| |
JSR2012
Anon
2012-Oct-11 6:15 pm
DoS attack: Storm, Smurf and FIN ScansHi Guys,
Not sure if you can help but I have been getting a LOT of these recently, to the extent that we have lost comms at my business for days at a time.
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:05:37
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:05:16
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:04:56
[Admin login failure] from source 192.168.1.2, Thursday, Oct 11,2012 09:04:24
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:03:13
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:02:52
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:02:32
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:02:10
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:01:49
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:01:29
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:01:05
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:00:44
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:00:23
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 09:00:00
[DoS attack: STORM] attack packets in last 20 sec from ip [66.64.21.177], Thursday, Oct 11,2012 08:59:39
DoS attack: Smurf] attack packets in last 20 sec from ip [172.17.2.83].
These originate from MY IP.....any ideas? |
|
 Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI |
|
|
|
| Name Game |
to JSR2012
But if one machine is not infected then see here.. The source is an internal IP address , I just wonder if your dropping connection and the error is a miss report from the router when a packet from that machine doesn't get through because the connection is down. » www.idnetters.co.uk/foru ··· =27727.0 |
|
| Name Game |
to JSR2012
I assume you are an eye and laser facility right ? |
|
| |
JSR2012 to Name Game
Anon
2012-Oct-11 7:15 pm
to Name Game
Thanks for the first link, already read it though.
I am running a 2012 iMac so I don't think that applies - sorry I should have mentioned that before!
Read the second link and its rather in-conclusive, I do not use Dropbox etc etc |
|
| JSR2012 |
JSR2012 to JSR2012
Anon
2012-Oct-11 7:16 pm
to JSR2012
Ah ha - Kaspersky for MAC just found:
Trojan.Win32.inject.dso
I cannot find anything apart from 1 website referencing this, any ideas? Thanks again. |
|
Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI |
Most in those Win32/Inject things a bots..and are spread many ways » blog.eset.com/2008/08/27 ··· njectnblTrojan:W32/Inject is a large family of malware that secretly makes changes to the Windows Registry. Variants in the family may also make changes to other running processes. For a representative example of an Inject variant's actions, please see Trojan-Dropper:W32/Agent.FBB. Trojan-Dropper:W32/Agent.FBB appears to be an innocent EXE file, and is usually delivered as an e-mail attachment, or as a standalone file. The recipient must click on and execute the EXE file in order to infect their system. » www.f-secure.com/v-descs ··· bb.shtmlInject variants may be delivered as part of the payload of other malware. |
|
| Name Game |
to JSR2012
Did the problem stop now ? |
|
| Name Game |
to JSR2012
What gets me is most of the stuff like that is old from 2009 to 2011..but guess it can all be still around or something like it.. Backdoor.Win32.Inject.dso
Detection added: 30.05.2011
Behavior: Backdoor Trojan
Backdoor Trojans provide the author or hacker with remote-administration of victim machines. Backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.
Platform: This malware is a Windows PE EXE file.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP, Windows Vista, Windows 7 (x86) |
|
1 recommendation |
to JSR2012
How many PCs are at your location?
Name Game offers some pretty good advice here. If there were multiple computers at the location, start shutting
them down one at a time till the log messages go away, then focus on that one computer further.
Commands like netstat (or the *nix equivalent) is also useful.
Learn what programs are running and what network connections they make?
Last thought is what make / model of equipment is those log files from? If it's some idiot box off the shelf, they
really don't have much intelligence to their processes or identification, and to me STORM is just a generic term for
"SOMEthing's going on, but I don't know what." See Wikipedia for what a Smurf attack is.
Regards |
|
Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI |
|
|
| |
JSR2012
Anon
2012-Oct-12 11:39 am
Seems to have calmed down, it would appear that virus was the issue, strange that it was occuring on my MAC though!
I had Storm, Fin, Smurf etc etc
We also had it spoofing IP's of legitimate companies last week, seems to have stopped since I removed the virus, I am now downloading little snitch to ensure there are no out going connections that I am un-aware of!
Thanks for the help guys |
|
Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI
1 recommendation |
Good idea..little snitch will do you fine. Mac OS threats
This month brought unprecedented malware activity on Mac OS. The most prominent case was the distribution of spam to addresses of Tibetan organizations. This spam contained links to a Java exploit designed to install malicious programs on users’ computers: Backdoor.OSX.Lasyr.a on the computers of Mac OS users and Trojan.Win32.Inject.djgs on Windows users’ computers. This exploit infected the computers of Mac OS X users with the malicious program Backdoor.OSX.MaControl.a. Also in March a new modification of the malicious program Backdoor.OSX.Imuler was detected. Malicious programs belonging to this family are spread under the cover of files with safe extensions. During the March attack, cybercriminals distributed spam containing malicious files that were masked as erotic images with .JPG extensions. Another first in March was malicious programs using Twitter as a command and control server. To distribute these malicious programs cybercriminals used 200,000 hacked blogs operating under WordPress. » www.kaspersky.com/about/ ··· _Android |
|
| |
to JSR2012
said by JSR2012 :Ah ha - Kaspersky for MAC just found:
Trojan.Win32.inject.dso
I cannot find anything apart from 1 website referencing this, any ideas? Thanks again.
A windows trojan should not affect OSX. |
|
Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI
2 edits |
That is obvious..most likely it was the MAC version but called out by the Kaspersky for MAC as the w32.inject...might be nice to post list of the actual files it found infected..not just the generic name of the exploit. Kaspersky Virus Scanner Kaspersky Virus Scanner from the Mac App Store, you need a Mac with OS X 10.6.6 or later.
Description
Kaspersky Virus Scanner is designed to protect Mac users against all types of malware. It detects and, when possible, removes both Mac and non-Mac malware using recent anti-virus database, which is automatically updated to ensure you are protected against the latest threats. Tuned for optimal memory footprint, it consumes no CPU processing » itunes.apple.com/us/app/ ··· 27?mt=12 |
|
