Page 1 of 2 12 LastLast
Results 1 to 10 of 19

Thread: Suspicious Traffic being reported in FW logs

  1. #1
    Member
    Join Date
    Jan 2002
    Posts
    61

    Suspicious Traffic being reported in FW logs

    We have a Cisco ASA 5510 at our company. We have the logs being captured by a syslog deamon running on a server. We recently noticed some suspicious traffic that has occurred over the past month. It first happened on two seperate Sundays and then once during the week. The traffic is coming from one of our internal servers and traveling to two specific ip addresses over port 110. We scaned the server for virus and spyware and have not come up with anything as of yet. I contacted our ISP ( happens to be the same ISP as 64.156.4.191) and they said that the ip belongs to Computer Horizons Corp (http://www.computerhorizons.com/). I left a message with someone from their IT department and am awaiting a call back as we speak. I was just wondering if any of you guys have seen something like this before of knew of a way that I could investigate further?

    Help!!!

    - 192.168.8.13 is the internal interface of the FW
    - 192.168.8.12 is the internal server
    - xxx.xxx.185.142 is our outbound internet address.
    - 64.156.4.191 and 161.58.90.220 are the questionable ip addresses

    Here is a sample of the FW logs:


    2006-07-02 08:44:56 Local7.Info 192.168.8.13 Jul 02 2006 07:33:45: %ASA-6-302013: Built outbound TCP connection 8300517 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3109 (xxx.xxx.185.142/11310)
    2006-07-02 08:45:33 Local7.Info 192.168.8.13 Jul 02 2006 07:34:22: %ASA-6-302013: Built outbound TCP connection 8302470 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3112 (xxx.xxx.185.142/11342)
    2006-07-02 08:47:05 Local7.Info 192.168.8.13 Jul 02 2006 07:35:54: %ASA-6-302014: Teardown TCP connection 8300517 for outside:64.156.4.191/110 to inside:192.168.8.12/3109 duration 0:02:09 bytes 13655484 TCP FINs
    2006-07-02 08:48:56 Local7.Info 192.168.8.13 Jul 02 2006 07:37:45: %ASA-6-302014: Teardown TCP connection 8302470 for outside:64.156.4.191/110 to inside:192.168.8.12/3112 duration 0:03:22 bytes 23330812 TCP FINs
    2006-07-02 08:48:57 Local7.Info 192.168.8.13 Jul 02 2006 07:37:46: %ASA-6-302013: Built outbound TCP connection 8313035 for outside:161.58.90.220/110 (161.58.90.220/110) to inside:192.168.8.12/3126 (xxx.xxx.185.142/11489)
    2006-07-02 08:50:20 Local7.Info 192.168.8.13 Jul 02 2006 07:39:09: %ASA-6-302013: Built outbound TCP connection 8317179 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3128 (xxx.xxx.185.142/11548)
    2006-07-02 08:50:26 Local7.Info 192.168.8.13 Jul 02 2006 07:39:15: %ASA-6-302013: Built outbound TCP connection 8317457 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3130 (xxx.xxx.185.142/11551)
    2006-07-02 08:50:48 Local7.Info 192.168.8.13 Jul 02 2006 07:39:37: %ASA-6-302013: Built outbound TCP connection 8317903 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3132 (xxx.xxx.185.142/11559)
    2006-07-02 09:10:13 Local7.Info 192.168.8.13 Jul 02 2006 07:59:02: %ASA-6-302014: Teardown TCP connection 8317457 for outside:64.156.4.191/110 to inside:192.168.8.12/3130 duration 0:19:46 bytes 102856876 TCP FINs
    2006-07-02 09:11:10 Local7.Info 192.168.8.13 Jul 02 2006 07:59:59: %ASA-6-302014: Teardown TCP connection 8317903 for outside:64.156.4.191/110 to inside:192.168.8.12/3132 duration 0:20:22 bytes 102945072 TCP FINs
    2006-07-02 09:11:26 Local7.Info 192.168.8.13 Jul 02 2006 08:00:15: %ASA-6-302014: Teardown TCP connection 8317179 for outside:64.156.4.191/110 to inside:192.168.8.12/3128 duration 0:21:05 bytes 103025020 TCP FINs
    2006-07-02 09:12:48 Local7.Info 192.168.8.13 Jul 02 2006 08:01:37: %ASA-6-302014: Teardown TCP connection 8313035 for outside:161.58.90.220/110 to inside:192.168.8.12/3126 duration 0:23:51 bytes 103173072 TCP FINs
    2006-07-02 09:27:31 Local7.Info 192.168.8.13 Jul 02 2006 08:16:21: %ASA-6-302013: Built outbound TCP connection 8346510 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3166 (xxx.xxx.185.142/12229)
    2006-07-02 09:27:42 Local7.Info 192.168.8.13 Jul 02 2006 08:16:31: %ASA-6-302013: Built outbound TCP connection 8346643 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3168 (xxx.xxx.185.142/12235)
