
My server is an attacker!


Original Message
Name: Mathieu
Date: October 23, 2002 at 07:26:54 Pacific
Subject: My server is an attacker!
OS: NT 4 Server
CPU/Ram: 128
Comment:

My firewall log got much bigger on Monday. So I started to wonder... is someone attacking me? I checked the log and saw nothing that unusual. I went to www1.dshield.org to check my IP. Basically, DShield is a distributed IDS. You send your log to their site if you've been attacked.

My PDC (behind a firewall) has been identified as an attacker!!! It really smells like a Trojan or something, because it's written that my server tries to reach someone on port 80 (no, it's not a normal web request). I know that a lot of Trojans try to send info to web servers. The source ports are 2382, 2383, 2384... which might not be of importance, because you know that a computer often uses dynamically assigned ports for requests.

I checked the processes on my servers. I also checked the .exe and .dll files that had been changed on Monday. Started a Net Monitor on my NT 4 machines... nothing.

Any info on this would be appreciated!

Mathieu

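The pattern Mathieu describes (an internal host opening a run of outbound connections to port 80 from consecutive source ports, which DShield then reports as attacker traffic) is something a firewall log can be checked for directly. The script below is an added example written for this thread, not code from the original post or from DShield. It assumes a simplified, constructed log line format (`date time action proto src:port -> dst:port`); a real firewall export would need its own parser, but the detection logic is the same: group outbound connections per internal host, find the densest window, and flag hosts that exceed a connection count, noting whether the source ports step up by one (a sign of a single process opening sockets in a tight loop).

```python
"""Flag internal hosts that open bursts of outbound connections, from
firewall log lines. Example code for this thread; the log format and the
sample lines below are constructed, not taken from any real product."""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Hypothetical log format assumed for this example:
#   <YYYY-MM-DD> <HH:MM:SS> <ACTION> <PROTO> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# RFC 1918 ranges; anything else is treated as "outside the firewall".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: one host opening six web connections in four
# seconds from sequential source ports, one host browsing normally, one
# blocked inbound probe, and one malformed line.
SAMPLE_LOG = """\
2002-10-21 09:12:01 ALLOW TCP 192.168.1.10:2382 -> 203.0.113.5:80
2002-10-21 09:12:02 ALLOW TCP 192.168.1.10:2383 -> 203.0.113.5:80
2002-10-21 09:12:02 ALLOW TCP 192.168.1.10:2384 -> 203.0.113.9:80
2002-10-21 09:12:03 ALLOW TCP 192.168.1.10:2385 -> 203.0.113.5:80
2002-10-21 09:12:04 ALLOW TCP 192.168.1.10:2386 -> 203.0.113.17:80
2002-10-21 09:12:05 ALLOW TCP 192.168.1.10:2387 -> 203.0.113.5:80
2002-10-21 09:13:40 ALLOW TCP 192.168.1.22:1041 -> 198.51.100.2:80
2002-10-21 09:15:10 ALLOW TCP 192.168.1.22:1042 -> 198.51.100.2:80
2002-10-21 09:15:11 DENY TCP 198.51.100.77:4321 -> 192.168.1.10:139
this line is garbage and should be skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_outbound_bursts(lines, window_seconds=60, threshold=5):
    """Return {src_ip: report} for internal hosts that opened at least
    `threshold` outbound connections inside any `window_seconds` window.
    The report covers the densest such window for that host."""
    per_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        # Keep only internal -> external traffic; skip inbound and junk lines.
        if rec is None or not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        per_host[rec["src"]].append(rec)

    reports = {}
    for src, recs in per_host.items():
        recs.sort(key=lambda r: r["ts"])  # stable, keeps log order for equal timestamps
        best = None  # (start_index, count) of the densest window seen so far
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits in window_seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[1]):
                best = (start, count)
        if best is None:
            continue
        window = recs[best[0]:best[0] + best[1]]
        sports = [r["sport"] for r in window]
        reports[src] = {
            "connections": best[1],
            "first_seen": window[0]["ts"].isoformat(sep=" "),
            "last_seen": window[-1]["ts"].isoformat(sep=" "),
            "destinations": Counter((r["dst"], r["dport"]) for r in window),
            # Source ports climbing by exactly one each time suggests one
            # process opening sockets back to back, as in the thread.
            "sequential_source_ports": all(b - a == 1 for a, b in zip(sports, sports[1:])),
        }
    return reports


if __name__ == "__main__":
    for host, report in find_outbound_bursts(SAMPLE_LOG.splitlines()).items():
        print(host, report)
```

Run against the constructed sample, only 192.168.1.10 is reported: six connections in four seconds, source ports 2382 through 2387 in sequence, mostly to one destination on port 80. The host that opened two connections ninety seconds apart stays below the threshold, and the inbound DENY line is ignored because its source is external. On a real export, tune `threshold` and `window_seconds` to the host's normal traffic before treating a hit as more than a lead to check with a process listing or a sniffer.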


Response Number 1
Name: julia
Date: October 23, 2002 at 07:43:15 Pacific
Reply:

i don't know anything about your problem, but i do wonder if it could have anything to do with the new variation on the Opaserv worm (discussed in the brasil.pif thread here) & the attack on the internet root servers on monday? i was cleaning Opaserv off my system on monday, and during the process my firewall blocked a lot of traffic to a lot of gov't and other servers...

whether that really has to do with the internet root servers attack i don't know, but opaserv certainly is a popular virus this week, so you might want to see if that's what you have.

good luck.../julia



Response Number 2
Name: jon
Date: October 23, 2002 at 08:44:26 Pacific
Reply:

have you tried sniffing the packets to see what type of info is being transferred across the wire? are your virus defs up to date as well?



Response Number 3
Name: Tim
Date: October 23, 2002 at 10:19:11 Pacific
Reply:

1. Internet Root Servers Attacked
In the latest and particularly dramatic demonstration that no network is
safe from the perils of modern computing, Monday evening a
sophisticated, large-scale DDOS (distributed denial of service) attack
took on the Internet's 13 root servers. Of the 13 root servers,
responsible for handling the Internet's DNS (domain name system), only 4
or 5 took the hit (an onslaught of illegitimate service requests)
without denying service to legitimate traffic.

As the root server system is designed to maintain normal traffic with
just 4 or 5 of the servers functioning, users probably did not notice
the attack. Despite this built-in service "buffer", a longer and more
powerful attack could have slowed traffic down to noticeable levels or
even worse.

The FBI among others is investigating the event and at this time no one
knows who may be behind this attack. A spokesman for UUNET, operator of
two of the 13 root servers said, "This could be someone just messing
around, but it could also be something much more serious. It's too soon
to say." There is also the danger that this was just a "test" strike, a
prelude to a more serious attack in the future.

The majority of DDoS attacks, in which the computing power of many
computers is focused against an individual or a smaller number of
computers, are perpetrated by hackers who use automated software
to scan millions of computers for known security holes. The computers
that are found to have the necessary vulnerabilities are usually owned
by unsuspecting, innocent home users who are unaware that their
computers are taking part in distributed denial of service attacks.

Offering a solution to DDoS attacks Alan Paller, research director at
the SANS Institute, a nonprofit security research and training group,
warns, "The only way to stop such attacks is to fix the vulnerabilities on
the machines that ultimately get taken over and used to launch them.
There's no defense once the machines are under the attacker's control."

