
Problems with machine sending out "get" requests

Feb 20, 2002
Hi

I have a Windows machine on the network; upon looking in my firewall logs, it is sending out lots (every couple of seconds) of "get" requests to lots of different IP addresses (whois shows them to be quite random). I have a full version of McAfee (up to date) and a full scan shows no problem. I then installed a program called "BoDetect" that looks for Trojans, but it finds nothing, so I am starting to run out of ideas. Has anybody got some other ideas as to what is causing this, as the people it is connecting to will soon start complaining.

Ta, Simon
 
Nasty, LedZep, nasty.

Like ZZtop too? Sorry, off track...

If you have several identical or similar systems you might try pulling a signature check on all the \Windows files and comparing to a similar system; ignoring INI files and user/system.dat should stop a lot of the chatter.

e.g.

listfile *.* c:\windows /s |delwith any @skiplist | md5 > test1

where skiplist says *.ini,user.dat,system.dat...

Almost all worms & viruses play around with at least one of the 54 (last time I looked) different types of Windows executable files. There ought to be traces in them.

I assume your ordinary McAfee has checked the Registry and Win/system.ini. However just in case, which you may have already done:

1. Edit Win.ini and look at load= and run=

2. Edit System.ini and look at Shell=

(all are near the top)

3. RegEdit and search for Runonce and poke about in all the run, runonce, runservices, runservicesonce

You'll find two run... sections, or one plus one per user.

See if anything differs from the problem system to a reference system.

The thing is, if all of them are clean, then the malware has figured out some other way to get itself run. There are a few, e.g. boot sector, but a very large number of malware use the few mechanisms above.

btw, it would not hurt to download a few demo a-vs, say from Sophos or F-Secure. There are new signatures out today from both as I recall.

If this is a 9x/me system, you are lucky, because then you can run A-V from DOS, really current a-v like F-Prot from Frisk Software International. (last update 9/14).

If the OS is NT/2k/XP, then you have to pop out the drive, slave it in another system and then a-v scan. Nice, hunh? Or, you can Knoppix into Linux from a CD-boot and then emulate DOS and use SAMBA for NTFS, ... oh, never mind.

If your user has good backups, it is probably much easier to scrag the drive, Format, Ghost it or XXCOPY.

You might want to take XXCOPY snapshots of C:\WINDOWS for the future, then in the further future you just scrag C:\%windir% instead of C:

Of those dozen paths, I hope one is fruitful.

ttfn
j
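The two offline checks suggested in the reply above (a hash comparison of the \Windows tree against a reference machine with a skiplist for INI files and user/system.dat, and a look at load=/run= in Win.ini and Shell= in System.ini) can be scripted. The block below is an added example written for this page, not code from the original poster or from any of the tools named in the thread. It builds a constructed reference tree and a constructed suspect tree in a temp directory (the file names, contents and the `C:\WINDOWS\hidden.exe` run= line are made up for the demo), diffs their hashes, and flags autostart lines that differ from the stock values. The registry Run/RunOnce/RunServices keys from step 3 are not covered here, since they cannot be read from an offline copy with the standard library alone.

```python
"""Baseline-compare a Windows directory and check INI autostart entries.

Added example for this thread; the sample trees are constructed, not real.
"""
import fnmatch
import hashlib
import tempfile
from pathlib import Path

# The reply's skiplist: INI files and the 9x registry hives change constantly.
SKIPLIST = ["*.ini", "user.dat", "system.dat"]

# Autostart lines the reply says to inspect (keys compared case-insensitively).
AUTOSTART_KEYS = {"win.ini": ("load", "run"), "system.ini": ("shell",)}


def hash_tree(root, skiplist=SKIPLIST):
    """Return {relative_path: md5hex} for every file under root not in skiplist."""
    root = Path(root)
    hashes = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if any(fnmatch.fnmatch(path.name.lower(), pat) for pat in skiplist):
            continue
        rel = path.relative_to(root).as_posix()
        hashes[rel] = hashlib.md5(path.read_bytes()).hexdigest()
    return hashes


def diff_trees(reference, suspect):
    """Files added, missing or changed on the suspect relative to the reference."""
    ref, sus = hash_tree(reference), hash_tree(suspect)
    return {
        "added": sorted(set(sus) - set(ref)),
        "missing": sorted(set(ref) - set(sus)),
        "changed": sorted(k for k in ref.keys() & sus.keys() if ref[k] != sus[k]),
    }


def autostart_entries(windir):
    """Collect load=/run= from win.ini and Shell= from system.ini."""
    found = {}
    for fname, keys in AUTOSTART_KEYS.items():
        path = Path(windir) / fname
        if not path.exists():
            continue
        for line in path.read_text(errors="replace").splitlines():
            line = line.strip()
            if line.startswith(";") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key in keys:
                found[f"{fname}:{key}"] = value.strip()
    return found


def suspicious_autostart(windir):
    """Flag a Shell= other than Explorer.exe, or any non-empty load=/run=."""
    flags = {}
    for key, value in autostart_entries(windir).items():
        if key.endswith(":shell"):
            if value.lower() != "explorer.exe":
                flags[key] = value
        elif value:
            flags[key] = value
    return flags


def build_demo_trees():
    """Constructed sample data: a clean reference tree and a tampered suspect tree."""
    base = Path(tempfile.mkdtemp())
    ref, sus = base / "reference", base / "suspect"
    for root in (ref, sus):
        (root / "system").mkdir(parents=True)
        (root / "win.ini").write_text("[windows]\nload=\nrun=\n")
        (root / "system.ini").write_text("[boot]\nshell=Explorer.exe\n")
        (root / "notepad.exe").write_bytes(b"MZ-notepad")
        (root / "system" / "wsock32.dll").write_bytes(b"MZ-wsock32")
    # Tamper with the suspect copy: hijacked run= line, patched DLL, new binary.
    (sus / "win.ini").write_text("[windows]\nload=\nrun=C:\\WINDOWS\\hidden.exe\n")
    (sus / "system" / "wsock32.dll").write_bytes(b"MZ-wsock32-patched")
    (sus / "system" / "hidden.exe").write_bytes(b"MZ-hidden")
    return ref, sus


def demo():
    """Run both checks over the constructed trees and return the findings."""
    ref, sus = build_demo_trees()
    return diff_trees(ref, sus), suspicious_autostart(ref), suspicious_autostart(sus)


if __name__ == "__main__":
    tree_diff, clean_flags, suspect_flags = demo()
    print("tree diff:", tree_diff)
    print("reference autostart flags:", clean_flags)
    print("suspect autostart flags:", suspect_flags)
```

Against a real case you would point `diff_trees` at the slaved suspect drive's \Windows and at the same directory on a known-good twin, and `suspicious_autostart` at the suspect's \Windows; the INI files are deliberately excluded from the hash diff (they churn on every boot) and inspected by content instead, which is why the hijacked run= line shows up in the autostart flags and not in the hash comparison.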
