JSR2012

@logixcom.net

DoS attack: Storm, Smurf and FIN Scans

Hi Guys,

Not sure if you can help but I have been getting a LOT of these recently, to the extent that we have lost comms at my business for days at a time.

[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:05:37
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:05:16
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:04:56
[Admin login failure] from source 192.168.1.2, Thursday, Oct 11,2012 09:04:24
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:03:13
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:02:52
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:02:32
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:02:10
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:01:49
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:01:29
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:01:05
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:00:44
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:00:23
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:00:00
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 08:59:39
[DoS attack: Smurf] attack packets in last 20 sec from ip [172.17.2.83].

These originate from MY IP.....any ideas?


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to JSR2012
But if one machine is not infected then see here...

The source is an internal IP address. I just wonder if you're dropping connection and the error is a misreport from the router when a packet from that machine doesn't get through because the connection is down.

»www.idnetters.co.uk/forums/index ··· =27727.0


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to JSR2012
I assume you are an eye and laser facility right ?


JSR2012

@logixcom.net
reply to Name Game
Thanks for the first link, already read it though.

I am running a 2012 iMac so I don't think that applies - sorry I should have mentioned that before!

Read the second link and it's rather inconclusive; I do not use Dropbox etc.


JSR2012

@logixcom.net
reply to JSR2012
Ah ha - Kaspersky for Mac just found:

Trojan.Win32.inject.dso

I cannot find anything apart from 1 website referencing this, any ideas? Thanks again.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
Most of those Win32/Inject things are bots, and are spread many ways.

»blog.eset.com/2008/08/27/a-deepe ··· njectnbl

Trojan:W32/Inject is a large family of malware that secretly makes changes to the Windows Registry. Variants in the family may also make changes to other running processes. For a representative example of an Inject variant's actions, please see Trojan-Dropper:W32/Agent.FBB.

Trojan-Dropper:W32/Agent.FBB appears to be an innocent EXE file, and is usually delivered as an e-mail attachment, or as a standalone file. The recipient must click on and execute the EXE file in order to infect their system.
»www.f-secure.com/v-descs/trojan- ··· bb.shtml
Inject variants may be delivered as part of the payload of other malware.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to JSR2012
Did the problem stop now ?


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to JSR2012
What gets me is most of the stuff like that is old, from 2009 to 2011, but I guess it can all still be around, or something like it.

Backdoor.Win32.Inject.dso

Detection added: 30.05.2011

Behavior: Backdoor Trojan
Backdoor Trojans provide the author or hacker with remote-administration of victim machines. Backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.

Platform: This malware is a Windows PE EXE file.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP, Windows Vista, Windows 7 (x86)


--
Gladiator Security Forum
»www.gladiator-antivirus.com/

HELLFIRE
Premium
join:2009-11-25
kudos:19

1 recommendation

reply to JSR2012
How many PCs are at your location?

Name Game offers some pretty good advice here. If there were multiple computers at the location, start shutting
them down one at a time till the log messages go away, then focus on that one computer further.

Commands like netstat (or the *nix equivalent) are also useful.

Learn what programs are running and what network connections they make.

Last thought is what make / model of equipment are those log files from? If it's some idiot box off the shelf, they
really don't have much intelligence to their processes or identification, and to me STORM is just a generic term for
"SOMEthing's going on, but I don't know what." See Wikipedia for what a Smurf attack is.

Regards

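To put the two pieces of advice above into practice (Name Game's point that the Smurf source is an internal address, and HELLFIRE's suggestion to single out one machine and then look at its connections), here is a small triage script. It is an added example for this thread, not code from any of the posts: it parses router log lines in the format quoted in the opening post, groups them by message type and source address, flags sources that fall in private (RFC 1918) ranges as hosts on the local LAN, and reports how closely spaced the reports are. The line format is assumed from the quoted lines only (different router firmware will differ), and the sample log below is a constructed copy of the lines posted above with the missing "[" on the Smurf line restored.

```python
"""Triage consumer-router "[DoS attack: ...]" log lines.

Added example for this thread, not code from any of the posts. The line format
is assumed from the lines quoted in the opening post; the sample log below is a
constructed copy of those lines.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: the router log lines quoted in the opening post.
SAMPLE_LOG = """\
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:05:37
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:05:16
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:04:56
[Admin login failure] from source 192.168.1.2, Thursday, Oct 11,2012 09:04:24
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:03:13
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:02:52
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:02:32
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:02:10
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:01:49
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:01:29
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:01:05
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:00:44
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:00:23
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:00:00
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 08:59:39
[DoS attack: Smurf] attack packets in last 20 sec from ip [172.17.2.83].
"""

# Assumed line shape: "[message] [attack packets in last N sec] from ip|source [addr][,.] [timestamp]".
LINE_RE = re.compile(
    r"^\[(?P<kind>[^\]]+)\]"                                    # "[DoS attack: STORM]" or "[Admin login failure]"
    r"(?: attack packets in last (?P<window>\d+) sec)?"          # only on DoS lines
    r" from (?:ip|source) \[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?"  # address, bracketed or bare
    r"[.,]?\s*(?P<ts>\S.*)?$"                                    # timestamp is optional (the Smurf line had none)
)
TS_FORMAT = "%A, %b %d,%Y %H:%M:%S"  # "Thursday, Oct 11,2012 09:05:37"


@dataclass
class Event:
    kind: str                 # "STORM", "Smurf", or a non-DoS message such as "Admin login failure"
    is_dos: bool
    ip: str
    window_s: Optional[int]
    ts: Optional[datetime]


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind = m.group("kind")
    is_dos = kind.startswith("DoS attack:")
    if is_dos:
        kind = kind.split(":", 1)[1].strip()
    ts = datetime.strptime(m.group("ts"), TS_FORMAT) if m.group("ts") else None
    window = int(m.group("window")) if m.group("window") else None
    return Event(kind, is_dos, m.group("ip"), window, ts)


def parse_log(text: str) -> List[Event]:
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


@dataclass
class SourceSummary:
    kind: str
    is_dos: bool
    ip: str
    internal: bool                    # private/loopback/link-local address => a host on your own LAN
    count: int
    first: Optional[datetime]
    last: Optional[datetime]
    mean_interval_s: Optional[float]  # spacing between reports; close to the window size means continuous


def summarize(events: List[Event]) -> Dict[Tuple[str, str], SourceSummary]:
    groups: Dict[Tuple[str, str], List[Event]] = {}
    for ev in events:
        groups.setdefault((ev.kind, ev.ip), []).append(ev)
    out: Dict[Tuple[str, str], SourceSummary] = {}
    for (kind, ip), evs in groups.items():
        stamps = sorted(ev.ts for ev in evs if ev.ts)
        mean = None
        if len(stamps) >= 2:
            mean = (stamps[-1] - stamps[0]).total_seconds() / (len(stamps) - 1)
        out[(kind, ip)] = SourceSummary(
            kind=kind, is_dos=evs[0].is_dos, ip=ip,
            internal=ipaddress.ip_address(ip).is_private,
            count=len(evs), first=stamps[0] if stamps else None,
            last=stamps[-1] if stamps else None, mean_interval_s=mean,
        )
    return out


def internal_dos_sources(summary: Dict[Tuple[str, str], SourceSummary]) -> List[str]:
    """LAN hosts the router blamed for DoS traffic: the machines to unplug one at a
    time and then inspect with netstat/lsof and an AV scan."""
    return sorted({s.ip for s in summary.values() if s.is_dos and s.internal})


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for s in summary.values():
        where = "LAN" if s.internal else "external"
        spacing = f"{s.mean_interval_s:.1f}s apart" if s.mean_interval_s else "n/a"
        print(f"{s.kind:<20} {s.ip:<15} {where:<8} x{s.count:<3} {spacing}")
    print("inspect first:", internal_dos_sources(summary))
```

Run against the posted lines it reports the STORM source as external and continuous (reports arrive roughly every 20-second window), while the single Smurf report names 172.17.2.83, an RFC 1918 address, so that host is the one to take offline and inspect. An external address in these logs can just as easily be a spoofed source, so the external count says little on its own; the internal one is the actionable lead.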

JSR2012

@logixcom.net
Seems to have calmed down; it would appear that virus was the issue. Strange that it was occurring on my Mac though!

I had Storm, Fin, Smurf etc etc

We also had it spoofing IPs of legitimate companies last week. Seems to have stopped since I removed the virus. I am now downloading Little Snitch to ensure there are no outgoing connections that I am unaware of!

Thanks for the help guys


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 recommendation

Good idea. Little Snitch will do you fine.

Mac OS threats

This month brought unprecedented malware activity on Mac OS. The most prominent case was the distribution of spam to addresses of Tibetan organizations. This spam contained links to a Java exploit designed to install malicious programs on users’ computers: Backdoor.OSX.Lasyr.a on the computers of Mac OS users and Trojan.Win32.Inject.djgs on Windows users’ computers. This exploit infected the computers of Mac OS X users with the malicious program Backdoor.OSX.MaControl.a. Also in March a new modification of the malicious program Backdoor.OSX.Imuler was detected. Malicious programs belonging to this family are spread under the cover of files with safe extensions. During the March attack, cybercriminals distributed spam containing malicious files that were masked as erotic images with .JPG extensions. Another first in March was malicious programs using Twitter as a command and control server. To distribute these malicious programs cybercriminals used 200,000 hacked blogs operating under WordPress.

»www.kaspersky.com/about/news/vir ··· _Android
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


KodiacZiller
Premium
join:2008-09-04
73368
kudos:2
reply to JSR2012
said by JSR2012 :

Ah ha - Kaspersky for Mac just found:

Trojan.Win32.inject.dso

I cannot find anything apart from 1 website referencing this, any ideas? Thanks again.

A windows trojan should not affect OSX.
--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They dont want to change; they are happy with slowly dying inside. -- munky99999


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

2 edits
That is obvious. Most likely it was the Mac version, but called out by Kaspersky for Mac as the W32.Inject. Might be nice to post a list of the actual files it found infected, not just the generic name of the exploit.

Kaspersky Virus Scanner

Kaspersky Virus Scanner from the Mac App Store, you need a Mac with OS X 10.6.6 or later.
Description
Kaspersky Virus Scanner is designed to protect Mac users against all types of malware. It detects and, when possible, removes both Mac and non-Mac malware using recent anti-virus database, which is automatically updated to ensure you are protected against the latest threats. Tuned for optimal memory footprint, it consumes no CPU processing

»itunes.apple.com/us/app/kaspersk ··· 27?mt=12