    2006-07-02 09:27:50 Local7.Info 192.168.8.13 Jul 02 2006 08:16:40: %ASA-6-302013: Built outbound TCP connection 8346743 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3170 (xxx.xxx.185.142/12241)
    2006-07-02 09:31:04 Local7.Info 192.168.8.13 Jul 02 2006 08:19:53: %ASA-6-302013: Built outbound TCP connection 8348927 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3186 (xxx.xxx.185.142/12318)
    2006-07-02 09:47:51 Local7.Info 192.168.8.13 Jul 02 2006 08:36:40: %ASA-6-302014: Teardown TCP connection 8346510 for outside:64.156.4.191/110 to inside:192.168.8.12/3166 duration 0:20:19 bytes 102825408 TCP FINs
    2006-07-02 09:48:51 Local7.Info 192.168.8.13 Jul 02 2006 08:37:41: %ASA-6-302014: Teardown TCP connection 8346643 for outside:64.156.4.191/110 to inside:192.168.8.12/3168 duration 0:21:09 bytes 102893008 TCP FINs
    2006-07-02 09:49:05 Local7.Info 192.168.8.13 Jul 02 2006 08:37:55: %ASA-6-302014: Teardown TCP connection 8346743 for outside:64.156.4.191/110 to inside:192.168.8.12/3170 duration 0:21:14 bytes 102907940 TCP FINs
    2006-07-02 09:51:14 Local7.Info 192.168.8.13 Jul 02 2006 08:40:03: %ASA-6-302014: Teardown TCP connection 8348927 for outside:64.156.4.191/110 to inside:192.168.8.12/3186 duration 0:20:10 bytes 102903653 TCP FINs
    2006-07-02 09:53:40 Local7.Info 192.168.8.13 Jul 02 2006 08:42:30: %ASA-6-302013: Built outbound TCP connection 8368454 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3204 (xxx.xxx.185.142/12783)
    2006-07-02 09:54:11 Local7.Info 192.168.8.13 Jul 02 2006 08:43:01: %ASA-6-302013: Built outbound TCP connection 8368953 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3206 (xxx.xxx.185.142/12790)
    2006-07-02 09:54:17 Local7.Info 192.168.8.13 Jul 02 2006 08:43:06: %ASA-6-302013: Built outbound TCP connection 8369009 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3208 (xxx.xxx.185.142/12792)
    2006-07-02 09:54:23 Local7.Info 192.168.8.13 Jul 02 2006 08:43:13: %ASA-6-302013: Built outbound TCP connection 8369086 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3210 (xxx.xxx.185.142/12794)
    2006-07-02 09:56:18 Local7.Info 192.168.8.13 Jul 02 2006 08:45:08: %ASA-6-302013: Built outbound TCP connection 8370600 for outside:161.58.90.220/110 (161.58.90.220/110) to inside:192.168.8.12/3213 (xxx.xxx.185.142/12827)
    2006-07-02 10:06:47 Local7.Info 192.168.8.13 Jul 02 2006 08:55:37: %ASA-6-302014: Teardown TCP connection 8369086 for outside:64.156.4.191/110 to inside:192.168.8.12/3210 duration 0:12:24 bytes 52066680 TCP FINs
    2006-07-02 10:16:04 Local7.Info 192.168.8.13 Jul 02 2006 09:04:54: %ASA-6-302014: Teardown TCP connection 8368454 for outside:64.156.4.191/110 to inside:192.168.8.12/3204 duration 0:22:24 bytes 103023376 TCP FINs
    2006-07-02 10:16:25 Local7.Info 192.168.8.13 Jul 02 2006 09:05:15: %ASA-6-302014: Teardown TCP connection 8369009 for outside:64.156.4.191/110 to inside:192.168.8.12/3208 duration 0:22:09 bytes 102851452 TCP FINs
    2006-07-02 10:16:35 Local7.Info 192.168.8.13 Jul 02 2006 09:05:25: %ASA-6-302014: Teardown TCP connection 8368953 for outside:64.156.4.191/110 to inside:192.168.8.12/3206 duration 0:22:23 bytes 102895516 TCP FINs
    2006-07-02 10:19:56 Local7.Info 192.168.8.13 Jul 02 2006 09:08:46: %ASA-6-302014: Teardown TCP connection 8370600 for outside:161.58.90.220/110 to inside:192.168.8.12/3213 duration 0:23:38 bytes 103065860 TCP FINs
    2006-07-02 10:46:51 Local7.Info 192.168.8.13 Jul 02 2006 09:35:41: %ASA-6-302013: Built outbound TCP connection 8419169 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3278 (xxx.xxx.185.142/15496)
    2006-07-02 10:46:57 Local7.Info 192.168.8.13 Jul 02 2006 09:35:47: %ASA-6-302013: Built outbound TCP connection 8419227 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3281 (xxx.xxx.185.142/15499)
    2006-07-02 10:47:03 Local7.Info 192.168.8.13 Jul 02 2006 09:35:53: %ASA-6-302013: Built outbound TCP connection 8419310 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3283 (xxx.xxx.185.142/15502)
    2006-07-02 10:47:08 Local7.Info 192.168.8.13 Jul 02 2006 09:35:58: %ASA-6-302013: Built outbound TCP connection 8419411 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3285 (xxx.xxx.185.142/15508)
