SYN_send- Attack
Results 1 to 8 of 8

Thread: SYN_send- Attack

  1. #1
    Junior Member
    Join Date
    Aug 2001
    Posts
    10

    Red face SYN_SEND - Attack?

    hi;
    I have a mysterious problem in one of the windows 2000 server. when i use "netstat -a" i could see LOT of SYN_SEND packets

    TCP 192.168.20.101:4632 192.168.234.54:80 SYN_SENT
    TCP 192.168.20.101:4633 192.146.240.220:80 SYN_SENT
    TCP 192.168.20.101:4634 192.141.155.248:80 SYN_SENT
    TCP 192.168.20.101:4635 192.168.247.90:80 SYN_SENT
    TCP 192.168.20.101:4726 192.66.192.232:80 SYN_SENT
    TCP 192.168.20.101:4727 190.111.102.198:80 SYN_SENT
    TCP 192.168.20.101:4728 192.212.97.6:80 SYN_SENT
    TCP 192.168.20.101:4729 84.104.50.162:80 SYN_SENT
    .........

    its generated continously... to some random IP's(which is not at all in our network) and only for port 80

    but all this packets are blocked in my firewall. is this some time of attack?. Please help me. I have an IIS server and Jrun running on that server.

    Thank you

  2. #2
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830
    If I read your stuff right, these packets are being sent from your server and not being received by your server.

    If that is the case it would seem to me more like your system has some sort of Trojan or infection rather than it being attacked.

    Do you know the window size of the TCP pakcets? Maybe your server has some version of the Stumbler Trojan on it? (See this thread )

    Provide more details if I am off base and I am sure someone can shed some light on what is going on .

  3. #3
    Junior Member
    Join Date
    Jun 2003
    Posts
    26
    yup your server might be infected by a trojan or a worm like code red or the tk worm that search for another iis servers to hack

  4. #4
    Senior Member st1mpy's Avatar
    Join Date
    Jun 2003
    Posts
    111

    heh

    hehehe i would bet that he is infected with some kind of bot irc trojan that is idling somewhere on irc ... and attacker is giving remote commands to it


    plz check your winnt/system32 or thats default location but just scan yourself check registry in curent run see if its there ... or just run msconfig it would appier there i hope this info helped man
    Un Seen But Well Heard Of

  5. #5
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    I'd bet against stumbler since stumbler, from what I gather/understand/observe from my logs, of it, to a random(?) but constant ip and port combo, which seems unique to every ip. In this case all packets are sent to port 80 for every ip...

    I'd say it's more likely to be code red or a variant...

    Ammo
    Credit travels up, blame travels down -- The Boss

  6. #6
    Senior Member st1mpy's Avatar
    Join Date
    Jun 2003
    Posts
    111

    heh

    eheh ok it could be that too just dc box off the net an do lil research ...

    btw people how do you like my sig an avatar
    Un Seen But Well Heard Of

  7. #7
    Junior Member
    Join Date
    Aug 2001
    Posts
    10

    Thanx

    At last I found. it was Trojan.VirtualRoot.

    <THANK A LOT FOR YOUR HLEP>

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403

    Re: Thanx

    Originally posted here by lie_nux
    At last I found. it was Trojan.VirtualRoot.
    Ouch. This means you haven't used windows update and/or patched your server in a while as this was patched in 2001. You should also look for a file called root.exe in all your webdirectories. And double check the permissions on all your (virtual) webdirectories.

    On second thought you're better off backing up all your important data and reinstall from scratch from original media. This is because if you where vulnerable to this you were probably vulnerable to alot more. Chances are some warez/script kiddie already owns your box. After the reinstall don't forget to install *all* the latest servicepacks and hotfixes!!
    Oliver's Law:
    Experience is something you don't get until just after you need it.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides