Security Basics
Zombie / Botnet? Nov 10 2009 12:05PM
Tony Raboza (tonyraboza gmail com) (5 replies)
RE: Zombie / Botnet? Nov 11 2009 02:24AM
Murda Mcloud (murdamcloud bigpond com)
77.91.227.67
Is this in Russia? According to some lookups/tracert, it might be.

This in no way confirms whether it's one of the living dead...but still.

Do you know what this is? netwatcher-mon
Looks like some kind of network monitor, but was it put there by you/the company?
Cheers
> >-----Original Message-----
> >From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com]
> >On Behalf Of Tony Raboza
> >Sent: Tuesday, November 10, 2009 10:05 PM
> >To: security-basics (at) securityfocus (dot) com
> >Subject: Zombie / Botnet?
> >
> >Hi,
> >
> >One of our workstations is broadcasting a huge amount of UDP traffic
> >(around 5Mbps) and I'm thinking it could be a zombied computer doing
> >DDOS as directed by its controller. But the weird thing is - it has
> >an updated McAfee AV with HIPS?? Why was this not detected - or
> >could I be reading this wrong? Here's a portion of the tcpdump:
> >
> >14:00:20.509030 IP 192.168.10.10.smpppd > i.root-servers.net.hpstgmgr: UDP, length 1000
> >14:00:20.519512 IP 192.168.10.10.iiw-port > 77.91.227.67.4744: UDP, length 1000
> >14:00:20.520580 IP 192.168.10.10.odi-port > a.root-servers.net.4496: UDP, length 1000
> >14:00:20.521733 IP 192.168.10.10.brcm-comm-port > b.root-servers.net.4710: UDP, length 1000
> >14:00:20.523076 IP 192.168.10.10.pcle-infex > c.root-servers.net.826: UDP, length 1000
> >14:00:20.524186 IP 192.168.10.10.csvr-proxy > d.root-servers.net.3997: UDP, length 1000
> >14:00:20.525251 IP 192.168.10.10.csvr-sslproxy > E.ROOT-SERVERS.NET.funk-license: UDP, length 1000
> >14:00:20.526385 IP 192.168.10.10.firemonrcc > f.root-servers.net.sonuscallsig: UDP, length 1000
> >14:00:20.527798 IP 192.168.10.10.spandataport > G.ROOT-SERVERS.NET.4130: UDP, length 1000
> >14:00:20.528794 IP 192.168.10.10.magbind > h.root-servers.net.atmtcp: UDP, length 1000
> >14:00:20.529947 IP 192.168.10.10.ncu-1 > i.root-servers.net.direcpc-dll: UDP, length 1000
> >14:00:20.537027 IP 192.168.10.10.ncu-2 > 77.91.227.67.audit-transfer: UDP, length 1000
> >14:00:20.538422 IP 192.168.10.10.embrace-dp-s > 77.91.227.67.bluelance: UDP, length 1000
> >14:00:20.538712 IP 192.168.10.10.embrace-dp-c > a.root-servers.net.embrace-dp-s: UDP, length 1000
> >14:00:20.540010 IP 192.168.10.10.dmod-workspace > b.root-servers.net.bvcontrol: UDP, length 1000
> >14:00:20.540208 IP 192.168.10.10.tick-port > a.root-servers.net.925: UDP, length 1000
> >14:00:20.541412 IP 192.168.10.10.cpq-tasksmart > b.root-servers.net.bnt-manager: UDP, length 1000
> >14:00:20.541756 IP 192.168.10.10.intraintra > c.root-servers.net.864: UDP, length 1000
> >14:00:20.542941 IP 192.168.10.10.netwatcher-mon > c.root-servers.net.sbi-agent: UDP, length 1000
> >14:00:20.544113 IP 192.168.10.10.netwatcher-db > d.root-servers.net.4467: UDP, length 1000
> >14:00:20.544400 IP 192.168.10.10.isns > d.root-servers.net.4245: UDP, length 1000
> >14:00:20.545444 IP 192.168.10.10.ironmail > E.ROOT-SERVERS.NET.2374: UDP, length 1000
> >
> >
> >==
> >
> >It's sending UDP traffic to the root nameservers ....
> >
> >Any ideas?
> >Thanks.
> >
> >
> >Best,
> >Tony
> >
> >------------------------------------------------------------------------
> >Securing Apache Web Server with thawte Digital Certificate
> >In this guide we examine the importance of Apache-SSL and who needs an
> >SSL certificate. We look at how SSL works, how it benefits your company
> >and how your customers can tell if a site is secure. You will find out
> >how to test, purchase, install and use a thawte Digital Certificate on
> >your Apache web server. Throughout, best practices for set-up are
> >highlighted to help you ensure efficient ongoing management of your
> >encryption keys and digital certificates.
> >
> >http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> >------------------------------------------------------------------------

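A detection pass over capture text of the kind quoted above, added here as an example and not part of the thread or of any tool it mentions: it parses tcpdump UDP records, profiles each source host, and flags the pattern in Tony's capture (one fixed payload size to many unrelated destinations, with a fresh source port on nearly every packet), which is what separates a flood from genuine DNS traffic. The sample lines are constructed and the thresholds are assumptions to tune per network.

```python
import re
from collections import Counter, defaultdict
# One tcpdump UDP record as quoted in the thread; the port (or its /etc/services name) is the last dotted component.
UDP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+?)\.(?P<sport>[^.\s]+) > "
    r"(?P<dst>\S+?)\.(?P<dport>[^.\s:]+): UDP, length (?P<len>\d+)$"
)

def profile_udp_sources(lines):
    """Per source host: packets, distinct destinations, distinct source ports, dominant-length share, Mbps."""
    per_src = defaultdict(list)
    for line in lines:
        m = UDP_RE.match(line.strip())
        if m:  # TCP, ARP and other non-UDP records simply do not match
            per_src[m["src"]].append(m)
    profiles = {}
    for src, recs in per_src.items():
        lens = Counter(int(r["len"]) for r in recs)
        # "14:00:20.509030" -> seconds since midnight; assumes the capture does not cross midnight
        times = [int(t[:2]) * 3600 + int(t[3:5]) * 60 + float(t[6:]) for t in (r["ts"] for r in recs)]
        span = max(times) - min(times)
        profiles[src] = {
            "packets": len(recs),
            "dest_hosts": len({r["dst"].lower() for r in recs}),  # E.ROOT-SERVERS.NET == e.root-servers.net
            "src_ports": len({r["sport"] for r in recs}),
            "top_len_frac": lens.most_common(1)[0][1] / len(recs),
            "mbps": sum(lens.elements()) * 8 / span / 1e6 if span > 0 else float("inf"),
        }
    return profiles

def flag_floods(profiles, min_packets=5, min_dest_hosts=3, min_same_len=0.9, min_port_churn=0.8):
    """Sources whose UDP looks like a flood, not a protocol: one fixed payload size to many
    unrelated hosts, with a fresh source port on nearly every packet (thresholds are assumptions)."""
    return sorted(src for src, p in profiles.items()
                  if p["packets"] >= min_packets and p["dest_hosts"] >= min_dest_hosts
                  and p["top_len_frac"] >= min_same_len
                  and p["src_ports"] / p["packets"] >= min_port_churn)

# Constructed sample: five records mirror the thread's capture, then ordinary DNS lookups from a second host and one TCP line.
SAMPLE = """\
14:00:20.509030 IP 192.168.10.10.smpppd > i.root-servers.net.hpstgmgr: UDP, length 1000
14:00:20.519512 IP 192.168.10.10.iiw-port > 77.91.227.67.4744: UDP, length 1000
14:00:20.520580 IP 192.168.10.10.odi-port > a.root-servers.net.4496: UDP, length 1000
14:00:20.525251 IP 192.168.10.10.csvr-sslproxy > E.ROOT-SERVERS.NET.funk-license: UDP, length 1000
14:00:20.545444 IP 192.168.10.10.ironmail > E.ROOT-SERVERS.NET.2374: UDP, length 1000
14:00:20.550000 IP 192.168.10.20.51234 > 192.168.10.1.domain: UDP, length 45
14:00:20.560000 IP 192.168.10.20.51235 > 192.168.10.1.domain: UDP, length 52
14:00:20.580000 IP 192.168.10.20.50000 > 192.168.10.30.http: Flags [S], seq 1, win 64240, length 0
"""
```

On the sample, only 192.168.10.10 is flagged; the second host's DNS lookups go to one resolver with varying lengths and fail every test.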

Re: Zombie / Botnet? Nov 10 2009 08:37PM
Kurt Buff (kurt buff gmail com)
Re: Zombie / Botnet? Nov 10 2009 06:32PM
Drew Brown (dbrown byu net)
Re: Zombie / Botnet? Nov 10 2009 05:49PM
Jay Vlavianos (jvlavianos ecastnetwork com) (1 replies)
Re: Zombie / Botnet? Nov 10 2009 08:05PM
Trojacek (trojacek gmail com)
RE: Zombie / Botnet? Nov 10 2009 05:25PM
Barry Raveendran Greene (bgreene senki org)
Copyright 2009, SecurityFocus