Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: Anyone seen this?
From: "Bryan D. Payne" <bdpayne () cs umd edu>
Date: Tue, 27 Aug 2002 13:53:05 -0400 (EDT)
Have you tried comparing MD5 checksums of the apache that you downloaded
and a "known good" version?  If the checksums fail, of course, you should
contact the location that you downloaded the bad version from to let them
know that they have a problem.

Also, is Apache the only new / updated software on that machine?  I'd
agree that this looks rather suspect.

-bryan


On Mon, 26 Aug 2002, Gary R. Porter wrote:


A co-worker in the office loaded what he thought was a standard download of
Apache and soon thereafter his machine started trying to reach a wide
assortment of addresses on seemingly random ports that our firewall is not
configured to let out, resulting in internal netprobes.  Many of the
addresses look suspicious.  Has anyone seen this type of thing before?

Aug 26 15:54:51  tcp  (source IPADD)  2774      209.61.184.227    6346
Aug 26 15:54:51  tcp  XX.XXX.XXX.XX   2766 CPE-144-137-30-210.    5605
Aug 26 15:54:51  tcp  XX.XXX.XXX.XX   2767 usr1271-udd.blueyon    9613
Aug 26 15:54:52  tcp  XX.XXX.XXX.XX   2768      161.45.178.190    7867
Aug 26 15:54:52  tcp  XX.XXX.XXX.XX   2769 12-249-40-71.client    8386
Aug 26 15:54:53  tcp  XX.XXX.XXX.XX   2770 N890P015.adsl.highw    6226
Aug 26 15:54:53  tcp  XX.XXX.XXX.XX   2771 209-124-131-186.pep    4396
Aug 26 15:54:54  tcp  XX.XXX.XXX.XX   2774      209.61.184.227    6346
Aug 26 15:54:54  tcp  XX.XXX.XXX.XX   2772 0x503e2304.arcnxx12    8740
Aug 26 15:54:54  tcp  XX.XXX.XXX.XX   2773 dyn-168-11.paonline    8922
Aug 26 15:54:56  tcp  XX.XXX.XXX.XX   2775 209-124-131-186.pep    4396
Aug 26 15:54:57  tcp  XX.XXX.XXX.XX   2776 226-232-234-66.tran    6840
Aug 26 15:54:58  tcp  XX.XXX.XXX.XX   2775 209-124-131-186.pep    4396
Aug 26 15:54:59  tcp  XX.XXX.XXX.XX   2776 226-232-234-66.tran    6840
Aug 26 15:55:00  tcp  XX.XXX.XXX.XX   2774      209.61.184.227    6346
Aug 26 15:55:01  tcp  XX.XXX.XXX.XX   2777      209.61.184.225    6346
Aug 26 15:55:02  tcp  XX.XXX.XXX.XX   2778 0x503e2304.arcnxx12    8740
Aug 26 15:55:04  tcp  XX.XXX.XXX.XX   2777      209.61.184.225    6346
Aug 26 15:55:04  tcp  XX.XXX.XXX.XX   2775 209-124-131-186.pep    4396
Aug 26 15:55:05  tcp  XX.XXX.XXX.XX   2778 0x503e2304.arcnxx12    8740
Aug 26 15:55:05  tcp  XX.XXX.XXX.XX   2776 226-232-234-66.tran    6840
Aug 26 15:55:08  tcp  XX.XXX.XXX.XX   2779 209-124-131-186.pep    4396
Aug 26 15:55:10  tcp  XX.XXX.XXX.XX   2777      209.61.184.225    6346
Aug 26 15:55:10  tcp  XX.XXX.XXX.XX   2780 226-232-234-66.tran    6840
Aug 26 15:55:11  tcp  XX.XXX.XXX.XX   2779 209-124-131-186.pep    4396

Gary R. Porter
Program Manager, CITS Mobile Training
MATCOM Corporation
757-838-0212 (w)
757-897-5830 (m)
gary.porter () matcomcorp com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

  By Date           By Thread  

Current thread:
  • Anyone seen this? Gary R. Porter (Aug 27)
    • Re: Anyone seen this? Bryan D. Payne (Aug 27)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]