Date: Tue, 01 Feb 2005 20:08:51 +1000
From: Dallas
To: Daniel O'Callaghan, aussie-isp
Message-Id: <1107252531.5760.10.camel@terra>
In-Reply-To: <41FF02B2.70501@clari.net.au>
References: <41FF02B2.70501@clari.net.au>
Subject: Re: [Oz-ISP] weird trojan/worm traffic
Followups:

<41FF5F7E.6040305@clari.net.au>


I have no real proof to back it up but my money is that this traffic is
your average im/irc/p2p session.

Now depending on what you call 'lots of rogue traffic', I say this is
your regular transfer connection, typically broadband connections on
high (out of the way) ports, tcp/udp transfers of random duration.
You can point the finger at MSN, DCC, skype and/or bittorrent.


I reject the idea that this is trojan/worm related for these offensive
programs usually stick to close subnets when communicating.


da!!as

On Tue, 2005-02-01 at 14:16, Daniel O'Callaghan wrote:
> Hi,
>
> A customer with many XP machines is seeing lots of rogue traffic to/from
> his site.  He has a firewall which I believe is reasonably configured.
> The traffic is originating on the inside and seems to start with
> connections to port 80 to seemingly random IPs which are all apparently
> broadband IPs around the globe.
> The connections then become both tcp and udp traffic on the same remote
> port.
>
> eg
> 14:39:11.386572 67.8.99.127.42554 > 203.99.99.99.55199: [udp sum ok] udp
> 35 (ttl 106, id 1830, len 63)
> 14:39:11.490260 67.8.99.127.42554 > 203.99.99.99.54555: . [tcp sum ok]
> 83:83(0) ack 28 win 65078 (DF) (ttl 106, id 1834, len 40)
>
> 127.99.8.67.IN-ADDR.ARPA domain name pointer 127-99.8-67.tampabay.rr.com
>
> Inspecting the contents tcp/udp packets by eye indicates binary data.
>
> Nortons and McAfee can't find anything on these affected machines.
>
> Does anyone have any ideas?
>
> Thanks,
>
> Danny
> ----
> email "unsubscribe aussie-isp" to m a j o r d o m o @ a u s s i e . n e t to be removed.
--
dallas <d a l l a s @ q u i c k s p r i n t . c o m . a u
Quicksprint Internet Solutions
----
email "unsubscribe aussie-isp" to m a j o r d o m o @ a u s s i e . n e t to be removed.
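To make the pattern Danny describes concrete for triage, here is an added example (not from the thread) that parses the legacy tcpdump output quoted above, groups packets by remote host and port, flags peers that use one remote port for both TCP and UDP, and lists the remote IPs contacted on port 80. The local prefix `203.99.99.` and the three extra sample lines are constructed assumptions; the two lines from the post are used as-is.

```python
import re
from collections import defaultdict

# Constructed sample input: the two lines quoted in Danny's post plus three
# constructed lines in the same legacy tcpdump format (not from the thread).
SAMPLE = """\
14:39:11.386572 67.8.99.127.42554 > 203.99.99.99.55199: [udp sum ok] udp 35 (ttl 106, id 1830, len 63)
14:39:11.490260 67.8.99.127.42554 > 203.99.99.99.54555: . [tcp sum ok] 83:83(0) ack 28 win 65078 (DF) (ttl 106, id 1834, len 40)
14:39:12.001000 203.99.99.99.54555 > 67.8.99.127.42554: P [tcp sum ok] 28:60(32) ack 83 win 17520 (DF) (ttl 127, id 2001, len 72)
14:39:12.100000 203.99.99.99.3312 > 198.51.100.7.80: S [tcp sum ok] 100:100(0) win 65535 (DF) (ttl 127, id 2002, len 48)
14:39:13.200000 198.51.100.7.53000 > 203.99.99.99.3313: [udp sum ok] udp 20 (ttl 50, id 9, len 48)
"""

# One legacy tcpdump header: "<time> <src-ip>.<sport> > <dst-ip>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^\S+\s+(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$")

def parse_flows(text, local_prefix):
    """Yield (remote_ip, remote_port, proto) per packet; remote = the non-local end."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip lines that are not packet headers
        sip, sport, dip, dport, rest = m.groups()
        # Legacy tcpdump prints "udp <len>" for UDP; TCP lines carry flags/seq/ack.
        proto = "udp" if re.search(r"\budp\b", rest) else "tcp"
        if sip.startswith(local_prefix):
            yield dip, int(dport), proto
        else:
            yield sip, int(sport), proto

def protocols_per_peer(text, local_prefix):
    """Map (remote_ip, remote_port) -> set of transport protocols seen on it."""
    seen = defaultdict(set)
    for ip, port, proto in parse_flows(text, local_prefix):
        seen[(ip, port)].add(proto)
    return dict(seen)

def mixed_transport_peers(text, local_prefix):
    """Remote (ip, port) pairs carrying both TCP and UDP: the pattern in the post."""
    return sorted(k for k, v in protocols_per_peer(text, local_prefix).items()
                  if v == {"tcp", "udp"})

def port80_peers(text, local_prefix):
    """Remote IPs contacted on TCP port 80 (the initial connections in the post)."""
    return sorted({ip for ip, port, proto in parse_flows(text, local_prefix)
                   if port == 80 and proto == "tcp"})
```

A long list of distinct broadband peers sharing one TCP/UDP port is consistent with the P2P and VoIP clients Dallas names as well as with what Danny fears, so the output is a starting point for checking which process on the XP hosts owns those sockets, not a verdict on its own.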
