Date: Tue, 01 Feb 2005 15:16:50 +1100
From: Daniel O'Callaghan
To: MailList-Oz-ISP
Message-Id: <41FF02B2.70501@clari.net.au>
Subject: [Oz-ISP] weird trojan/worm traffic
Followups: <1107252531.5760.10.camel@terra>
Hi,

A customer with many XP machines is seeing lots of rogue traffic to/from his site. He has a firewall which I believe is reasonably configured. The traffic is originating on the inside and seems to start with connections to port 80 to seemingly random IPs which are all apparently broadband IPs around the globe. The connections then become both tcp and udp traffic on the same remote port, e.g.

    14:39:11.386572 67.8.99.127.42554 > 203.99.99.99.55199: [udp sum ok] udp 35 (ttl 106, id 1830, len 63)
    14:39:11.490260 67.8.99.127.42554 > 203.99.99.99.54555: . [tcp sum ok] 83:83(0) ack 28 win 65078 (DF) (ttl 106, id 1834, len 40)

    127.99.8.67.IN-ADDR.ARPA domain name pointer 127-99.8-67.tampabay.rr.com

Inspecting the contents of the tcp/udp packets by eye indicates binary data. Norton and McAfee can't find anything on these affected machines.

Does anyone have any ideas?

Thanks,
Danny

---- email "unsubscribe aussie-isp" to m a j o r d o m o @ a u s s i e . n e t to be removed.
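The pattern Danny describes, an internal host that first reaches out to port 80 on many unrelated broadband addresses and then exchanges both tcp and udp with the same remote ip/port pair, is easy to pull out of a tcpdump text capture once the lines are oriented as local-host/remote-peer flows. The script below is an added example, not something posted to the list: it parses tcpdump 3.x style lines like the two quoted above, treats 203.99.99.0/24 as the customer's local range (an assumption taken from the 203.99.99.99 address in the capture), and reports (a) peers contacted over both tcp and udp on one remote port and (b) how many distinct port-80 destinations each local host has opened. The sample capture mixes the two lines from the post with constructed lines so it runs offline.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed local range for the customer's site, inferred from 203.99.99.99 in the
# quoted capture; the list post does not state the real netblock.
LOCAL_NET = ipaddress.ip_network("203.99.99.0/24")

# tcpdump 3.x text line: "<timestamp> <ip>.<port> > <ip>.<port>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)

# Constructed sample: the two lines quoted in the post plus made-up port-80 and
# DNS traffic from the same local host, and an unrelated HTTPS flow.
SAMPLE_CAPTURE = """\
14:39:10.101000 203.99.99.99.1034 > 24.1.2.3.80: S 10:10(0) win 65535 (DF) (ttl 128, id 100, len 48)
14:39:10.202000 203.99.99.99.1035 > 68.5.6.7.80: S 20:20(0) win 65535 (DF) (ttl 128, id 101, len 48)
14:39:11.386572 67.8.99.127.42554 > 203.99.99.99.55199: [udp sum ok] udp 35 (ttl 106, id 1830, len 63)
14:39:11.490260 67.8.99.127.42554 > 203.99.99.99.54555: . [tcp sum ok] 83:83(0) ack 28 win 65078 (DF) (ttl 106, id 1834, len 40)
14:39:12.000000 203.99.99.99.1036 > 203.99.99.1.53: [udp sum ok] udp 40 (ttl 128, id 102, len 68)
14:39:12.100000 203.99.99.50.1037 > 10.0.0.1.443: S 30:30(0) win 65535 (DF) (ttl 128, id 103, len 48)
"""


def parse_line(line):
    """Return (src_ip, src_port, dst_ip, dst_port, proto) or None if the line is not tcp/udp."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # tcpdump 3.x prints "udp <len>" for UDP; TCP lines carry flags, ack/win, or "[tcp sum ok]".
    if re.search(r"\budp\b", rest):
        proto = "udp"
    elif re.search(r"\btcp\b|\back\b|\bwin\b|\bS\b", rest):
        proto = "tcp"
    else:
        return None
    return (m.group("sip"), int(m.group("sport")),
            m.group("dip"), int(m.group("dport")), proto)


def normalise(pkt):
    """Orient a packet as (local_ip, remote_ip, remote_port, proto); None if neither end is local."""
    sip, sport, dip, dport, proto = pkt
    if ipaddress.ip_address(sip) in LOCAL_NET:
        return (sip, dip, dport, proto)
    if ipaddress.ip_address(dip) in LOCAL_NET:
        return (dip, sip, sport, proto)
    return None


def find_mixed_protocol_peers(lines):
    """Return {(local_ip, remote_ip, remote_port): {'tcp', 'udp'}} for peers seen over both protocols."""
    seen = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        flow = normalise(pkt)
        if flow is None:
            continue
        local, remote, rport, proto = flow
        seen[(local, remote, rport)].add(proto)
    return {key: protos for key, protos in seen.items() if protos == {"tcp", "udp"}}


def port80_fanout(lines):
    """Return {local_ip: number of distinct remote hosts it sent TCP to on port 80}."""
    targets = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        sip, sport, dip, dport, proto = pkt
        if proto == "tcp" and dport == 80 and ipaddress.ip_address(sip) in LOCAL_NET:
            targets[sip].add(dip)
    return {host: len(peers) for host, peers in targets.items()}


if __name__ == "__main__":
    lines = SAMPLE_CAPTURE.splitlines()
    for (local, remote, rport), protos in find_mixed_protocol_peers(lines).items():
        print(f"{local} <-> {remote}:{rport} seen over {sorted(protos)}")
    for host, count in port80_fanout(lines).items():
        print(f"{host} opened port 80 on {count} distinct remote hosts")
```

On a real site you would feed it `tcpdump -nn` output from the firewall and sort the fan-out table descending; the hosts at the top, and any local address that appears in the mixed-protocol list, are the ones worth pulling off the network for a closer look, regardless of what the desktop AV reports.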