McAfee is, by no means, a silver bullet. There are various attacks on
the AV product itself that can mask infection and there are other
methods of zombification that are not detected via AV.
Disable system restore points and reboot to a bootable cd with
malware / AV scanning to verify.
Massive UDP could be an RTP broadcast but it would not be directed at
root servers so your initial thoughts of a ddos are probably correct.
-Jay
On Nov 10, 2009, at 9:36 AM, "Tony Raboza" <tonyraboza (at) gmail (dot) com [email concealed]> wrote:
> Hi,
>
> One of our workstations is broadcasting a huge amount of UDP traffic
> (around 5Mbps) and I'm thinking it could be a zombied computer doing
> DDOS as directed by its controller. But the weird thing is - it has
> an updated McAfee AV with HIPS ?? Why was this not detected - or
> could I be reading this wrong? Here's a portion of the tcpdump:
>
> 14:00:20.509030 IP 192.168.10.10.smpppd > i.root-servers.net.hpstgmgr:
> UDP, length 1000
> 14:00:20.519512 IP 192.168.10.10.iiw-port > 77.91.227.67.4744: UDP,
> length 1000
> 14:00:20.520580 IP 192.168.10.10.odi-port > a.root-servers.net.4496:
> UDP, length 1000
> 14:00:20.521733 IP 192.168.10.10.brcm-comm-port >
> b.root-servers.net.4710: UDP, length 1000
> 14:00:20.523076 IP 192.168.10.10.pcle-infex > c.root-servers.net.826:
> UDP, length 1000
> 14:00:20.524186 IP 192.168.10.10.csvr-proxy > d.root-servers.net.3997:
> UDP, length 1000
> 14:00:20.525251 IP 192.168.10.10.csvr-sslproxy >
> E.ROOT-SERVERS.NET.funk-license: UDP, length 1000
> 14:00:20.526385 IP 192.168.10.10.firemonrcc >
> f.root-servers.net.sonuscallsig: UDP, length 1000
> 14:00:20.527798 IP 192.168.10.10.spandataport >
> G.ROOT-SERVERS.NET.4130: UDP, length 1000
> 14:00:20.528794 IP 192.168.10.10.magbind > h.root-servers.net.atmtcp:
> UDP, length 1000
> 14:00:20.529947 IP 192.168.10.10.ncu-1 >
> i.root-servers.net.direcpc-dll: UDP, length 1000
> 14:00:20.537027 IP 192.168.10.10.ncu-2 > 77.91.227.67.audit-transfer:
> UDP, length 1000
> 14:00:20.538422 IP 192.168.10.10.embrace-dp-s >
> 77.91.227.67.bluelance: UDP, length 1000
> 14:00:20.538712 IP 192.168.10.10.embrace-dp-c >
> a.root-servers.net.embrace-dp-s: UDP, length 1000
> 14:00:20.540010 IP 192.168.10.10.dmod-workspace >
> b.root-servers.net.bvcontrol: UDP, length 1000
> 14:00:20.540208 IP 192.168.10.10.tick-port > a.root-servers.net.925:
> UDP, length 1000
> 14:00:20.541412 IP 192.168.10.10.cpq-tasksmart >
> b.root-servers.net.bnt-manager: UDP, length 1000
> 14:00:20.541756 IP 192.168.10.10.intraintra > c.root-servers.net.864:
> UDP, length 1000
> 14:00:20.542941 IP 192.168.10.10.netwatcher-mon >
> c.root-servers.net.sbi-agent: UDP, length 1000
> 14:00:20.544113 IP 192.168.10.10.netwatcher-db >
> d.root-servers.net.4467: UDP, length 1000
> 14:00:20.544400 IP 192.168.10.10.isns > d.root-servers.net.4245: UDP,
> length 1000
> 14:00:20.545444 IP 192.168.10.10.ironmail > E.ROOT-SERVERS.NET.2374:
> UDP, length 1000
>
>
> ==
>
> Its sending UDP traffic to the root nameservers ....
>
> Any ideas?
> Thanks.
>
>
> Best,
> Tony
>
> ---
> ---------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs
> an SSL certificate. We look at how SSL works, how it benefits your
> company and how your customers can tell if a site is secure. You
> will find out how to test, purchase, install and use a thawte
> Digital Certificate on your Apache web server. Throughout, best
> practices for set-up are highlighted to help you ensure efficient
> ongoing management of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
> ---
> ---------------------------------------------------------------------
>
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
the AV product itself that can mask infection and there are other
methods of zombification that are not detected via AV.
