-
July 5th, 2003, 11:38 AM
#1
Junior Member
SYN_SEND - Attack?
hi;
I have a mysterious problem on one of the Windows 2000 servers. When I use "netstat -a" I can see a LOT of SYN_SENT packets:
TCP 192.168.20.101:4632 192.168.234.54:80 SYN_SENT
TCP 192.168.20.101:4633 192.146.240.220:80 SYN_SENT
TCP 192.168.20.101:4634 192.141.155.248:80 SYN_SENT
TCP 192.168.20.101:4635 192.168.247.90:80 SYN_SENT
TCP 192.168.20.101:4726 192.66.192.232:80 SYN_SENT
TCP 192.168.20.101:4727 190.111.102.198:80 SYN_SENT
TCP 192.168.20.101:4728 192.212.97.6:80 SYN_SENT
TCP 192.168.20.101:4729 84.104.50.162:80 SYN_SENT
.........
It's generated continuously... to some random IPs (which are not at all in our network) and only for port 80,
but all these packets are blocked by my firewall. Is this some type of attack? Please help me. I have an IIS server and JRun running on that server.
Thank you
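The pattern in the netstat output above (one local address, one destination port, many distinct remote hosts stuck in SYN_SENT) is what distinguishes a host that is scanning outward from one being attacked. The following is an added example, not code from the thread: a small Python script that parses Windows `netstat -a` lines and flags any (source, destination port) pair with many half-open connections to distinct hosts. The internal network prefix (192.168.20.0/24) and the two ESTABLISHED rows are assumptions constructed for the example; the SYN_SENT rows are the ones quoted in the post.

```python
"""Flag outbound half-open connection bursts in Windows `netstat -a` output.

Added example, not code from the original thread. It reads netstat rows of the
form "TCP <local-ip>:<port> <remote-ip>:<port> <state>" and reports a local
address that has many SYN_SENT connections to *distinct* remote hosts on the
same destination port: one source, one target port, many targets, none of them
answering. That is the signature of a host scanning outward (worm or bot
behaviour), not of a host under attack.
"""
import ipaddress
from collections import defaultdict

# Address ranges treated as "inside our network" (assumption for the example).
INTERNAL_NETS = [ipaddress.ip_network("192.168.20.0/24")]

# Sample rows: the SYN_SENT lines quoted in post #1 plus two constructed
# ESTABLISHED rows so the benign case is exercised as well.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    192.168.20.101:80      192.168.20.7:1044      ESTABLISHED
  TCP    192.168.20.101:4632    192.168.234.54:80      SYN_SENT
  TCP    192.168.20.101:4633    192.146.240.220:80     SYN_SENT
  TCP    192.168.20.101:4634    192.141.155.248:80     SYN_SENT
  TCP    192.168.20.101:4635    192.168.247.90:80      SYN_SENT
  TCP    192.168.20.101:4726    192.66.192.232:80      SYN_SENT
  TCP    192.168.20.101:4727    190.111.102.198:80     SYN_SENT
  TCP    192.168.20.101:4728    192.212.97.6:80        SYN_SENT
  TCP    192.168.20.101:4729    84.104.50.162:80       SYN_SENT
  TCP    192.168.20.101:4730    192.168.20.9:445       ESTABLISHED
"""


def parse_netstat(text):
    """Return a list of (local_ip, local_port, remote_ip, remote_port, state).

    Only TCP rows with exactly four columns are kept; the header line and
    UDP rows (which have no state column) are skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue
        lip, lport = parts[1].rsplit(":", 1)
        rip, rport = parts[2].rsplit(":", 1)
        rows.append((lip, int(lport), rip, int(rport), parts[3]))
    return rows


def is_internal(ip):
    """True when the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_outbound_scans(rows, min_targets=5):
    """Map (local_ip, remote_port) -> {"targets": n, "external": m} for every
    source/destination-port pair with at least `min_targets` distinct remote
    hosts in SYN_SENT; `external` counts targets outside our own network."""
    targets = defaultdict(set)
    for lip, _lport, rip, rport, state in rows:
        if state == "SYN_SENT":
            targets[(lip, rport)].add(rip)
    report = {}
    for key, hosts in targets.items():
        if len(hosts) >= min_targets:
            report[key] = {
                "targets": len(hosts),
                "external": sum(1 for h in hosts if not is_internal(h)),
            }
    return report


if __name__ == "__main__":
    scans = find_outbound_scans(parse_netstat(SAMPLE_NETSTAT))
    for (src, port), info in scans.items():
        print(f"{src} -> port {port}: {info['targets']} distinct hosts, "
              f"{info['external']} outside our network "
              f"(host is scanning outward; check it for malware)")
```

Run it against a saved `netstat -a` capture by replacing `SAMPLE_NETSTAT` with the file contents; a single source hitting the same port on many unanswered external hosts is the case the thread's later replies attribute to a worm or bot on the machine itself.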
-
July 5th, 2003, 01:41 PM
#2
If I read your stuff right, these packets are being sent from your server and not being received by your server.
If that is the case it would seem to me more like your system has some sort of Trojan or infection rather than it being attacked.
Do you know the window size of the TCP packets? Maybe your server has some version of the Stumbler Trojan on it? (See this thread)
Provide more details if I am off base and I am sure someone can shed some light on what is going on.
-
July 5th, 2003, 06:32 PM
#3
Junior Member
Yup, your server might be infected by a trojan or a worm like Code Red or the TK worm that searches for other IIS servers to hack.
-
July 5th, 2003, 07:27 PM
#4
heh
hehehe, I would bet that he is infected with some kind of IRC bot trojan that is idling somewhere on IRC... and the attacker is giving remote commands to it.
Plz check your winnt/system32 (that's the default location), but just scan yourself; check the registry in the current Run key to see if it's there... or just run msconfig, it would appear there. I hope this info helped, man.
Un Seen But Well Heard Of
-
July 5th, 2003, 07:32 PM
#5
I'd bet against Stumbler since Stumbler, from what I gather/understand/observe from my logs of it, sends to a random(?) but constant IP and port combo, which seems unique to every IP. In this case all packets are sent to port 80 for every IP...
I'd say it's more likely to be Code Red or a variant...
Ammo
Credit travels up, blame travels down -- The Boss
-
July 5th, 2003, 07:47 PM
#6
heh
eheh, OK, it could be that too. Just DC the box off the net and do a lil research...
BTW people, how do you like my sig and avatar?
Un Seen But Well Heard Of
-
July 10th, 2003, 05:53 AM
#7
Junior Member
Thanx
At last I found it. It was Trojan.VirtualRoot.
<THANKS A LOT FOR YOUR HELP>
-
July 10th, 2003, 12:01 PM
#8
Re: Thanx
Originally posted here by lie_nux
At last I found it. It was Trojan.VirtualRoot.
Ouch. This means you haven't used Windows Update and/or patched your server in a while, as this was patched in 2001. You should also look for a file called root.exe in all your web directories. And double check the permissions on all your (virtual) web directories.
On second thought, you're better off backing up all your important data and reinstalling from scratch from original media. This is because if you were vulnerable to this you were probably vulnerable to a lot more. Chances are some warez/script kiddie already owns your box. After the reinstall don't forget to install *all* the latest service packs and hotfixes!!
Oliver's Law:
Experience is something you don't get until just after you need it.