Help with undetectable Worm?!

bradley.bill

Hey All,

I am having what looks to be some kind of RPC worm problem that I
cannot find the answer to.

Yesterday I noticed a ton of firewall connections coming from 7
different subnets inside my private network out to the Internet, all
going to port 135 on the following address: 68.178.232.99. I did a
whois lookup and this is a parked domain with godaddy.com. I called
them and they block traffic to 135 at their firewall so they were not
concerned. I was though...no telling what this thing is doing. I
remote desktopped into one of the machines and ran netstat -ano
|findstr ":135" and looked up the PID in the task manager and it was
one of the svhost.exe processes making the connection. To dig
further, I installed Sysinternals Process Explorer and was able to see
that the machine is making multiple connections from diff local ports
(all to 68.178.232.99:135). At this point I was thinking it was some
kind of Blaster variant/Trojan/Spyware. However no known tool can find
anything. I have tried the following:

Symantec, Norton AV, AVG, Windows One Care, Windows Defender, HijackThis,
TrendMicro online scanning, Symantec Blaster Removal, Windows
Malicious Software Removal Tool.

None of these detected a thing. The system in question is running XP
SP2 with all the latest updates and has Auto Update turned on. The
process is starting up right after a user logs in and runs until
logout. I installed Wireshark (open source sniffer) and ran some
packet captures. Here are some of the things it is doing:

Issuing 1 byte TCP Keep Alive requests from port 1911 to port 135 on
68.178.232.99.
Issuing 20 and 4 byte TCP Syn/Acks to 68.178.232.99 and receiving
replies back.
Makes an HTTP GET request to 68.178.232.99 for wpad.dat (which isn't there;
the site redirects to a parked domain page at godaddy.com). I can see the
ASCII of the HTML layout of the page in the dump.

I called MS and spoke to someone at their "PC Safety Virus and Spyware"
center. Let's just say, he wasn't very helpful. After an hour of him
putting me on hold and having to explain what was going on like 10
times, he told me to call my SysAdmin (I am the sysadmin!) and then to
call the main MS Customer Service number. That was a loooot of fun.

I could just block this all at my firewall (I have a 37 site frame
network that all routes through one central office), but I want to know
what this is and what it is doing. I have exhausted all of my other
geek resources locally and googled til my fingers bled.

Any ideas?

Thanks,
B.

PS...sorry for the long post ;)
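To triage the netstat output described above across a whole machine (every local port one PID is using toward the same remote host, and whether that remote lies outside private address space), here is an added Python example that is not from the thread; the netstat sample is constructed and the local 10.x addresses are assumed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of Windows `netstat -ano` output modelled on the thread
# (one process, several local ports, one remote host on 135). Not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    10.1.5.23:1911         68.178.232.99:135      ESTABLISHED     1032
  TCP    10.1.5.23:1912         68.178.232.99:135      ESTABLISHED     1032
  TCP    10.1.5.23:1920         68.178.232.99:80       ESTABLISHED     1032
  TCP    10.1.5.23:3389         10.1.1.7:4312          ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""

# One netstat row: proto, local ip:port, foreign ip:port, optional state, PID.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per connection row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, lip, lport, rip, rport, state, pid = m.groups()
            rows.append({"proto": proto, "lip": lip, "lport": int(lport), "rip": rip,
                         "rport": rport, "state": state or "", "pid": int(pid)})
    return rows


def outbound_by_pid(rows, remote_port=135):
    """Group non-listening TCP rows with remote port `remote_port` by owning PID,
    collecting every local port used toward each remote and flagging remotes
    outside RFC 1918 space (connections that actually leave the private network)."""
    out = defaultdict(lambda: {"remotes": set(), "local_ports": [], "public": False})
    for r in rows:
        if r["proto"] != "TCP" or r["state"] == "LISTENING" or r["rport"] != str(remote_port):
            continue
        e = out[r["pid"]]
        e["remotes"].add(r["rip"])
        e["local_ports"].append(r["lport"])
        if not ipaddress.ip_address(r["rip"]).is_private:
            e["public"] = True
    return {pid: {"remotes": sorted(e["remotes"]), "local_ports": sorted(e["local_ports"]),
                  "public": e["public"]} for pid, e in out.items()}
```

Run `outbound_by_pid(parse_netstat(SAMPLE_NETSTAT))` on a real `netstat -ano` dump to get the PID to look up in Task Manager or Process Explorer, with all of its local ports grouped together.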
 
Guest

Norton firewall would detect this problem and block the malicious
transmissions. I think ZoneAlarm has a trial pro version. And by installing
it and rebooting it will intervene and provide you with details of
suspicious activity with your ports. Have you simply tried to reset/restore
the defaults to Windows firewall, then select the "no exceptions" option?
 