Astaro User Bulletin Board - View Single Post - A portscan trojan that persists after reloading with linux instead of Vista?

BAlfson · #1 (**permalink**) 05-15-2009, 03:35 PM

Something inside the network is doing portscans outside the network:

Code:

2009:05:14-13:37:47 post ulogd[2990]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth0" outitf="eth0" dstmac="zz:zz:zz:zz:zz:zz" srcmac="yy:yy:yy:yy:yy:yy" srcip="10.x.x.111" dstip="85.86.106.91" proto="17" length="61" tos="0x00" prec="0x00" ttl="63" srcport="26493" dstport="57455" 
2009:05:14-13:37:47 post ulogd[2990]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth0" outitf="eth0" dstmac="zz:zz:zz:zz:zz:zz" srcmac="yy:yy:yy:yy:yy:yy" srcip="10.x.x.111" dstip="69.243.15.69" proto="17" length="62" tos="0x00" prec="0x00" ttl="63" srcport="26493" dstport="16774" 
2009:05:14-13:37:47 post ulogd[2990]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth0" outitf="eth0" dstmac="zz:zz:zz:zz:zz:zz" srcmac="yy:yy:yy:yy:yy:yy" srcip="10.x.x.111" dstip="72.188.102.64" proto="17" length="63" tos="0x00" prec="0x00" ttl="63" srcport="26493" dstport="59201"

This is an interesting situation...

The laptop at 10.x.x.111 seems to have had this problem since 4/24 when it was loaded with Vista. The programmer erased and reloaded Vista twice, then, frustrated, erased the disk again and loaded it with linux.

When the IP on the laptop changes, the srcip changes to the new IP, but the srcmac always matches to the External Astaro interface and dstmac always matches to the Internal interface.

Anyone have any suggestions?

Cheers - Bob