Security Incidents mailing list archives
Unidentified Trojan?
From: rginski () CO PINELLAS FL US (Richard Ginski)
Date: Thu, 18 May 2000 11:54:35 -0400
We have been monitoring some strange activity regarding a possible trojan on some of our systems. Unfortunately, this explanation has to be long in order to paint the whole picture:

1) We first noticed that there was a problem when we noticed that two of our INTERNAL DNS servers appeared to be affected by DNS cache poisoning. It was stumbled on accidentally when someone entered a typo in a URL (omitting a ":" when specifying a port number to one of our intranet sites) and was redirected to a porn site: 216.65.124.73 (internalmachine.domain&portnumber). We figured it was cache poisoning because I could not fathom that the DNS servers would "learn" a host address for which there are no root servers.

2) I checked our firewall logs as to who may have also (involuntarily) been connecting to this IP address (216.65.124.73) and found over 25 machines trying to connect to this site using different port numbers (not HTTP). First, the machines used ping (we don't allow outbound ping), then used various ports. Finally, the machines just tried to connect to this site using CIFS. It appears that once the machines are turned on, the "trojan" activity would begin. We tried to narrow down what could be causing this (activity went on for two days), then the activity ceased. Anti-virus software has always been installed on these machines (Inoculan) and we manually scanned one of the machines just to make sure the real time scanner did not miss anything. Nothing was found. The dates on which this occurred were 4/26 and 4/27. During those two days we were able to restart/login to these machines and watch the activity with a sniffer as we tried to determine the culprit.

3) We felt we had taken a number of precautions to prevent any further damage, including notification when any more attempts were made to connect to the IP address 216.65.124.73.

4) Well, it started happening again on Tuesday of this week (5/16) and continued till yesterday (5/17). It appears that now the "destination port of choice" is TCP port 524 to the same IP address, for which I cannot identify any type of service. Approximately 25 machines (different machines than the machines before, on different network segments) were affected. Unlike before, we could not reboot/login to these machines and cause them to make additional connection attempts, which seemed to stimulate the activity before.

5) Today (5/18), no connect attempts were made to 216.65.124.73. However, doing a search on destination port 524 revealed that machines are now trying to connect to some of our HTTP servers in our DMZ. All of the machines affected are Windows based (95/98 and NT). To the best of our knowledge, all attempts to connect to this outside address have failed due to our firewall.

Has anyone had any experience with this behavior? Can anyone identify TCP port 524? Any input would be greatly appreciated!
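Added example, not from the original post or the list: a small Python script that runs the two firewall-log searches the post describes (which internal hosts attempted to reach 216.65.124.73, and in what order of protocols/ports; and which hosts attempted TCP port 524 to any destination, including DMZ servers) over constructed sample log lines. The "DENY" log format, the internal addresses and the DMZ address are assumptions; only 216.65.124.73 comes from the post.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed generic "DENY" log format (the poster's real format is unknown).
# 216.65.124.73 is the address named in the post; internal and DMZ addresses are made up.
SAMPLE_LOG = """\
2000-05-16 08:01:02 DENY proto=icmp src=10.1.4.22 dst=216.65.124.73
2000-05-16 08:01:05 DENY proto=tcp src=10.1.4.22 dst=216.65.124.73 dport=524
2000-05-16 08:01:09 DENY proto=tcp src=10.1.4.22 dst=216.65.124.73 dport=139
2000-05-16 08:02:11 DENY proto=tcp src=10.1.7.9 dst=216.65.124.73 dport=524
2000-05-16 08:02:40 DENY proto=tcp src=10.1.7.9 dst=216.65.124.73 dport=524
2000-05-16 08:03:00 DENY proto=tcp src=10.1.2.3 dst=192.0.2.10 dport=80
2000-05-18 09:10:00 DENY proto=tcp src=10.1.9.5 dst=10.1.200.20 dport=524
"""

LINE_RE = re.compile(r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)(?: dport=(?P<dport>\d+))?")

# 524/tcp is the IANA-registered NetWare Core Protocol (NCP) port; 139 and 445 carry CIFS.
PORT_LABELS = {524: "ncp", 139: "netbios-ssn/cifs", 445: "cifs"}

def parse_log(text):
    """Return one dict per recognisable line: proto, src, dst, dport (None for ICMP)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"]) if ev["dport"] else None
            events.append(ev)
    return events

def attempts_against(events, target_ip):
    """Map each source host to the ordered (proto, dport) sequence it tried against target_ip."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["dst"] == target_ip:
            by_src[ev["src"]].append((ev["proto"], ev["dport"]))
    return dict(by_src)

def sources_for_port(events, dport):
    """Sorted source hosts that tried TCP dport against any destination (the post's second search)."""
    return sorted({ev["src"] for ev in events if ev["proto"] == "tcp" and ev["dport"] == dport})

def describe(by_src):
    """One summary line per host, e.g. '10.1.4.22: icmp, tcp/524 (ncp), tcp/139 (netbios-ssn/cifs)'."""
    def fmt(proto, port):
        return f"{proto}/{port} ({PORT_LABELS[port]})" if port in PORT_LABELS else (f"{proto}/{port}" if port else proto)
    return [f"{src}: " + ", ".join(fmt(p, d) for p, d in tries) for src, tries in sorted(by_src.items())]
```

Run `describe(attempts_against(parse_log(SAMPLE_LOG), "216.65.124.73"))` to get the per-host sequence (ping first, then ports, then CIFS, as the post describes), and `sources_for_port(parse_log(SAMPLE_LOG), 524)` to list every host trying 524/tcp regardless of destination.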