Strange network activity
Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Strange network activity

  1. #1
    Junior Member
    Join Date
    Jan 2004

    Strange network activity


    Yesterday we noticed some strange traffic from some internal machines
    trying to contact Japan IP addresses on the port 54875 like 300 times a
    second. We left the office without worrying too much and we came back this
    morning to see that there was external Japan IP addresses which was
    querying internal machines for the RPC vulnerability.

    This kind of activity has now spread in various sites (worldwide) of our

    Here is a log sample from one of our router:


    This IP address resolves to

    Now, trying to connect to this ip address on the port 80 you get to the
    Department of Earth and Planetary Systems Science Graduate School of
    at Hiroshima University webpage ... trying to connect to on
    the port 6667 it gets to an IRC server: But the MOTD is
    stating this:
    *** Welcome to the ROXnet IRC Network
    Also, *** There are 41 users and 864 invisible on 1 servers.
    I did a /list and I get only two channels. On #R0S3s there are a couple of
    bots that doesn't look like something legitimate.

    That is kinda strange, isn't? Anyways, do any of you have an idea of what
    is going on? Which virus is it?



  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002

    That is an irc server.

    If its connecting to a IRC server, my first guess would be virus/trojan.
    There are 41 users and 864 invisible on 1 servers.
    Setting up zombies to launch further attacks? or, for a DDoS?

    Any chance you can show some captured traffic from one of those hosts?

    Any chance you can show us info on processes, ports, connections, etc. from one of the hosts connecting?
    Are the connections sucessful? Or, have you blocked them?

    That is kinda strange, isn't? Anyways, do any of you have an idea of what
    is going on? Which virus is it?
    Need a bit more info about the hosts. Have you scanned a host?

    Do you have updated AV on the host(s)?

    04/16/04 11:28:32 IP block
    Trying at ARIN
    Trying 133.41.133 at ARIN

    OrgName: Japan Network Information Center
    OrgID: JNIC
    Address: Kokusai-kougyou-Kanda Bldg 6F
    Address: 2-3-4 Uchikanda
    City: Chiyoda-ku
    StateProv: Tokyo
    PostalCode: 101-0047
    Country: JP

    NetRange: -
    NetName: JAPAN-INET
    NetHandle: NET-133-0-0-0-1
    NetType: Direct Allocation
    NameServer: A.DNS.JP
    NameServer: B.DNS.JP
    NameServer: C.DNS.JP
    NameServer: D.DNS.JP
    NameServer: E.DNS.JP
    NameServer: F.DNS.JP
    Comment: Japan Network Information Center(JPNIC) is an
    Comment: National internet registry of Japan. Please search
    Comment: for more information about this range.
    Comment: % whois -h ***.***.***.***/e
    Updated: 2003-08-05

    TechHandle: JN-ORG-ARIN
    TechName: Japan Network Information Center
    TechPhone: +81-3-5297-2311

    OrgTechHandle: JN-ORG-ARIN
    OrgTechName: Japan Network Information Center
    OrgTechPhone: +81-3-5297-2311

    # ARIN WHOIS database, last updated 2004-04-15 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.
    You may want to contact the hostmaster or webmaster
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  3. #3
    AO Part Timer
    Join Date
    Feb 2003
    You may want to contact the hostmaster or webmaster

    Your heart was talking, not your mind.
    -Tiger Shark

  4. #4
    Join Date
    Dec 2003
    do you have a firewall...anti virus..and/or anti trojan program?it looks like some university student tried to hack into your computers through some kind of trojan..however could be a virus too..why don't you just scan your computer for viruses using an up to date anti virus..and later with some anti trojan?if you don't have an anti virus that is up to date then you could scan your computer online..there are many free online scans available.If you want an anti trojan then check out this website out:
    i haven't tried any of their software but i heard somewhere that its good.

  5. #5
    Join Date
    Dec 2003
    i just came across this at symantec's website:
    could this be the trojan you're infected with?

  6. #6
    Junior Member
    Join Date
    Apr 2004
    scan for trojan. update ur anti virus & firewall.
    Nothing is Impossible

  7. #7
    Join Date
    Apr 2004
    Im not sure, but if this hacker is trying to hack using a trojan, then how would it try to connect 300 times a second? I think its a little deaper then simply updating software.
    I am the uber duck!!1
    Proxy Tools

  8. #8
    Join Date
    Feb 2004
    does your company use a proxy server to access the internet. i was thinking that maybe all those scans can be from a trogen/virus to scan the enire block of your network...

    just a thought.....

  9. #9
    Senior Member
    Join Date
    Nov 2001
    im sure that server in jp is owned as well. but right now i wouldn't worry about who just get those machine offline and cleaned.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  10. #10
    Junior Member cybersamurai's Avatar
    Join Date
    Apr 2004
    At tha beach!
    if this was an attack(attempted or executed)i'd really like know how they pulled it off right under your nose(sorry to say). more info please
    see the sarcasim in my smile ????

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts