A portscan trojan that persists after reloading with linux instead of Vista?

Something inside the network is doing portscans outside the network:
2009:05:14-13:37:47 post ulogd[2990]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth0" outitf="eth0" dstmac="zz:zz:zz:zz:zz:zz" srcmac="yy:yy:yy:yy:yy:yy" srcip="10.x.x.111" dstip="85.86.106.91" proto="17" length="61" tos="0x00" prec="0x00" ttl="63" srcport="26493" dstport="57455" 

2009:05:14-13:37:47 post ulogd[2990]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth0" outitf="eth0" dstmac="zz:zz:zz:zz:zz:zz" srcmac="yy:yy:yy:yy:yy:yy" srcip="10.x.x.111" dstip="69.243.15.69" proto="17" length="62" tos="0x00" prec="0x00" ttl="63" srcport="26493" dstport="16774" 
2009:05:14-13:37:47 post ulogd[2990]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth0" outitf="eth0" dstmac="zz:zz:zz:zz:zz:zz" srcmac="yy:yy:yy:yy:yy:yy" srcip="10.x.x.111" dstip="72.188.102.64" proto="17" length="63" tos="0x00" prec="0x00" ttl="63" srcport="26493" dstport="59201"

This is an interesting situation...

The laptop at 10.x.x.111 seems to have had this problem since 4/24 when it was loaded with Vista.  The programmer erased and reloaded Vista twice, then, frustrated, erased the disk again and loaded it with linux.

When the IP on the laptop changes, the srcip changes to the new IP, but the srcmac always matches the External Astaro interface and the dstmac always matches the Internal interface.

Anyone have any suggestions?

Cheers - Bob


  • The other interesting phenomenon concerns another laptop (yes, two devices that are heavily used "outside" of the protection of the Astaro).  About once a week, when this second laptop is connected via L2TP over IPsec, it portscans 255.255.255.255, then the IP of the Windows 2003 Small Business Server, and finally the IP of the multi-function device used to scan to email.
    /var/log/ips/2009/05/ips-2009-05-09.log.gz:2009:05:09-07:27:44 post ulogd[3016]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="ppp0" outitf="ppp0" dstmac="00:00:00:00:00:00" srcmac="00:00:00:00:00:00" srcip="10.x.x.51" dstip="255.255.255.255" proto="17" length="269" tos="0x00" prec="0x00" ttl="128" srcport="138" dstport="138" 
    
    /var/log/ips/2009/05/ips-2009-05-09.log.gz:2009:05:09-07:27:45 post ulogd[3016]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="ppp0" outitf="ppp0" dstmac="00:00:00:00:00:00" srcmac="yy:yy:yy:yy:yy:yy" srcip="10.x.x.51" dstip="10.x.x.7" proto="17" length="269" tos="0x00" prec="0x00" ttl="127" srcport="138" dstport="138" 
    /var/log/ips/2009/05/ips-2009-05-09.log.gz:2009:05:09-07:27:46 post ulogd[3016]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="ppp0" outitf="ppp0" dstmac="00:00:00:00:00:00" srcmac="yy:yy:yy:yy:yy:yy" srcip="10.x.x.51" dstip="10.x.x.45" proto="17" length="106" tos="0x00" prec="0x00" ttl="127" srcport="51814" dstport="161"

    No other desktop or laptop IP appears in the IPS logs.

    Cheers - Bob
  • I had a similar issue but it turned out to be McAfee SCP.

    Figures he would blame Vista.

    Maybe he has a stealthy rootkit or the notebook comes with its own tracking security software.
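The checks an admin would run over the lines in Bob's two posts above, as an added example that is not code from the thread or from Astaro: a small Python parser for the ulogd key="value" records, grouping "portscan detected" events by srcip and annotating what the fields show (same in/out interface, srcmac equal to the firewall's external MAC as Bob observed, a broadcast destination, the well-known UDP ports 138 and 161, and one fixed source port fanning out to several hosts on random high ports). The interface MACs, the 10.0.0.x addresses and the sample log text are assumptions constructed to mirror the masked lines in the thread.

```python
"""Added example (not from the thread or Astaro): parse ulogd IPS
'portscan detected' lines and summarise what each source host is doing."""
import re
from collections import defaultdict

# ulogd writes space-separated key="value" tokens after a timestamp/program prefix.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
TS_RE = re.compile(r'\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}')

# Assumed interface MACs (the thread masks them); take the real ones from `ip link`.
ASTARO_EXTERNAL_MAC = "yy:yy:yy:yy:yy:yy"
ASTARO_INTERNAL_MAC = "zz:zz:zz:zz:zz:zz"

WELL_KNOWN_UDP = {138: "netbios-dgm", 161: "snmp"}

# Constructed sample lines mirroring the thread; 10.x.x.N is written as 10.0.0.N.
SAMPLE_LOG = """\
2009:05:14-13:37:47 post ulogd[2990]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth0" outitf="eth0" dstmac="zz:zz:zz:zz:zz:zz" srcmac="yy:yy:yy:yy:yy:yy" srcip="10.0.0.111" dstip="85.86.106.91" proto="17" length="61" tos="0x00" prec="0x00" ttl="63" srcport="26493" dstport="57455"
2009:05:14-13:37:47 post ulogd[2990]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth0" outitf="eth0" dstmac="zz:zz:zz:zz:zz:zz" srcmac="yy:yy:yy:yy:yy:yy" srcip="10.0.0.111" dstip="69.243.15.69" proto="17" length="62" tos="0x00" prec="0x00" ttl="63" srcport="26493" dstport="16774"
2009:05:14-13:37:47 post ulogd[2990]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth0" outitf="eth0" dstmac="zz:zz:zz:zz:zz:zz" srcmac="yy:yy:yy:yy:yy:yy" srcip="10.0.0.111" dstip="72.188.102.64" proto="17" length="63" tos="0x00" prec="0x00" ttl="63" srcport="26493" dstport="59201"
/var/log/ips/2009/05/ips-2009-05-09.log.gz:2009:05:09-07:27:44 post ulogd[3016]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="ppp0" outitf="ppp0" dstmac="00:00:00:00:00:00" srcmac="00:00:00:00:00:00" srcip="10.0.0.51" dstip="255.255.255.255" proto="17" length="269" tos="0x00" prec="0x00" ttl="128" srcport="138" dstport="138"
/var/log/ips/2009/05/ips-2009-05-09.log.gz:2009:05:09-07:27:45 post ulogd[3016]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="ppp0" outitf="ppp0" dstmac="00:00:00:00:00:00" srcmac="yy:yy:yy:yy:yy:yy" srcip="10.0.0.51" dstip="10.0.0.7" proto="17" length="269" tos="0x00" prec="0x00" ttl="127" srcport="138" dstport="138"
/var/log/ips/2009/05/ips-2009-05-09.log.gz:2009:05:09-07:27:46 post ulogd[3016]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="ppp0" outitf="ppp0" dstmac="00:00:00:00:00:00" srcmac="yy:yy:yy:yy:yy:yy" srcip="10.0.0.51" dstip="10.0.0.45" proto="17" length="106" tos="0x00" prec="0x00" ttl="127" srcport="51814" dstport="161"
"""


def parse_ulogd_line(line):
    """Return the key="value" pairs of one ulogd line as a dict, plus the timestamp.

    Works on plain lines and on zgrep-style 'file.gz:timestamp ...' lines,
    because the prefix contains no key="value" token.
    """
    fields = dict(KV_RE.findall(line))
    ts = TS_RE.search(line)
    if ts:
        fields["ts"] = ts.group(0)
    return fields


def summarize_portscans(log_text):
    """Group 'portscan detected' events by srcip and annotate what the fields show."""
    hosts = defaultdict(lambda: {"dst_ips": set(), "dst_ports": set(),
                                 "src_ports": set(), "findings": set()})
    for raw in log_text.splitlines():
        ev = parse_ulogd_line(raw)
        if ev.get("sub") != "ips" or ev.get("name") != "portscan detected":
            continue  # other IPS records or unrelated lines
        dport = int(ev["dstport"])
        h = hosts[ev["srcip"]]
        h["dst_ips"].add(ev["dstip"])
        h["dst_ports"].add(dport)
        h["src_ports"].add(int(ev["srcport"]))
        if ev["initf"] == ev["outitf"]:
            h["findings"].add(f"same in/out interface ({ev['initf']})")
        if ev["srcmac"] == ASTARO_EXTERNAL_MAC:
            h["findings"].add("srcmac is the Astaro external interface, not the host's NIC")
        if ev["dstip"] == "255.255.255.255":
            h["findings"].add("broadcast destination")
        if ev["proto"] == "17" and dport in WELL_KNOWN_UDP:
            h["findings"].add(f"well-known udp service: {WELL_KNOWN_UDP[dport]}")
    # A single source port hitting several hosts on random high ports is a
    # different pattern from a broadcast or a probe of a known service.
    for h in hosts.values():
        if len(h["src_ports"]) == 1 and len(h["dst_ips"]) >= 3 and min(h["dst_ports"]) > 1023:
            h["findings"].add("one fixed source port fanning out to many hosts on random high ports")
    return hosts


if __name__ == "__main__":
    for src, h in sorted(summarize_portscans(SAMPLE_LOG).items()):
        print(f"{src}: {len(h['dst_ips'])} targets, src ports {sorted(h['src_ports'])}")
        for f in sorted(h["findings"]):
            print(f"  - {f}")
```

Run it against a real file with `zcat /var/log/ips/2009/05/*.gz | python3 this_script.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the per-host findings separate the two patterns in the thread (a fixed-port UDP fan-out from .111 versus broadcast/port-138/port-161 traffic from .51) without changing the IPS rule itself.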