Incidents
Internet SSH scans 2006-03-03
Alexandre H (alexandre hamelin gmail com)
Hi,

I've witnessed what I think is an increase in SSH scans over the
Internet in the past four or five weeks. The scan seems to originate
from various countries around the globe which makes me think of it to be
a worm-like spreading virus searching for vulnerable systems running the
SSH service. I

Re: Strange Traffic to ports 139 and 137 from a machine with no data 2006-03-02
Stephen J. Smoogen (smooge gmail com)
On 3/2/06, LE Backup <lucretias (at) shaw (dot) ca> wrote:
> Sorry for the oversimplification, but are you saying this is normal?
>

To clarify: I do not know if it is normal or not. I do know that it
occurred on a very small percentage (less than 0.5%) of "clean"
machines. I am primarily Linux based so I had

Re: Strange Traffic to ports 139 and 137 from a machine with no data 2006-03-02
Loki 74 (loki74 gmail com) (1 replies)
Well I have received a few people all exhibiting this, and say it can
occur from a fresh-install, currently patched, no internet connection.
I suggest we investigate more, honeypot, full diff, etc. Anyone
interested in helping?

On 3/2/06, LE Backup <lucretias (at) shaw (dot) ca> wrote:
> Sorry for the oversi

Re: Strange Traffic to ports 139 and 137 from a machine with no data 2006-03-02
Stephen J. Smoogen (smooge gmail com)
Re: Strange Traffic to ports 139 and 137 from a machine with no data 2006-03-01
loki74 gmail com (1 replies)
Also,
I ran Procexp (Sysinternals) and tcpview (Sysinternals) and the process was 'system process'

Re: Strange Traffic to ports 139 and 137 from a machine with no data 2006-03-01
Stephen J. Smoogen (smooge gmail com)
Re: Strange Traffic to ports 139 and 137 from a machine with no data 2006-03-01
loki74 gmail com
This box is running Windows 2003, all the latest patches, it has a private RFC 1918 address, and does not have NAT to get to the internet.

I did do an Ethereal capture, and the traffic had the capture, but I am not sure how to upload it here.

This is an Excel dump:

1723 7-Dec-05 7:56:19 VPN-

Strange Traffic to ports 139 and 137 from a machine with no data 2006-02-28
loki74 gmail com (5 replies)
Hello all,
I have a machine that is sending out empty data packets destined to random IP addresses with a destination port of 137 and 139. All the IP addresses seem to be a military and NOC location. I have attached some of the IPs below. I have run antivirus, anti-spyware and rootkit detectors

Re: Strange Traffic to ports 139 and 137 from a machine with no data 2006-03-01
Joachim Schipper (j schipper math uu nl)
Re: Strange Traffic to ports 139 and 137 from a machine with no data 2006-02-28
Mark Owen (mr markowen gmail com)
Re: Strange Traffic to ports 139 and 137 from a machine with no data 2006-03-01
Kyle Maxwell (krmaxwell gmail com)
Re: Strange Traffic to ports 139 and 137 from a machine with no data 2006-02-28
Dude VanWinkle (dudevanwinkle gmail com)
Re: Re: How to determine which PHP-script allows spamming? 2006-02-27
tyler tylerhall net
http://choon.net/php-mail-header.php

How to determine which PHP-script allows spamming? 2006-02-24
Rainer Duffner (rainer ultra-secure de) (3 replies)
Hello,

I have a big problem. Some customer probably got installed a PHP script
that allows sending out mails with no trace to the original domain it
belongs to (we had this before, where pollvote.php was used to install
some kind of web-shell - but it was easily detectable which domain it was).

R: How to determine which PHP-script allows spamming? 2006-02-27
Sebastian "En3pY" Zdrojewski (en3py itvc net) (1 replies)
Re: R: How to determine which PHP-script allows spamming? 2006-02-28
Mike Owen (kyphros gmail com)
Re: How to determine which PHP-script allows spamming? 2006-02-26
Andre Yelistratov (andre sundale net)
Re: How to determine which PHP-script allows spamming? 2006-02-25
Alex (incidents alex gotdns org)
announcement: reporting and mitigating botnets 2006-02-24
Gadi Evron (ge linuxbox org)
Hi guys. There have been numerous queries about the subject of reporting
and mitigating botnets in the last few months.

I promised I would get back to all of you, here we go.

We started a new PUBLIC and OPEN mailing list where anyone can join in
and report a botnet command and control (C&C) serve

Increase in MS-SQL Probes 2006-02-23
Mark Ryan del Moral Talabis (talabis gmail com)
We have been seeing an increase in port 1433 in the past few days.
Multiple probes directed towards port 1433 are still being captured.
Just this day, the probes came from not less than 10 different IP
sources for one target. Bulk of the IP sources are coming from
mainland China but a number of prob

Re: RE: Bizarre traffic 2006-02-23
selfinnoculation yahoo com (1 replies)
I am not too sure if I can agree with you at this moment, David. It is indeed weird that traffic is only heading towards the HTTPS port.

Have you considered running a netmon service on that source machine to see which application is actually sending out requests for HTTPS? You might be able to nail

Re: RE: Bizarre traffic 2006-02-23
Ramez Hanna (ramez hanna gmail com) (1 replies)
Re: RE: Bizarre traffic 2006-02-24
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (1 replies)
Re: RE: Bizarre traffic 2006-02-24
Dick St.Peters (stpeters NetHeaven com)
Re: RE: Bizarre traffic 2006-02-17
mosquitooth gmx net
Perhaps just some badly written malware with a false byte ordering (so in reality, this could be a broadcast scan or something like that)?

Copyright 2010, SecurityFocus