    2006-07-02 11:03:29 Local7.Info 192.168.8.13 Jul 02 2006 09:52:19: %ASA-6-302013: Built outbound TCP connection 8433587 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3330 (xxx.xxx.185.142/16617)
    2006-07-02 11:09:18 Local7.Info 192.168.8.13 Jul 02 2006 09:58:08: %ASA-6-302014: Teardown TCP connection 8419169 for outside:64.156.4.191/110 to inside:192.168.8.12/3278 duration 0:22:27 bytes 102897068 TCP FINs
    2006-07-02 11:09:22 Local7.Info 192.168.8.13 Jul 02 2006 09:58:12: %ASA-6-302014: Teardown TCP connection 8419411 for outside:64.156.4.191/110 to inside:192.168.8.12/3285 duration 0:22:14 bytes 102872432 TCP FINs
    2006-07-02 11:09:40 Local7.Info 192.168.8.13 Jul 02 2006 09:58:30: %ASA-6-302014: Teardown TCP connection 8433587 for outside:64.156.4.191/110 to inside:192.168.8.12/3330 duration 0:06:11 bytes 23327452 TCP FINs
    2006-07-02 11:09:41 Local7.Info 192.168.8.13 Jul 02 2006 09:58:31: %ASA-6-302014: Teardown TCP connection 8419310 for outside:64.156.4.191/110 to inside:192.168.8.12/3283 duration 0:22:38 bytes 102979740 TCP FINs
    2006-07-02 11:09:43 Local7.Info 192.168.8.13 Jul 02 2006 09:58:33: %ASA-6-302014: Teardown TCP connection 8419227 for outside:64.156.4.191/110 to inside:192.168.8.12/3281 duration 0:22:45 bytes 102876672 TCP FINs
    2006-07-02 11:10:02 Local7.Info 192.168.8.13 Jul 02 2006 09:58:53: %ASA-6-302013: Built outbound TCP connection 8440516 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3358 (xxx.xxx.185.142/16866)
    2006-07-02 11:10:07 Local7.Info 192.168.8.13 Jul 02 2006 09:58:57: %ASA-6-302013: Built outbound TCP connection 8440569 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3360 (xxx.xxx.185.142/16870)
    2006-07-02 11:10:13 Local7.Info 192.168.8.13 Jul 02 2006 09:59:04: %ASA-6-302013: Built outbound TCP connection 8440651 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3362 (xxx.xxx.185.142/16875)
    2006-07-02 11:10:20 Local7.Info 192.168.8.13 Jul 02 2006 09:59:10: %ASA-6-302013: Built outbound TCP connection 8440737 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3364 (xxx.xxx.185.142/16882)
    2006-07-02 11:31:14 Local7.Info 192.168.8.13 Jul 02 2006 10:20:05: %ASA-6-302014: Teardown TCP connection 8440569 for outside:64.156.4.191/110 to inside:192.168.8.12/3360 duration 0:21:07 bytes 102833428 TCP FINs
    2006-07-02 11:31:24 Local7.Info 192.168.8.13 Jul 02 2006 10:20:14: %ASA-6-302014: Teardown TCP connection 8440516 for outside:64.156.4.191/110 to inside:192.168.8.12/3358 duration 0:21:21 bytes 102784644 TCP FINs
    2006-07-02 11:31:42 Local7.Info 192.168.8.13 Jul 02 2006 10:20:32: %ASA-6-302014: Teardown TCP connection 8440737 for outside:64.156.4.191/110 to inside:192.168.8.12/3364 duration 0:21:22 bytes 102817780 TCP FINs
    2006-07-02 11:31:48 Local7.Info 192.168.8.13 Jul 02 2006 10:20:38: %ASA-6-302014: Teardown TCP connection 8440651 for outside:64.156.4.191/110 to inside:192.168.8.12/3362 duration 0:21:34 bytes 102836200 TCP FINs
    2006-07-02 11:32:22 Local7.Info 192.168.8.13 Jul 02 2006 10:21:12: %ASA-6-302013: Built outbound TCP connection 8456082 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3391 (xxx.xxx.185.142/17696)
    2006-07-02 11:32:30 Local7.Info 192.168.8.13 Jul 02 2006 10:21:20: %ASA-6-302013: Built outbound TCP connection 8456176 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3393 (xxx.xxx.185.142/17698)
    2006-07-02 11:32:35 Local7.Info 192.168.8.13 Jul 02 2006 10:21:26: %ASA-6-302013: Built outbound TCP connection 8456235 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3395 (xxx.xxx.185.142/17702)
    2006-07-02 11:44:37 Local7.Info 192.168.8.13 Jul 02 2006 10:33:28: %ASA-6-302014: Teardown TCP connection 8456235 for outside:64.156.4.191/110 to inside:192.168.8.12/3395 duration 0:12:01 bytes 72339984 TCP FINs
    2006-07-02 11:49:12 Local7.Info 192.168.8.13 Jul 02 2006 10:38:02: %ASA-6-302014: Teardown TCP connection 8456082 for outside:64.156.4.191/110 to inside:192.168.8.12/3391 duration 0:16:50 bytes 102820232 TCP FINs
    2006-07-02 11:49:15 Local7.Info 192.168.8.13 Jul 02 2006 10:38:05: %ASA-6-302014: Teardown TCP connection 8456176 for outside:64.156.4.191/110 to inside:192.168.8.12/3393 duration 0:16:44 bytes 102862452 TCP FINs

