Here I explain the activity which I have noticed recently in our organization's webserver recently.

The apache webserver is running on Windows 2003 protected by Symantec AV Corporate Edition. The virus definitions updated till 20th June.

For the past several days outward packet transmission is quite high. The virus spotted were w32.toxbot making entries in the registry and detected as files dhcpclnt.exe and netddeclnt.exe in windows system folder.

Though the virus have been cleaned after tweaking the registry but outward packet transmission is still quite high. The result a user sitting in Australia complaining our ISP that a machine from his IP range trying to port scan his computer.

Really Netstat revealed that unknowingly to us a large no. of ports are opened from our machine (numbered beyond 1024) and trying to scan the internet.. yeah its true... the packets are being sent outwards randomly to IPs say xxx.xx.xxx.12 then xxx.xx.xxx.13 then xxx.xx.xxx.14 and so on Infinite times ... tying to open port EPMAP at the remote end machines. Syn-Sent to all those machines and waiting for reply.

Has the webserver become netzombie, trying to amass an army of vulnerable machines over the internet creating a storm of unwanted packets over the internet.

What may be the reason for it...'cauz no virus is detected by Symantec AV now..

Help from the experienced minds at Antionline is solicited..