
A possibly infected network.


No replies to this topic

#1 C-zom


Posted 25 July 2010 - 04:16 AM

I apologize for two topics, the Networking forum didn't seem to cover this issue so I thought I would post here. Please just delete whichever topic is in the wrong location.

To be brief, a computer in our network got a rootkit because they used Internet Explorer on an unsafe site. That computer has since been cleaned with BlackLight, ComboFix, Malwarebytes and so on. No other computers on the network got a virus or rootkit from it. All appears to be fixed. However, an underlying and highly unusual symptom has occurred afterwards: all computers in the network have inbound connections from UDP 1024 connecting to UDP 137, and it's both receiving and sending a lot of bytes. Now, is this harmless chatter, or did the payload include a bot? I really need to find out if my network is infected. No other computers are showing unusual signs besides this very persistent inbound connection. Terminating the connection does little; it returns moments later.

All computers are using static IP addresses. I turned them all off and renewed our IPs, and the inbound connection stopped. To test, I turned the static IPs back on. Sure enough, the inbound connection came back and got right to work on whatever it's doing. I know that TCP 1024 is Latinus and is hell on earth to deal with, but this is UDP 1024 and can potentially just be fine. How can I tell for sure, guys? I really, REALLY don't want to deal with an infected network. From my computer with static IP on:

Edited by C-zom, 25 July 2010 - 04:17 AM.
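The traffic the poster describes (a client-side port talking to UDP 137) is NetBIOS Name Service (NBNS), which Windows hosts on a LAN use to register and resolve machine names. The script below is an added triage example, not something from the post or from BleepingComputer: it parses constructed flow records of the form `UDP src:port -> dst:port`, rates each UDP/137 flow by whether the peer sits inside the local subnet (LAN name-service chatter is expected; NBNS arriving from outside the LAN is not), and decodes a constructed NBNS name query so the reader can see what the payload of "harmless chatter" looks like. The flow line format, the LAN range `192.168.1.0/24`, the host name `FILESRV` and the transaction id are all assumptions made for the demo.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Hypothetical subset of well-known UDP services a LAN host is expected to talk to.
WELL_KNOWN_UDP = {53: "DNS", 123: "NTP", 137: "NetBIOS Name Service (NBNS)",
                  138: "NetBIOS Datagram Service"}

@dataclass
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def parse_flow(line: str) -> Flow:
    """Parse a constructed flow record such as 'UDP 192.168.1.20:1024 -> 192.168.1.10:137'."""
    proto, rest = line.split(None, 1)
    src, dst = (part.strip() for part in rest.split("->"))
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(proto.upper(), src_ip, int(src_port), dst_ip, int(dst_port))

def triage_flow(flow: Flow, lan_cidr: str) -> dict:
    """Rate one inbound flow: NBNS from inside the LAN is normal, from outside it is not."""
    lan = ipaddress.ip_network(lan_cidr)
    peer_is_local = ipaddress.ip_address(flow.src_ip) in lan
    service = WELL_KNOWN_UDP.get(flow.dst_port, "unknown") if flow.proto == "UDP" else "non-UDP"
    # Ports below 1024 are IANA well-known ports; a client normally sends from a higher one.
    src_port_note = ("well-known source port, unusual for a client" if flow.src_port < 1024
                     else "dynamic-range source port, normal for a client")
    if flow.proto == "UDP" and flow.dst_port == 137 and peer_is_local:
        verdict = "expected"      # LAN hosts broadcast/unicast NBNS queries and registrations
    elif flow.proto == "UDP" and flow.dst_port == 137:
        verdict = "investigate"   # NBNS should not be arriving from outside the LAN
    else:
        verdict = "review"        # not the traffic this triage is written for
    return {"service": service, "peer_is_local": peer_is_local,
            "src_port_note": src_port_note, "verdict": verdict}

def encode_nbns_name(name: str, suffix: int) -> str:
    """First-level encoding: 15-char space-padded name + 1 suffix byte, each nibble + 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr((b >> 4) + 0x41) + chr((b & 0x0F) + 0x41) for b in raw)

def decode_nbns_name(encoded: str) -> tuple:
    """Reverse of encode_nbns_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("NBNS encoded name must be 32 characters")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def build_nbns_query(txid: int, name: str, suffix: int) -> bytes:
    """Constructed sample: broadcast NB query (flags 0x0110 = RD + B, QTYPE NB, QCLASS IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    question = (bytes([32]) + encode_nbns_name(name, suffix).encode("ascii")
                + b"\x00" + struct.pack("!HH", 0x0020, 0x0001))
    return header + question

def parse_nbns_query(payload: bytes) -> dict:
    """Decode the 12-byte NBNS header and the single question that follows it."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if qdcount != 1 or payload[12] != 32 or payload[45] != 0:
        raise ValueError("not a single-question NBNS packet")
    name, suffix = decode_nbns_name(payload[13:45].decode("ascii"))
    qtype, qclass = struct.unpack("!HH", payload[46:50])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "broadcast": bool(flags & 0x0010), "name": name, "suffix": suffix,
            "qtype": qtype, "qclass": qclass}

# Constructed sample data for the demo (not real capture output).
SAMPLE_FLOWS = ["UDP 192.168.1.20:1024 -> 192.168.1.10:137",
                "UDP 203.0.113.5:1024 -> 192.168.1.10:137"]
SAMPLE_QUERY = build_nbns_query(0x1234, "FILESRV", 0x20)

if __name__ == "__main__":
    for line in SAMPLE_FLOWS:
        print(line, "=>", triage_flow(parse_flow(line), "192.168.1.0/24"))
    print(parse_nbns_query(SAMPLE_QUERY))
```

Run against real data, the flow records would come from `netstat` or a firewall log and the payload from a packet capture on UDP 137; the triage only answers the narrow question of whether the NBNS peers are where they should be, which is the check that separates normal LAN name-service noise from something worth a closer look.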

