Perform an Ethereal capture and a pslist on that box too... Is this the first sign of the JPEG worm?
exibar

----- Original Message -----
From: "Harlan Carvey" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: "Bernardo Santos Wernesback" <[EMAIL PROTECTED]>
Sent: Monday, September 27, 2004 3:07 PM
Subject: Re: [Full-Disclosure] New virus?

> Bernardo,
>
> Do you have access to this machine, either physically
> or remotely (as an admin)? If so, have you pulled any
> data from the system to see what's going on?
>
> --- Bernardo Santos Wernesback <[EMAIL PROTECTED]>
> wrote:
>
> > Hi everyone,
> >
> > Has anyone seen a lot of HTTP activity to a certain
> > site:
> > http://www.fotosgratis.pop.com.br ?
> >
> > One of our clients has several machines making tons
> > of requests for TXT
> > files on that server:
> >
> > botao.txt
> > mswinsck.txt
> > ita01.txt
> > caixa01.txt
> > teclado07.txt
> > caixa01.txt
> > caixa02.txt
> > caixa03.txt
> > caixa04.txt
> > caixa05.txt
> >
> > Thanks for any info.,
> >
> > _____________________________________________________
> >
> > Bernardo Santos Wernesback
> >
> > ESSE,ESS,SCSE,CCNA/DA,
> >
> > CCSA,CQS,MCP
> >
> > Consultant / ISH Tecnologia
> >
> > Phone: +55-27-3334-8900
> >
> > Mobile: +55-27-8111-0884
> >
> > Email: [EMAIL PROTECTED]
> >
> > PGP Fingerprint:
> > 6A42 3701 70D7 FD0F 5FA9 D232 CDD4 6189 EF43
> > 95F5
> >
>
> =====
> ------------------------------------------------------------------------
> Harlan Carvey, CISSP
> "Windows Forensics and Incident Recovery"
> http://www.windows-ir.com
> http://groups.yahoo.com/group/windowsir/
> ------------------------------------------------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
