Re: Suspicious firewall logs
- To: Incidents List <[EMAIL PROTECTED]>
- Subject: Re: Suspicious firewall logs
- From: "Jay D. Dyson" <[EMAIL PROTECTED]>
- Date: Fri, 1 Aug 2003 12:03:11 -0700 (PDT)
- In-reply-to: <[EMAIL PROTECTED]>
- Organization: Treachery Unlimited - http://www.treachery.net/
- References: <[EMAIL PROTECTED]>
- Restrict: no-external-archive
On Fri, 1 Aug 2003, Wong Wai Kit wrote:
> I had one incident which requires your help. My firewall keeps
> prompting some traffic from internal LAN IPs trying to access this
> group of destination IPs for the "http" service
<snip of IP addresses>
> Actually, my question is why my internal LAN (a few IPs) keeps trying to
> access this group of destination IPs for the http service. If my LAN wants
> to go out to the internet, it should go through our proxy first. It is not
> supposed to go out to external directly.
While I don't have the make and model of the systems attempting to
reach the IPs you listed (all of which reside on the Cable & Wireless
netblock; do a whois -h whois.arin.net NET-208-128-0-0-1 for more data),
I'll wager that all of the boxes are running Windows and all have been
infected with a mail-based trojan via MS Outlook.
The HTTPd service on the IPs you listed identifies itself as
"Footprint Distributor V3.0." Details on that are sketchy at best. It'd
probably be a Good Thing(tm) to sniff the traffic from your LAN to the IPs
in question to determine what precisely is being requested. The connect
attempts could be little more than a "come and get me" tap for all we know.
Either way, you've got some work ahead. Good luck.
-Jay
( ( _______
)) )) .-"There's always time for a good cup of coffee."-. >====<--.
C|~~|C|~~| (>------ Jay D. Dyson - [EMAIL PROTECTED] ------<) | = |-'
`--' `--' `- If war isn't the answer, what's the question? -' `------'
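One way to triage firewall logs of the kind described in this thread, as an added example that is not part of the original messages: a Python script over constructed firewall log lines that lists which LAN hosts are opening direct outbound web connections instead of going through the proxy, and to which external hosts. The key=value log format, the 10.1.0.0/16 LAN range and all addresses in the sample are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the original thread). The
# syslog-style key=value format is an assumption; adjust LINE_RE to your logs.
SAMPLE_LOG = """\
Aug  1 11:58:02 fw kernel: DROP src=10.1.5.23 dst=203.0.113.10 proto=TCP sport=1341 dport=80
Aug  1 11:58:02 fw kernel: ACCEPT src=10.1.5.23 dst=10.1.0.8 proto=TCP sport=1342 dport=8080
Aug  1 11:58:04 fw kernel: DROP src=10.1.5.23 dst=203.0.113.11 proto=TCP sport=1343 dport=80
Aug  1 11:58:09 fw kernel: DROP src=10.1.7.41 dst=203.0.113.10 proto=TCP sport=2211 dport=80
Aug  1 11:58:10 fw kernel: ACCEPT src=10.1.7.41 dst=198.51.100.5 proto=UDP sport=2212 dport=53
Aug  1 11:58:15 fw kernel: DROP src=192.0.2.77 dst=203.0.113.10 proto=TCP sport=4000 dport=80
"""

LAN = ipaddress.ip_network("10.1.0.0/16")  # assumed internal range; the proxy lives inside it
WEB_PORTS = {80, 443}                       # policy: LAN web traffic must go via the proxy

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) "
    r"sport=\d+ dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Extract src, dst, proto and dport from one log line; None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"],
        "dport": int(m["dport"]),
    }


def find_proxy_bypass(log_text):
    """Return {lan_host: sorted external web destinations} for LAN hosts that
    talk TCP/80 or TCP/443 to hosts outside the LAN, i.e. not to the proxy."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] not in WEB_PORTS:
            continue
        # Only internal sources matter; destinations inside the LAN (the proxy) are the sanctioned path.
        if rec["src"] not in LAN or rec["dst"] in LAN:
            continue
        hits[str(rec["src"])].add(str(rec["dst"]))
    return {src: sorted(dsts) for src, dsts in sorted(hits.items())}


if __name__ == "__main__":
    for src, dsts in find_proxy_bypass(SAMPLE_LOG).items():
        print(f"{src} -> {len(dsts)} external web host(s): {', '.join(dsts)}")
```

Hosts that appear in the output are the ones to capture traffic from, as the reply suggests, since the log alone does not show what is being requested.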