
I think I had a bot or sniffer. Really could use help.


2 replies to this topic

#1 C-zom


Posted 25 July 2010 - 04:14 AM

To be brief, a computer in our network got a rootkit because they used Internet Explorer on an unsafe site. That computer has since been cleaned with BlackLight, ComboFix, Malwarebytes and so on. No other computers on the network got a virus or rootkit from it. All appears to be fixed. However, an underlying and highly unusual symptom has occurred afterwards: all computers in the network have inbound connections from UDP 1024 connecting to UDP 137, and it's both receiving and sending a lot of bytes. Now, is this harmless chatter, or did the payload include a bot? I really need to find out if my network is infected. No other computers are showing unusual signs besides this very persistent inbound connection. Terminating the connection does little; it returns moments later.

All computers are using static IP addresses. I turned them all off and renewed our IPs, and the inbound connection stopped. To test, I turned the static IPs back on. Sure enough, the inbound connection came back and got right to work on whatever it's doing. I know that TCP 1024 is Latinus and is hell on earth to deal with, but this is UDP 1024 and can potentially just be fine. How can I tell for sure, guys? I really, REALLY don't want to deal with an infected network.

Edited by C-zom, 25 July 2010 - 04:17 AM.



#2 CaveDweller2


Posted 25 July 2010 - 07:16 PM

Well, UDP is connectionless, so it's just sending. Do you have any weird outbound traffic? Not sure what could be sending it or why. If it were TCP then you have a serious issue, like you said lol.

Bad thing is I'm not sure what to tell you or how to tell if it's completely safe. I'd keep an eye on it and just keep checking. Maybe someone else can help more, sorry.

Hope this helps

Associate in Applied Science - Network Systems Management - Trident Technical College


#3 C-zom


Posted 25 July 2010 - 08:02 PM

No weird outbound traffic. Kaspersky, Steam, MSN and the usual stuff. Nothing alarming or using weird ports or sending tons of bytes. Normal stuff. No TCP inbounds at all. Very strange.

Yeah, thanks for the help though; it is helpful for me to hear it's really just ambiguous. It's probably just random UDP chatter, weird as it is, but I've personally never seen UDP used for a netbot before.
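As an added, defender-side example (not from either poster), here is a small Python decoder for the NetBIOS Name Service format that UDP port 137 carries, so a captured datagram can be inspected instead of guessed at: the header opcode says whether it is a name query, registration, release or refresh, and the broadcast flag and name suffix show what ordinary Windows name-resolution chatter looks like. The sample datagram is constructed inline, and the function names are my own.

```python
import struct

# NBNS opcodes (RFC 1002 s.4.2.1.1) and question types carried on UDP 137
OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}
QTYPES = {0x20: "NB", 0x21: "NBSTAT"}

def encode_name(name, suffix=0x00):
    """First-level encode a NetBIOS name: pad to 15 bytes, append the suffix byte,
    then write each nibble as a letter 'A'..'P' (RFC 1001 s.14.1)."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    enc = "".join(chr(65 + (b >> 4)) + chr(65 + (b & 0xF)) for b in raw)
    return b"\x20" + enc.encode("ascii") + b"\x00"

def decode_name(payload, offset):
    """Decode an encoded name at offset; returns (name, suffix, offset_after_name)."""
    length = payload[offset]
    enc = payload[offset + 1:offset + 1 + length].decode("ascii")
    raw = bytes(((ord(enc[i]) - 65) << 4) | (ord(enc[i + 1]) - 65)
                for i in range(0, length, 2))
    end = offset + 1 + length
    if payload[end] != 0:
        raise ValueError("NetBIOS scope IDs are not handled in this example")
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15], end + 1

def parse_nbns(payload):
    """Parse the 12-byte NBNS header and, if present, the first question entry."""
    if len(payload) < 12:
        raise ValueError("too short for an NBNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    info = {"txid": txid, "response": bool(flags & 0x8000),
            "opcode": OPCODES.get((flags >> 11) & 0xF, "unknown"),
            "broadcast": bool(flags & 0x0010), "rcode": flags & 0xF,
            "counts": (qd, an, ns, ar)}
    if qd:
        name, suffix, off = decode_name(payload, 12)
        qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
        info.update(name=name, suffix=suffix, qtype=QTYPES.get(qtype, hex(qtype)))
    return info

def build_query(txid, name, suffix=0x00, qtype=0x20, broadcast=True):
    """Constructed sample input: a broadcast NB name query like a Windows host sends."""
    flags = 0x0100 | (0x0010 if broadcast else 0)  # opcode 0, RD set, B flag
    return (struct.pack("!6H", txid, flags, 1, 0, 0, 0)
            + encode_name(name, suffix) + struct.pack("!HH", qtype, 1))

if __name__ == "__main__":
    print(parse_nbns(build_query(0x1234, "FILESERVER", 0x20)))
```

Feed it the UDP payload of a captured port-137 datagram; a steady stream of broadcast queries and registrations for workstation (0x00) or server (0x20) names is what normal NetBIOS traffic looks like, while unknown opcodes, unexpected question types or non-name payloads are the thing to chase.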



