SYN_send- Attack

[lie_nux]

hi;
I have a mysterious problem in one of the windows 2000 server. when i use "netstat -a" i could see LOT of SYN_SEND packets

TCP 192.168.20.101:4632 192.168.234.54:80 SYN_SENT
TCP 192.168.20.101:4633 192.146.240.220:80 SYN_SENT
TCP 192.168.20.101:4634 192.141.155.248:80 SYN_SENT
TCP 192.168.20.101:4635 192.168.247.90:80 SYN_SENT
TCP 192.168.20.101:4726 192.66.192.232:80 SYN_SENT
TCP 192.168.20.101:4727 190.111.102.198:80 SYN_SENT
TCP 192.168.20.101:4728 192.212.97.6:80 SYN_SENT
TCP 192.168.20.101:4729 84.104.50.162:80 SYN_SENT
.........

its generated continously... to some random IP's(which is not at all in our network) and only for port 80

but all this packets are blocked in my firewall. is this some time of attack?. Please help me. I have an IIS server and Jrun running on that server.

Thank you

[tonybradley]

If I read your stuff right, these packets are being sent from your server and not being received by your server.

If that is the case it would seem to me more like your system has some sort of Trojan or infection rather than it being attacked.

Do you know the window size of the TCP pakcets? Maybe your server has some version of the Stumbler Trojan on it? (See this thread )

Provide more details if I am off base and I am sure someone can shed some light on what is going on .

[CraZy_AhmaD]

yup your server might be infected by a trojan or a worm like code red or the tk worm that search for another iis servers to hack

[st1mpy]

hehehe i would bet that he is infected with some kind of bot irc trojan that is idling somewhere on irc ... and attacker is giving remote commands to it


plz check your winnt/system32 or thats default location but just scan yourself check registry in curent run see if its there ... or just run msconfig it would appier there i hope this info helped man

[ammo]

I'd bet against stumbler since stumbler, from what I gather/understand/observe from my logs, of it, to a random(?) but constant ip and port combo, which seems unique to every ip. In this case all packets are sent to port 80 for every ip...

I'd say it's more likely to be code red or a variant...

Ammo

[st1mpy]

eheh ok it could be that too just dc box off the net an do lil research ...

btw people how do you like my sig an avatar

[lie_nux]

At last I found. it was Trojan.VirtualRoot.

<THANK A LOT FOR YOUR HLEP>

[SirDice]

Originally posted here by lie_nux
At last I found. it was Trojan.VirtualRoot.

Ouch. This means you haven't used windows update and/or patched your server in a while as this was patched in 2001. You should also look for a file called root.exe in all your webdirectories. And double check the permissions on all your (virtual) webdirectories.

On second thought you're better off backing up all your important data and reinstall from scratch from original media. This is because if you where vulnerable to this you were probably vulnerable to alot more. Chances are some warez/script kiddie already owns your box. After the reinstall don't forget to install *all* the latest servicepacks and hotfixes!!