Strange traffic over ISDN on many TCP ports


2ElleSoft

Hi everybody, I hope somebody can help me because I'm going crazy
with this problem.
My network is connected to the internet through a Cisco ISDN router. I have
a PD Win2K server and many WinXP and Win2K clients. The server is
always on and right now it generates no internet traffic, but as soon as I turn
on one client and it reaches the login window the ISDN line comes up
and never goes down until I shut down the client.

I used Ethereal to sniff the network traffic. I'm not an expert, but I
noticed a strange thing: there are repeated connections to 7-8 unidentified
IP addresses where the TCP port number is always different, in a range
between 1039 and 1181:
207.46.20.93: 1083
A 206.24.233.62: 1085
A 206.24.233.62: 1086
B 208.172.64.254: 1087
B 208.172.64.254: 1088
C 67.29.176.254: 1089
C 67.29.176.254: 1090
A 206.24.233.62: 1092
B 208.172.64.254: 1093
........
I marked with the same letter the same IP addresses.
The client is at the USER LOGIN window so there are only the basic
services started and there should be no activity.

Any idea?
Thanks for your help
Stefano
 
Login and use TCPView from www.sysinternals.com (freeware) to see what
process is connecting.
Louis

Louis, thanks for your suggestion. I tried TCPView; I think it is very
useful.
This is the result:

ccApp.exe:1732 TCP Tecnico1:1077 Tecnico1:0 LISTENING
FTPServer.exe:1096 TCP Tecnico1:5133 Tecnico1:0 LISTENING
lsass.exe:1264 UDP Tecnico1:isakmp *:*
lsass.exe:1264 UDP Tecnico1:1028 *:*
LUCOMS~1.EXE:3716 TCP Tecnico1:1151 Tecnico1:0 LISTENING
LUCOMS~1.EXE:3716 TCP tecnico1.com-moimacco.local:1151 213.254.212.70:http SYN_SENT
msmsgs.exe:2280 TCP tecnico1.com-moimacco.local:12358 Tecnico1:0 LISTENING
msmsgs.exe:2280 UDP Tecnico1:1080 *:*
msmsgs.exe:2280 UDP tecnico1.com-moimacco.local:9926 *:*
msmsgs.exe:2280 UDP tecnico1.com-moimacco.local:56699 *:*
nsapp.exe:2756 UDP Tecnico1:1101 *:*
Rtvscan.exe:744 TCP Tecnico1:2967 Tecnico1:0 LISTENING
spoolsv.exe:184 UDP Tecnico1:1044 *:*
spoolsv.exe:184 UDP Tecnico1:1127 *:*
svchost.exe:1452 TCP Tecnico1:epmap Tecnico1:0 LISTENING
svchost.exe:1544 TCP Tecnico1:1025 Tecnico1:0 LISTENING
svchost.exe:1544 UDP Tecnico1:ntp *:*
svchost.exe:1544 UDP tecnico1.com-moimacco.local:ntp *:*
svchost.exe:1544 TCP Tecnico1:1150 Tecnico1:0 LISTENING
svchost.exe:1544 TCP tecnico1.com-moimacco.local:1150 206.24.233.62:http SYN_SENT
svchost.exe:1544 UDP Tecnico1:1149 *:*
svchost.exe:1724 UDP Tecnico1:1026 *:*
svchost.exe:1724 UDP Tecnico1:1027 *:*
svchost.exe:1756 TCP Tecnico1:5000 Tecnico1:0 LISTENING
svchost.exe:1756 UDP Tecnico1:1900 *:*
svchost.exe:1756 UDP tecnico1.com-moimacco.local:1900 *:*
System:4 TCP Tecnico1:microsoft-ds Tecnico1:0 LISTENING
System:4 TCP Tecnico1:1082 Tecnico1:0 LISTENING
System:4 TCP tecnico1.com-moimacco.local:netbios-ssn Tecnico1:0 LISTENING
System:4 TCP tecnico1.com-moimacco.local:1061 Tecnico1:0 LISTENING
System:4 TCP tecnico1.com-moimacco.local:1061 dcmoimacco:netbios-ssn ESTABLISHED
System:4 UDP Tecnico1:microsoft-ds *:*
System:4 UDP tecnico1.com-moimacco.local:netbios-ns *:*
System:4 UDP tecnico1.com-moimacco.local:netbios-dgm *:*
winlogon.exe:1208 UDP Tecnico1:1049 *:*

I'll have to find out why there is an (active) FTP server on this PC;
it's very strange because the user has no idea what FTP is.
LUCOMS~1.EXE and RTVSCAN.EXE are OK because Symantec AV Corporate
Edition is installed.
I don't like all of these SVCHOST.EXE entries very much. I know it is a
Microsoft service, but...

Can you see something I didn't see?

Stefano
 
I would definitely find out where FTPServer.exe came from. Unfortunately,
Google says it is a valid filename for some FTP programs and a valid
filename for some trojans. Also, you may want to uncheck the "Resolve
Addresses" entry on the options menu and look for the ip addresses from your
original post. Good luck.
Louis
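As an added example (not code from anyone in this thread), here is the correlation Louis suggests, done in Python: parse the TCPView listing Stefano posted (an excerpt is embedded inline), keep only the TCP sockets that are SYN_SENT or ESTABLISHED to a non-local peer, and match their remote addresses against the IPs from the Ethereal capture in the first post, so each sniffed address is tied back to a process and PID. The function names and the LOCAL_NAMES set are my assumptions about this network.

```python
# Excerpt of the TCPView listing posted in the thread
# (columns: process:pid proto local remote [state]).
TCPVIEW_EXCERPT = """\
LUCOMS~1.EXE:3716 TCP Tecnico1:1151 Tecnico1:0 LISTENING
LUCOMS~1.EXE:3716 TCP tecnico1.com-moimacco.local:1151 213.254.212.70:http SYN_SENT
msmsgs.exe:2280 UDP Tecnico1:1080 *:*
svchost.exe:1544 TCP Tecnico1:1150 Tecnico1:0 LISTENING
svchost.exe:1544 TCP tecnico1.com-moimacco.local:1150 206.24.233.62:http SYN_SENT
System:4 TCP tecnico1.com-moimacco.local:1061 dcmoimacco:netbios-ssn ESTABLISHED
"""

# Remote IPs seen in the Ethereal capture from the first post (the unmarked host and A, B, C).
SNIFFED_IPS = {"207.46.20.93", "206.24.233.62", "208.172.64.254", "67.29.176.254"}

# Assumed: names that denote the local machine in the listing; any other remote host is an outside peer.
LOCAL_NAMES = {"tecnico1", "tecnico1.com-moimacco.local", "*"}

def parse_tcpview(text):
    """Turn TCPView rows into dicts; only TCP rows carry a state column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        proc, pid = parts[0].rsplit(":", 1)
        # rsplit on ':' because hostnames contain dots and ports may be names like 'http'.
        rhost, rport = parts[3].rsplit(":", 1)
        state = parts[4] if parts[1] == "TCP" and len(parts) > 4 else ""
        rows.append({"proc": proc, "pid": int(pid), "proto": parts[1],
                     "rhost": rhost, "rport": rport, "state": state})
    return rows

def outbound(rows):
    """TCP sockets leaving the box: SYN_SENT or ESTABLISHED to a non-local peer."""
    return [r for r in rows if r["state"] in ("SYN_SENT", "ESTABLISHED")
            and r["rhost"].lower() not in LOCAL_NAMES]

def processes_hitting(rows, ips):
    """Map 'process:pid' -> sorted list of addresses from 'ips' it is talking to."""
    hits = {}
    for r in outbound(rows):
        if r["rhost"] in ips:
            hits.setdefault(f"{r['proc']}:{r['pid']}", set()).add(r["rhost"])
    return {k: sorted(v) for k, v in hits.items()}

if __name__ == "__main__":
    for r in outbound(parse_tcpview(TCPVIEW_EXCERPT)):
        print(f"{r['proc']}:{r['pid']} -> {r['rhost']}:{r['rport']} ({r['state']})")
```

On the excerpt this reports svchost.exe:1544 as the process reaching host A (206.24.233.62) from the capture; running it over the full listing with "Resolve Addresses" unchecked, as Louis suggests, gives the same mapping for every sniffed address that has a socket open at that moment.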
 
Install an antivirus program on the infected computers. Or, if not, do a
search for the FTPServer.exe file on your computer and see where it is located.
Copy this file to a computer with an AV installed, scan it and figure out
what kind of virus you are dealing with; then get a removal tool for
this virus.

--
Regards,
Andrei Ungureanu
www.eventid.net
Test our new EventReader!
http://www.altairtech.ca/eventreader/default2.asp?ref=au
 