  2. #2
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    A couple of thoughts here. Computerhorizons.com has a few subsidiaries: management services, training services. I've dealt with software that had built-in email capabilities (which is your port 110), so maybe there's a new app or two on your network that's receiving email now and then. The questionable ip addresses belong to Level3 and NTT respectively, both reputable outfits. Maybe you can run something like TCPview on your server that would catch the offending app in action (although TCPview doesn't have logging from what I can gather). Check for other new software, something besides spyware or viruses.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  3. #3
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Are you sure nobody is running a POP (Post Office Protocol (email) ) client inside your network or from those specific servers? All the ports on your server side are higher order ephemeral ports (and increase in value, sometimes in the near neighborhood, ie, like a client side increasing the source port if it was trying to make a connection and failed) and it is always destined for tcp/110, which is POP.

    I know it says from 'outside' but I have seen it be a rather common problem, especially with very busy firewalls, that they sometimes will lose track of a session's state and start dropping reply traffic...haven't necessarily seen it per-say in the PIX/ASA world, but have seen it happen, so it wouldn't suprise me if that were the case here...

    If this traffic is fairly consistent, Ie, keeps happening during day or what not, you might could set up a debug packet on the ASA (there is a newer command to use, but it has escaped my memory at the moment) or you could setup a quick packet capture on the server and see if you can't identify the source/content of the traffic...
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  4. #4
    Member
    Join Date
    Jan 2002
    Posts
    61
    Yes althought I still suspicious of this traffic I am relieved that those ips didn't come back belonging to univerisity of bejing or something like that.

    So both of you guys pretty much agree that some sort of packet capture is the next step to investigate. That is easier said than done because I do not have a specific tool to notify me when the traffic is occurring. This internet activity get reported on a montly basis in a monthly status report. Even if I did test daily for the suspicious traffic it would purely be coincidental to catch it in the act. Thoughts? Any way to setup a notificiation if that traffic occurs?