Disable system restore points and reboot to a bootable cd with
malware / AV scanning to verify.
Massive UDP could be an RTP broadcast but it would not be directed at
root servers so your initial thoughts of a ddos are probably correct.
-Jay
On Nov 10, 2009, at 9:36 AM, "Tony Raboza" <tonyraboza (at) gmail (dot) com [email concealed]> wrote:
> Hi,
>
> One of our workstations is broadcasting a huge amount of UDP traffic
> (around 5Mbps) and I'm thinking it could be a zombied computer doing
> DDOS as directed by its controller. But the weird thing is - it has
> an updated McAfee AV with HIPS ?? Why was this not detected - or
> could I be reading this wrong? Here's a portion of the tcpdump:
>
> 14:00:20.509030 IP 192.168.10.10.smpppd > i.root-servers.net.hpstgmgr:
> UDP, length 1000
> 14:00:20.519512 IP 192.168.10.10.iiw-port > 77.91.227.67.4744: UDP,
> length 1000
> 14:00:20.520580 IP 192.168.10.10.odi-port > a.root-servers.net.4496:
> UDP, length 1000
> 14:00:20.521733 IP 192.168.10.10.brcm-comm-port >
> b.root-servers.net.4710: UDP, length 1000
> 14:00:20.523076 IP 192.168.10.10.pcle-infex > c.root-servers.net.826:
> UDP, length 1000
> 14:00:20.524186 IP 192.168.10.10.csvr-proxy > d.root-servers.net.3997:
> UDP, length 1000
> 14:00:20.525251 IP 192.168.10.10.csvr-sslproxy >
> E.ROOT-SERVERS.NET.funk-license: UDP, length 1000
> 14:00:20.526385 IP 192.168.10.10.firemonrcc >
> f.root-servers.net.sonuscallsig: UDP, length 1000
> 14:00:20.527798 IP 192.168.10.10.spandataport >
> G.ROOT-SERVERS.NET.4130: UDP, length 1000
> 14:00:20.528794 IP 192.168.10.10.magbind > h.root-servers.net.atmtcp:
> UDP, length 1000
> 14:00:20.529947 IP 192.168.10.10.ncu-1 >
> i.root-servers.net.direcpc-dll: UDP, length 1000
> 14:00:20.537027 IP 192.168.10.10.ncu-2 > 77.91.227.67.audit-transfer:
> UDP, length 1000
> 14:00:20.538422 IP 192.168.10.10.embrace-dp-s >
> 77.91.227.67.bluelance: UDP, length 1000
> 14:00:20.538712 IP 192.168.10.10.embrace-dp-c >
> a.root-servers.net.embrace-dp-s: UDP, length 1000
> 14:00:20.540010 IP 192.168.10.10.dmod-workspace >
> b.root-servers.net.bvcontrol: UDP, length 1000
> 14:00:20.540208 IP 192.168.10.10.tick-port > a.root-servers.net.925:
> UDP, length 1000
> 14:00:20.541412 IP 192.168.10.10.cpq-tasksmart >
> b.root-servers.net.bnt-manager: UDP, length 1000
> 14:00:20.541756 IP 192.168.10.10.intraintra > c.root-servers.net.864:
> UDP, length 1000
> 14:00:20.542941 IP 192.168.10.10.netwatcher-mon >
> c.root-servers.net.sbi-agent: UDP, length 1000
> 14:00:20.544113 IP 192.168.10.10.netwatcher-db >
> d.root-servers.net.4467: UDP, length 1000
> 14:00:20.544400 IP 192.168.10.10.isns > d.root-servers.net.4245: UDP,
> length 1000
> 14:00:20.545444 IP 192.168.10.10.ironmail > E.ROOT-SERVERS.NET.2374:
> UDP, length 1000
>
>
> ==
>
> Its sending UDP traffic to the root nameservers ....
>
> Any ideas?
> Thanks.
>
>
> Best,
> Tony
>
> ---
> ---------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs
> an SSL certificate. We look at how SSL works, how it benefits your
> company and how your customers can tell if a site is secure. You
> will find out how to test, purchase, install and use a thawte
> Digital Certificate on your Apache web server. Throughout, best
> practices for set-up are highlighted to help you ensure efficient
> ongoing management of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
> ---
> ---------------------------------------------------------------------
>
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------
[ reply ]