May 21, 2010 at 1:48 am #5081
Hi all, need advices please, i’ve just realized yesterday on the network one user always have connection POST to http://chernomorsky.name but when i try to get in to that website i can’t, basically first i try to ping the website which show the ip address and always request time out.
The log from my proxy box:
ip-address-user POST http://chernomorsky.name/upload.php?bacf8e0422bb12604d4dcf26c99bcaa9
I’m very curious about this and had been try to use scapy to send receive packet but it always finished packets but the receives packet always not show up.
Yesterday i also block that website from my proxy box and i will be check the firewall too.
Is there any other thing i must to do to try figure out this issue, need advices please, i’m still need learn a lot from you guys or i’m just being to much paranoid about this.
Thank’s a lot
May 21, 2010 at 2:29 am #32250
Are you saying that you ran a packet sniffer on the network and you can only see outgoing packets, and nothing coming back? What’s going outbound? Is there anything goofy running on the user’s computer that is making this POST request?
It could be that the remote host is only available at certain times.
May 21, 2010 at 2:35 am #32251
May 21, 2010 at 2:40 am #32252
Did the machine your ran the packet sniffer on have the same public IP as the machine making these connections? The remote host can be doing IP checking. It could also be checking for user agents, referrers, etc.
May 21, 2010 at 2:46 am #32253
No Ketchup, on my box i use different ip public with network, so is there anything else i must do, i’ve been blocked access to that website and right now i’m gonna check the user pc.
Need any advices Ketchup thank’s a lot.
May 21, 2010 at 3:05 am #32254
Sounds like the user’s PC is the best place to look. Keeps us posted and let us know how you make out. If you find anything strange, post it, and we will try to help.
May 21, 2010 at 3:23 am #32255
Right now i’m doing scan with avira personal and after finish i will try with malware bytes free, is there any suggestion please?.
And I’m just check the connection of that user ip before doing scanning av pc,
is the connection go throught illmap.ru i’m not yet check this out, i will try to find out later.
Thank’s a lot
May 21, 2010 at 3:38 am #32256
I would also run a packet capture on this computer to see where else it may be connecting. Also check the auto-run points in the registry and file systems to see what may be starting automatically that you are not aware of.
If you do not trust this computer, I would rebuild it if I was in your shoes. That’s the only way to ensure that you wipe away any infection. It may be overkill, but it’s certainly safe.
May 21, 2010 at 4:21 am #32257XenParticipant
Use Hijackthis http://majorgeeks.com/Trend_Micro_HijackThis_d5554.html and scan for any modified registry before using AVscanners. If any malicious code is found, delete it and run HijackThis again and compare the two log files.
Note: Do not delete any registry usign HijackThis unless you’re completely sure of what it does. You can use automatic HJT log analyzers http://www.internetinspiration.co.uk/hijack%20this-Automated%20analysis.htm to assist you. Also, Google each of the registry entry.
May 21, 2010 at 4:50 am #32258
Thank’s for all your feedback, got the exploit in C:Document and SettingsuserLocal SettingTempjar_cache446947312547567613.tmp(Java.9357 exploit) and rootkit Bubnix.S rootkit C:Windowssystem32driverszeepu.sys, got deleted it and now i see on my router box not have any connection from that user ip to suspect website.
You’re right Ketchup, i don’t trust the computer and i have told him to format the pc but he not yet give permission about that, i had told him if pc got rootkit the best way is format the pc and is there any network method to know how the rootkit and exploit got to the pc cause this is for information to users, cause if i setting firewall but users got the malware/virus/troj/rootkit from the file in internet like accidentally they download from internet or from software messenger like skype/yahoo messenger, how do i know or prevented this happen?
Thank’s a lot guys,
May 21, 2010 at 5:20 am #32259XenParticipant
The best way to prevent such attacks is to give users the minimum privilege they need to do their work efficiently. Do the users need yahoo messenger for their work? Do they need to install software on your company’s systems? In the end, even if you do everything you can– patching,access policies etc. and some user downloads malware off of a messenger program it hurts a lot, not to mention wastage of time dealing with the infection.
Have a good security policy. Who can and can’t install software on systems? What software can be installed? etc.
May 21, 2010 at 5:50 am #32260
Yes, you’re right Equix3n, but this user of this pc wants he can do installation on pc he use and actually he is some kind general manager on office so, from the beginning my supervisor give full access on his pc and it’s true like you said it’s all about policy and honestly i don’t have such as power to make decision and i’ve think about sudowin and want to give a shot about that, thank you for the feedback.
- You must be logged in to reply to this topic.