Astaro User Bulletin Board - View Single Post - A portscan trojan that persists after reloading with linux instead of Vista?

BAlfson · #4 (**permalink**) 05-15-2009, 05:01 PM

As the events in the first post were occuring, the following appears in the Packet Filter log. 10.x.x.34 is the IP of the Astaro's Internal interface. x, y and z are used consistently in all three posts.

Code:

13:37:47 Packetfilter rule #15 TCP 10.x.x.111 : 60646 → 134.34.103.77 : 26285 [SYN] len=60 ttl=63 tos=0x00  srcmac=00:00:00:00:00:00 dstmac=zz:zz:zz:zz:zz:zz
13:37:47 Default DROP UDP 10.x.x.111 : 37908 → 10.x.x.34 : 5351 len=40 ttl=64 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=zz:zz:zz:zz:zz:zz
13:37:47 Packetfilter rule #15 UDP 10.x.x.111 : 26493 → 194.165.188.76 : 12350 len=82 ttl=63 tos=0x00 srcmac=yy:yy:yy:yy:yy:yy dstmac=zz:zz:zz:zz:zz:zz
13:37:47 Default DROP UDP 10.x.x.111 : 37908 → 10.x.x.34 : 5351 len=40 ttl=64 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=zz:zz:zz:zz:zz:zz
13:37:47 Packetfilter rule #15 UDP 10.x.x.111 : 26493 → 67.82.232.66 : 20772 len=50 ttl=63 tos=0x00 srcmac=yy:yy:yy:yy:yy:yy dstmac=zz:zz:zz:zz:zz:zz
13:37:47 Packetfilter rule #15 UDP 10.x.x.111 : 26493 → 190.10.171.74 : 2168 len=50 ttl=63 tos=0x00 srcmac=yy:yy:yy:yy:yy:yy dstmac=zz:zz:zz:zz:zz:zz
13:37:47 Packetfilter rule #15 UDP 10.x.x.111 : 26493 → 76.109.56.53 : 45417 len=96 ttl=63 tos=0x00 srcmac=yy:yy:yy:yy:yy:yy dstmac=zz:zz:zz:zz:zz:zz
13:37:47 Packetfilter rule #15 UDP 10.x.x.111 : 26493 → 201.29.233.209 : 19636 len=72 ttl=63 tos=0x00 srcmac=yy:yy:yy:yy:yy:yy dstmac=zz:zz:zz:zz:zz:zz
13:37:47 Packetfilter rule #15 UDP 10.x.x.111 : 26493 → 97.89.187.177 : 56315 len=72 ttl=63 tos=0x00 srcmac=yy:yy:yy:yy:yy:yy dstmac=zz:zz:zz:zz:zz:zz
13:37:47 Packetfilter rule #15 UDP 10.x.x.111 : 26493 → 129.123.92.44 : 31050 len=63 ttl=63 tos=0x00 srcmac=yy:yy:yy:yy:yy:yy dstmac=zz:zz:zz:zz:zz:zz
13:37:47 Packetfilter rule #15 UDP 10.x.x.111 : 26493 → 88.85.132.142 : 37669 len=63 ttl=63 tos=0x00 srcmac=yy:yy:yy:yy:yy:yy dstmac=zz:zz:zz:zz:zz:zz
13:37:47 Packetfilter rule #15 UDP 10.x.x.111 : 26493 → 82.251.213.46 : 55648 len=60 ttl=63 tos=0x00 srcmac=yy:yy:yy:yy:yy:yy dstmac=zz:zz:zz:zz:zz:zz
13:37:48 Default DROP UDP 10.x.x.111 : 37908 → 10.x.x.34 : 5351 len=40 ttl=64 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=zz:zz:zz:zz:zz:zz
13:37:50 Default DROP UDP 10.x.x.111 : 37908 → 10.x.x.34 : 5351 len=40 ttl=64 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=zz:zz:zz:zz:zz:zz

Any suggestions (I mean other than scrubbing every box that's done a portscan

)?

Cheers - Bob