I took a further look at the Win2K workstation to see what was going on. There is no virus infecting the computer. I looked all over the computer, in the task manager, Services folder, event viewer, and no virus shows up. The virus software shows nothing for a long time. Web server is turned off. MSN Messenger hasn't even been used in weeks. The computer has only been used for web browsing, and local applications like Adobe Photoshop, Illustrator, and Quicken.
The one issue I did find on the computer was the C-Dilla service, which may, or may not, have sent out communication to a vendor. I looked up info on it, and there are several people upset because it is software installed without permission when you install TurboTax (and some other software), and it supposedly manages copyrights. From what I read, it wasn't clear if it sent out network packets or not. I understand that 66.232.154.8 is being dropped because I forced it to be dropped by blacklisting (I should have explained that; but I did miss that it was a response, was looking at the formatted log file, not the raw data, now I know better) because previously I had noticed a great deal of connection attempts between that site and one of my computers. I just took it back off the blacklist, and when I connect to the server, using port 80, it had an unfinished Apache server installation on it (which doesn't mean much except port 80 is open and unused on the computer). Sounds like something on the Win2k box initiated communication at some time in the past, and 66 still wants to communicate, and maybe it may be a mystery why it is still going on (or maybe you have an answer). Could a response be easily faked (not saying this is the case here, but wanting to know)? I'd still like to know how to differentiate hacker "attacks" or attempts at penetration into my network, and other innocuous traffic. Are they frequent, or are they pretty rare? I've seen some activity in the log file, where the source IP address is attempting connection (not in response, a new connection), and will try at that IP address for a few attempts changing the destination ports, and then a new source IP address will appear in the log, and the entries will mimic the previous entries by going through a set of destination ports. I wish I had an example of this in my log file, but I don't as of now. I've seen some MS-SQL related ports, and I've assumed that's random traffic.
When I had Verizon, I noticed they had Netbios packets going everywhere, which I blocked out, assuming again that that was just wasteful, useless traffic. Thanks for the assistance and feedback.

bpk

On Wed, 2004-06-30 at 06:33, Tom Eastep wrote:
> Brad Klinghagen wrote:
> > This isn't the full format of the log file. I sent the full file to Tom
> > Eastep to look at. As for virus, doubtful, since the computer is running
> > the latest version of Symantec Anti-Virus 2004 and gets updates whenever
> > available (initiates the updates).
>
> Nevertheless, it appears that 10.1.1.65 is trying to connect to
> 66.232.154.8 and not the other way around! Your log is full of dropped
> SYN,ACK packets which 66.232.154.8 would return in response to a SYN
> from 10.1.1.65.
>
> -Tom

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
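A defender-side way to make the distinction Tom draws, added here as an example and not taken from the thread: classify each dropped packet by its TCP flags (SYN,ACK is the reply to a connection the inside host opened; a bare SYN is someone outside initiating) and group the bare SYNs per source to spot the one-source-walking-several-ports pattern Brad describes. The log lines are constructed in netfilter's `SRC=/DST=/PROTO=/SPT=/DPT=` format; apart from 66.232.154.8 and 10.1.1.65, every address and port is made up, and the `sweep_threshold` of 3 is an assumed tuning knob.

```python
import re
from collections import defaultdict

# Constructed netfilter-style DROP lines (not the poster's real log). The
# 66.232.154.8 / 10.1.1.65 addresses are the ones discussed in the thread;
# the other sources and every port number are made up for illustration.
LOG = """\
Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=66.232.154.8 DST=10.1.1.65 PROTO=TCP SPT=80 DPT=1031 RES=0x00 ACK SYN URGP=0
Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=66.232.154.8 DST=10.1.1.65 PROTO=TCP SPT=80 DPT=1031 RES=0x00 ACK SYN URGP=0
Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=10.1.1.65 PROTO=TCP SPT=3921 DPT=135 RES=0x00 SYN URGP=0
Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=10.1.1.65 PROTO=TCP SPT=3922 DPT=139 RES=0x00 SYN URGP=0
Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=10.1.1.65 PROTO=TCP SPT=3923 DPT=445 RES=0x00 SYN URGP=0
Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.9 DST=10.1.1.65 PROTO=TCP SPT=1433 DPT=1433 RES=0x00 SYN URGP=0
"""
FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse(line):
    # Addressing fields plus whichever bare flag tokens netfilter printed.
    rec = dict(FIELD.findall(line))
    rec["flags"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return rec

def classify(rec):
    # SYN,ACK is step two of the handshake: it answers a SYN *we* sent.
    if rec.get("PROTO") != "TCP":
        return "non_tcp"
    if {"SYN", "ACK"} <= rec["flags"]:
        return "reply"
    if "SYN" in rec["flags"]:
        return "new_attempt"   # bare SYN: the outside host is initiating
    return "stray"             # ACK/RST/FIN without SYN: leftovers, not a probe

def summarize(lines, sweep_threshold=3):
    # Per source IP: a verdict and the distinct ports it tried to open.
    kinds = defaultdict(lambda: defaultdict(int))
    dports = defaultdict(set)
    for line in filter(str.strip, lines):
        rec = parse(line)
        kind = classify(rec)
        kinds[rec["SRC"]][kind] += 1
        if kind == "new_attempt":
            dports[rec["SRC"]].add(int(rec["DPT"]))
    report = {}
    for src, k in kinds.items():
        if k["new_attempt"] == 0:   # never initiated anything toward us
            verdict = "reply_to_our_connection" if k["reply"] else "stray"
        elif len(dports[src]) >= sweep_threshold:
            verdict = "multi_port_probe"       # one source walking several ports
        else:
            verdict = "single_port_attempt"    # background noise unless it repeats
        report[src] = {"verdict": verdict, "dports": sorted(dports[src])}
    return report
```

Run against a real log by feeding `summarize()` the DROP lines from `/var/log/messages`; a source that only ever shows up as `reply_to_our_connection` is something inside the network is talking to, and the thing to look for is the process on the inside host, not the outside address.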
