How about using a packet sniffer? That might give you a clue as to where it's really coming from.

Regards

Tim Sutton
IT Systems Manager
Troup Bywaters & Anders
Eastgate House
10 Eastgate
LEEDS LS2 7JL
Tel: 01132432241
Fax: 01132424024
E-mail: [EMAIL PROTECTED]

Privilege and Confidentiality Notice
This email and any attachments to it are intended only for the party to whom they are addressed. They may contain privileged and/or confidential information. If you have received this transmission in error please notify the sender immediately and delete any digital copies and destroy any paper copies. Thank you.

-----Original Message-----
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: 23 December 2004 16:30
To: [email protected]
Subject: RE: [ActiveDir] worm (very very OT)

We're a switched network. I'd have to go to every PC (500) and run it. I'm trying to avoid that. Might as well run netstat -an on all PCs. Ethereal won't tell me the real address.

Thanks

-----Original Message-----
From: Candee Vaglica [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 23, 2004 11:16 AM
To: [email protected]
Subject: Re: [ActiveDir] worm (very very OT)

Use a network scanner, like Ethereal, to monitor the traffic.

On Thu, 23 Dec 2004 11:11:43 -0500, Kern, Tom <[EMAIL PROTECTED]> wrote:
> This is way off and I apologize, but you guys are really knowledgeable and such a great help, I thought I'd try here.
>
> I have a number of PCs infected with some worm that goes out on port 10000 TCP and tries to attempt a DoS attack.
>
> I don't know the worm and a Google search didn't really turn anything up.
>
> Here's the thing. The worm uses a spoofed source address. My question is, is there any way to track down a spoofed address internally to the real address?
>
> I don't know how to find the infected PCs.
>
> Thanks

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
