The only time we've ever had outbound SMTP
    > sweeps from a Windows workstation, it was botted.
    >
    > PaulM

    This will serve as a response to everyone who responded - some
    excellent suggestions that I will certainly have him follow up on, as
    best as my position allows. :)

    Fortunately we have managed to configure enough security that we
    disallow outgoing connections to port 25.

    Thanks!

  • No.6

    On Thu, 1 Feb 2007 18:17:54 -0500 (EST)
    "Paul D. Robertson" <paul (AT) compuwar (DOT) net> wrote:

    > On Thu, 1 Feb 2007, Brian Loe wrote:
    >
    > > Fortunately we have managed to configure enough security that we
    > > disallow outgoing connections to port 25.

    Hopefully tcp/6667 as well.

    Use something like NetFlow to find out what other connections are
    coming from/going to that machine.

    Steven M. Bellovin, http://www.cs.columbia.edu/~smb

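    Steve's two points above, watch for tcp/6667 as well and use NetFlow to see
    everything else the machine talks to, as an added example that is not part
    of the original thread. The flow records are constructed, in a simplified
    CSV shape (timestamp, addresses, protocol, ports, packets, bytes); that
    column set is an assumption of the example, real exporters and tools such as
    nfdump lay the fields out differently. The code summarizes one host's
    outbound flows by destination port, flags a port-25 sweep when a single
    source hits many distinct destinations with mostly one-to-three-packet flows
    (unanswered SYNs rather than mail delivery), and reports any flow at all to
    tcp/6667, the default IRC port. Addresses and thresholds are made up.

```python
"""Summarize NetFlow-style records for one host to spot SMTP sweeps and IRC C2.

Added example (not from the thread): the flow records below are constructed in
a simple CSV shape, ts,src,dst,proto,sport,dport,packets,bytes. That field set
is an assumption; real NetFlow exports and collectors differ in layout.
"""
import csv
import io
from collections import defaultdict

# Constructed flows as seen at the edge router; 10.1.2.57 is the suspect box,
# 10.1.2.99 is an unrelated host that sends one legitimate message via a relay.
SAMPLE_FLOWS = """\
ts,src,dst,proto,sport,dport,packets,bytes
2007-02-01T14:02:11,10.1.2.57,10.1.2.10,6,1045,445,40,6120
2007-02-01T14:02:15,10.1.2.57,203.0.113.17,6,1502,25,3,180
2007-02-01T14:02:15,10.1.2.57,198.51.100.9,6,1503,25,3,180
2007-02-01T14:02:16,10.1.2.57,192.0.2.200,6,1504,25,1,60
2007-02-01T14:02:16,10.1.2.57,192.0.2.77,6,1505,25,12,1490
2007-02-01T14:02:17,10.1.2.57,198.51.100.44,6,1506,25,1,60
2007-02-01T14:02:18,10.1.2.57,192.0.2.5,6,1510,80,22,9800
2007-02-01T14:02:40,10.1.2.57,198.51.100.200,6,1520,6667,310,41220
2007-02-01T14:02:41,10.1.2.57,10.1.2.1,17,1033,53,1,74
2007-02-01T14:03:00,10.1.2.99,10.1.2.20,6,2200,25,15,2010
"""


def load_flows(text):
    """Parse the CSV into a list of dicts with numeric fields converted."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": r["ts"], "src": r["src"], "dst": r["dst"],
            "proto": int(r["proto"]), "sport": int(r["sport"]),
            "dport": int(r["dport"]), "packets": int(r["packets"]),
            "bytes": int(r["bytes"]),
        })
    return rows


def outbound_by_port(flows, host):
    """For `host` as source: dport -> {dst: (flow_count, packet_count)}."""
    table = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for f in flows:
        if f["src"] == host:
            cell = table[f["dport"]][f["dst"]]
            cell[0] += 1
            cell[1] += f["packets"]
    return {p: {d: tuple(v) for d, v in dsts.items()} for p, dsts in table.items()}


def findings(flows, host, sweep_ports=(25,), watch_ports=(6667,), min_targets=3):
    """Return (kind, port, detail) findings for `host`.

    'sweep': at least `min_targets` distinct destinations on a sweep port.
             `short_flows` counts flows of three packets or fewer, i.e. SYNs
             that were never answered; a real mail session is far longer.
    'watch': any flow to a watched port (tcp/6667 by default).
    The thresholds are assumptions of this example.
    """
    out = []
    table = outbound_by_port(flows, host)
    for port in sweep_ports:
        dsts = table.get(port, {})
        if len(dsts) >= min_targets:
            short = sum(1 for _flows, pkts in dsts.values() if pkts <= 3)
            out.append(("sweep", port, {"targets": len(dsts), "short_flows": short}))
    for port in watch_ports:
        for dst in sorted(table.get(port, {})):
            out.append(("watch", port, {"dst": dst}))
    return out


if __name__ == "__main__":
    flows = load_flows(SAMPLE_FLOWS)
    for kind, port, detail in findings(flows, "10.1.2.57"):
        print(kind, port, detail)
    # Everything else the host talked to, for the investigation notes.
    for port, dsts in sorted(outbound_by_port(flows, "10.1.2.57").items()):
        print(f"dport {port}: {len(dsts)} destination(s)")
```

    Run against the flows for the suspect host, the per-port summary is what
    tells you whether cleaning the SMTP problem is enough: the same record set
    shows the SMB session, the web fetch and the long-lived tcp/6667 flow that a
    port-25 block at the firewall does nothing about.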
  • No.7

    On 2/2/07, Steven M. Bellovin <smb (AT) cs (DOT) columbia.edu> wrote:

    > Use something like NetFlow to find out what other connections are
    > coming from/going to that machine.

    In the process of trying to get this to work now - haven't yet, but
    not giving up.