    Thanks

    -Trav

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by Gixxer
    Even if I did test daily for the suspicious traffic it would purely be coincidental to catch it in the act. Thoughts?
    Setup a sniffer, like ethereal, and use it's filter. Set it up so it only captures traffic to/from those specific IP addresses and ports. Let it sit there for a day and have a look afterwards.
    Any way to setup a notificiation if that traffic occurs?
    You could also setup snort with just one or two rules detecting this traffic.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    Member
    Join Date
    Jan 2002
    Posts
    61
    OK etheral sounds good, im on it. I also wrote a little vbs script that I have scheduled to run frequently on the server to do a netstat -a and grep the results ( "find" in the Windows envir ) for either of those suspicious ip addresses. It will send me an alert when those addresses are detected. I'll let you guys know what I find, im sure I will need help when I get some more data.

    Thanks

  7. #7
    Senior Member
    Join Date
    Mar 2004
    Posts
    119
    Could it be something as simple as a misconfigured email client? Is there any software from computer horizons on that server? Does your server host email?

  8. #8
    Member
    Join Date
    Jan 2002
    Posts
    61
    This server is a application server that houses mostly engineering apps. It does not host email of any kind.

    OK a little update on this one: A normal virus scan did not detect any viruses and a spyware check only came up with a few (4) tracking cookies. However this evening, I took the server offline and did a virus scan in safe mode from the command prompt. It is still scanning but already found 5 infected files in the c:\winnt\system32 dir. Two different viruses Backdoor-CPX and Backdoor-CKB. Both trojans.....

    I hate to sound nieve but do you think this was what was causing the suspicious traffic? What the hell do I do now? How do I know what type of data was transfered out of the company?

  9. #9
    Senior Member
    Join Date
    Mar 2004
    Posts
    119
    Well I wouldn't assume those specific virii were causing the traffic. However, they are an indication that you need to dig deeper into what else is on the box.

  10. #10
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    BackDoor-CKB

    This is a remote access trojan.

    When run, this trojan drops PCClient.dll to the windows directory, typically:

    C:\Windows\PCClient.dll

    Then it adds the following registry entry.

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Policies\Explorer\Run system32 = (File path)

    Then this trojan injects the dll in to the process of “IExplorer.exe”.

    This dll attempts to query a remote DNS server with "7oo.meibu.com". Then it makes http connections to the site and sends hardware information including the computer name, CPU, memory status, and drive information. This trojan also waits for commands from the remote site.
    BackDoor-CPX

    This detection is for a remote access trojan written in MSVC. There are multiple versions of this trojan, so users are recommended to use the latest combination of engine/DATs for optimal detection.

    The description below is specific to one version of this trojan - details such as filenames/paths, Registry key names may vary for other versions.

    Installation

    Upon execution, the server component of this trojan installs a DLL into the %SysDir% directory as IPSEC.DLL.
    (Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

    For example:

    C:\WINDOWS\SYSTEM32\IPSEC.DLL

    The following Registry keys are added to hook system startup:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
    CurrentVersion\SvcHost "PolicyAgent" = PolicyAgent

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
    Services\PolicyAgent\Parameters "ServiceDll" = %SystemRoot%\system32\ipsec.dll

    The following keys are modified:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
    \Services\PolicyAgent "ImagePath"

    from:

    %SystemRoot%\System32\lsass.exe

    to:

    %SystemRoot%\System32\svchost.exe -k PolicyAgent

    And:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent "DependOnService"

    from:

    52, 50, 43, 53, 53, 00, 54, 63, 70, 69, 70, 00, 49, 50, 53, 65, 63, 00, 00

    to:

    (blank)

    Remote Access Functionality

    The client component offers many functions to the hacker, including:

    * List TCP/IP interface info.
    * List active processes.
    * Kill a specified process.
    * List dlls of a specified process.
    * List system info.
    * Shutdown/reboot/power off system.
    * Logoff current user's session.
    * Install Terminal Service.
    * Clean system log.
    * List/start/stop/query services.
    * Download from http/ftp.
    * Port redirect.
    * Enumerate all accounts.
    * Run process as Local_System privilege.
    * Spawn command shell
    * List/kill TCP connections.
    * Enter a console registry editor.

    http://vil.nai.com/vil/content/v_129151.htm

    http://vil.nai.com/vil/content/v_132732.htm

    Doesn't look nice, from the information you can see here, these two Trojans can do some damage.
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •