
Trojan Detected: now what?

I'm getting IPS notifications of a trojan on my system but can't find a way to isolate or otherwise identify it.

Can someone give a clue?

Here's a snip of the IPS logs:

2015:04:15-11:48:01 ravenna snort[29138]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS IPv6 host name enumeration" group="241" srcip="10.1.2.3" dstip="10.1.1.2" proto="17" srcport="59691" dstport="53" sid="27938" class="Attempted Information Leak" priority="2" generator="1" msgid="0"
2015:04:15-11:48:02 ravenna snort[29138]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="INDICATOR-COMPROMISE Suspicious .cc dns query" group="241" srcip="10.1.2.3" dstip="10.1.1.2" proto="17" srcport="59691" dstport="53" sid="28190" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
2015:04:15-11:48:02 ravenna snort[29138]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS IPv6 host name enumeration" group="241" srcip="10.1.2.3" dstip="10.1.1.2" proto="17" srcport="59691" dstport="53" sid="27938" class="Attempted Information Leak" priority="2" generator="1" msgid="0"
2015:04:15-11:48:02 ravenna snort[29138]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="INDICATOR-COMPROMISE Suspicious .cc dns query" group="241" srcip="10.1.2.3" dstip="10.1.1.2" proto="17" srcport="59691" dstport="53" sid="28190" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
2015:04:15-11:48:02 ravenna snort[29138]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS IPv6 host name enumeration" group="241" srcip="10.1.2.3" dstip="10.1.1.2" proto="17" srcport="59691" dstport="53" sid="27938" class="Attempted Information Leak" priority="2" generator="1" msgid="0"
2015:04:15-11:48:02 ravenna snort[29138]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS IPv6 host name enumeration" group="241" srcip="10.1.2.3" dstip="10.1.1.2" proto="17" srcport="59691" dstport="53" sid="27938" class="Attempted Information Leak" priority="2" generator="1" msgid="0"
2015:04:15-11:48:02 ravenna snort[29138]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS IPv6 host name enumeration" group="241" srcip="10.1.2.3" dstip="10.1.1.2" proto="17" srcport="59691" dstport="53" sid="27938" class="Attempted Information Leak" priority="2" generator="1" msgid="0"
2015:04:15-11:48:02 ravenna snort[29138]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS IPv6 host name enumeration" group="241" srcip="10.1.2.3" dstip="10.1.1.2" proto="17" srcport="59691" dstport="53" sid="27938" class="Attempted Information Leak" priority="2" generator="1" msgid="0"
2015:04:15-11:48:02 ravenna snort[29138]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS IPv6 host name enumeration" group="241" srcip="10.1.2.3" dstip="10.1.1.2" proto="17" srcport="59691" dstport="53" sid="27938" class="Attempted Information Leak" priority="2" generator="1" msgid="0"
2015:04:15-11:48:02 ravenna snort[29138]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS IPv6 host name enumeration" group="241" srcip="10.1.2.3" dstip="10.1.1.2" proto="17" srcport="59691" dstport="53" sid="27938" class="Attempted Information Leak" priority="2" generator="1" msgid="0"
2015:04:15-11:48:02 ravenna snort[29138]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="BLACKLIST DNS request for known malware domain ucoz.ru" group="241" srcip="10.1.2.3" dstip="10.1.1.2" proto="17" srcport="59691" dstport="53" sid="29122" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
2015:04:15-11:48:02 ravenna snort[29138]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="BLACKLIST DNS request for known malware domain ucoz.ru" group="241" srcip="10.1.2.3" dstip="10.1.1.2" proto="17" srcport="59691" dstport="53" sid="29122" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
I've run scanners et al. but can't find anything.

Thanks!
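The answer to "now what?" is already in the log lines: every alert has `srcip="10.1.2.3"` making DNS queries to `10.1.1.2:53`, so the host to take off the network and examine is 10.1.2.3, not the UTM itself. The following added triage script (example code, not part of the original post or of Sophos UTM) parses the `key="value"` format of these snort alerts, groups them by source IP, and separates the priority-1 "A Network Trojan was Detected" signatures (sids 28190 and 29122) from the priority-2 IPv6 enumeration noise (sid 27938). The sample lines are copied from the post above; nine duplicate sid 27938 lines were dropped because they add nothing to the counts. The assumption that the source IP is the infected client holds only because the sensor sits between the client and its resolver; if the IPS saw traffic on the far side of a forwarding DNS server, srcip would name the resolver and you would have to pivot to the resolver's own query log.

```python
import re
from collections import Counter, defaultdict

# Prefix: "<timestamp> <sensor> <program>[<pid>]: " followed by key="value" pairs.
PREFIX_RE = re.compile(
    r'^(?P<ts>\S+) (?P<sensor>\S+) (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<kv>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Lines copied from the post (de-duplicated: the original has nine more
# identical sid 27938 lines, which only inflate the priority-2 count).
LOG_LINES = [
    '2015:04:15-11:48:01 ravenna snort[29138]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS IPv6 host name enumeration" group="241" srcip="10.1.2.3" dstip="10.1.1.2" proto="17" srcport="59691" dstport="53" sid="27938" class="Attempted Information Leak" priority="2" generator="1" msgid="0"',
    '2015:04:15-11:48:02 ravenna snort[29138]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="INDICATOR-COMPROMISE Suspicious .cc dns query" group="241" srcip="10.1.2.3" dstip="10.1.1.2" proto="17" srcport="59691" dstport="53" sid="28190" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"',
    '2015:04:15-11:48:02 ravenna snort[29138]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS IPv6 host name enumeration" group="241" srcip="10.1.2.3" dstip="10.1.1.2" proto="17" srcport="59691" dstport="53" sid="27938" class="Attempted Information Leak" priority="2" generator="1" msgid="0"',
    '2015:04:15-11:48:02 ravenna snort[29138]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="INDICATOR-COMPROMISE Suspicious .cc dns query" group="241" srcip="10.1.2.3" dstip="10.1.1.2" proto="17" srcport="59691" dstport="53" sid="28190" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"',
    '2015:04:15-11:48:02 ravenna snort[29138]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="BLACKLIST DNS request for known malware domain ucoz.ru" group="241" srcip="10.1.2.3" dstip="10.1.1.2" proto="17" srcport="59691" dstport="53" sid="29122" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"',
    '2015:04:15-11:48:02 ravenna snort[29138]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="BLACKLIST DNS request for known malware domain ucoz.ru" group="241" srcip="10.1.2.3" dstip="10.1.1.2" proto="17" srcport="59691" dstport="53" sid="29122" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"',
]


def parse_line(line):
    """Return the alert's fields as a dict, or None if the line is not a UTM IPS line."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group('kv')))
    fields['ts'] = m.group('ts')
    fields['sensor'] = m.group('sensor')
    return fields


def summarize(lines):
    """Group IPS alerts by internal source IP: totals, priority-1 hits, signatures, destinations."""
    per_src = defaultdict(lambda: {
        'total': 0, 'priority1': 0, 'signatures': Counter(), 'destinations': Counter(),
    })
    for line in lines:
        f = parse_line(line)
        if f is None or f.get('sub') != 'ips':
            continue
        s = per_src[f['srcip']]
        s['total'] += 1
        if f.get('priority') == '1':
            s['priority1'] += 1
        s['signatures'][(f['sid'], f['reason'])] += 1
        s['destinations'][f"{f['dstip']}:{f['dstport']}/{f['proto']}"] += 1
    return per_src


def hosts_to_investigate(lines):
    """Source IPs with at least one priority-1 alert, most hits first."""
    ranked = [(ip, s['priority1']) for ip, s in summarize(lines).items() if s['priority1'] > 0]
    ranked.sort(key=lambda item: item[1], reverse=True)
    return [ip for ip, _ in ranked]


def report(lines):
    """Human-readable triage summary, one block per flagged host."""
    out = []
    summary = summarize(lines)
    for ip in hosts_to_investigate(lines):
        s = summary[ip]
        out.append(f"{ip}: {s['total']} alerts, {s['priority1']} priority-1")
        for (sid, reason), n in s['signatures'].most_common():
            out.append(f"  sid {sid} x{n}: {reason}")
        for dst, n in s['destinations'].most_common():
            out.append(f"  -> {dst} x{n}")
    return "\n".join(out)


if __name__ == '__main__':
    print(report(LOG_LINES))
```

Run against the posted lines, the report names a single host, 10.1.2.3, with four priority-1 hits across two signatures, all aimed at the resolver 10.1.1.2 on UDP/53. That is the machine to pull off the network and examine; the next step on it is finding which process issued those DNS lookups (the query times are all within one second of 11:48:02, which narrows the search), since a clean scanner result on the UTM itself says nothing about a client behind it.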

