Security Incidents: Odd activity.

[cw <cw () fidei co uk>]

Hi there.
At the end of last week I was having problems with my laptop. Half the time it would freeze when booting whilst at one 
point I was seeing some odd process activity. At 24 second intervals I would see a burst of activity (~70% CPU 
utilisation) and the computer would lock at the same time. I have just checked the firewall log of my desktop to see 
something I wasn't expecting.

First off there are loads of blocked entries blocked for ip protocol 60.
I then saw a scrambled portscan of ports 50000-50099. By scrambled I mean out no discernable order (then again number 
patterns was my worst area of maths). Each scan is three packets to the port and some ports were repeated.

Last week I hadn't noticed the unusual log entries. As it coincided with me putting Service Pack 3 on my machine 
(Win2K) I assumed that was the cause so I wiped the root partition and reinstalled. I do have another partition on the 
drive

Does this pattern look familiar to anyone? I did run a viruscan on the machine prior to reinstalling (McAfee 5.21.1000, 
Engine 4.1.60, Dats 4.04.4217) which found nothing and I was running a firewall (Kerio). I'd also made sure to kill and 
disable every service that wasn't explicitly needed which is basically everything except what is needed for the 
operating system to run.

Has anyone got any tips on what I should look for on the other partition incase anything was left there?

Cheers,
Colin.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com