I have a concern that a VPN client workstation might have a worm. But only based FireGen reporting tools.
Here is a sample of the protocols being used by the client for 1 day. They use Cisco VPN Client to remote in and then use Ultra VNC to stumble around. It is one of my operators so I can just reghost her machine but the Trojan and agobot-worm only talk we my DC's. My feeling is that this is a false positive Because the virii scanner is up to date, spybot is up to date, and I ran an agobot scanner and found nothing. Anyways, has anyone seen this kind of activity on their Windows 2003 Networks using Windows XP clients? Used protocols: - Go to top <file:///C:\Program%20Files\FireGenPix2\html\ip-2009-01-29-093124-ipfore nsics-192_168_100_7.html#top#top> Service First used Last used Connections Protocol: netbios ( <http://www.eventid.net/displayprot.asp?protocol=*&keyword=netbios> UDP/138 <http://www.eventid.net/displayprot.asp?protocol=138> ) Jan 28 2009 00:30:29 Jan 28 2009 23:48:47 373 Protocol: netbios ( <http://www.eventid.net/displayprot.asp?protocol=*&keyword=netbios> UDP/137 <http://www.eventid.net/displayprot.asp?protocol=137> ) Jan 28 2009 01:22:46 Jan 28 2009 23:54:37 320 Protocol: ldap ( <http://www.eventid.net/displayprot.asp?protocol=*&keyword=ldap> UDP/389 <http://www.eventid.net/displayprot.asp?protocol=389> ) Jan 28 2009 01:39:52 Jan 28 2009 23:55:47 174 Protocol: dns ( <http://www.eventid.net/displayprot.asp?protocol=*&keyword=dns> UDP/53 <http://www.eventid.net/displayprot.asp?protocol=53> ) Jan 28 2009 03:00:07 Jan 28 2009 23:55:47 163 Protocol: TCP/82 <http://www.eventid.net/displayprot.asp?protocol=82> Jan 28 2009 04:39:02 Jan 28 2009 23:54:23 132 Protocol: kerberos ( <http://www.eventid.net/displayprot.asp?protocol=*&keyword=kerberos> TCP/88 <http://www.eventid.net/displayprot.asp?protocol=88> ) Jan 28 2009 06:09:05 Jan 28 2009 23:55:49 126 Protocol: netbios ( <http://www.eventid.net/displayprot.asp?protocol=*&keyword=netbios> TCP/445 <http://www.eventid.net/displayprot.asp?protocol=445> ) Jan 28 2009 06:09:04 Jan 28 2009 23:55:47 92 Protocol: ms rpc ( <http://www.eventid.net/displayprot.asp?protocol=*&keyword=ms%20rpc> TCP/135 <http://www.eventid.net/displayprot.asp?protocol=135> ) Jan 28 2009 00:05:37 Jan 28 2009 23:44:49 43 Protocol: netbios ( <http://www.eventid.net/displayprot.asp?protocol=*&keyword=netbios> TCP/139 <http://www.eventid.net/displayprot.asp?protocol=139> ) Jan 28 2009 06:33:02 Jan 28 2009 23:48:47 43 Protocol: agobot-worm ( <http://www.eventid.net/displayprot.asp?protocol=*&keyword=agobot-worm> TCP/1025 <http://www.eventid.net/displayprot.asp?protocol=1025> ) Jan 28 2009 06:39:59 Jan 28 2009 23:44:50 29 Protocol: trojan ( <http://www.eventid.net/displayprot.asp?protocol=*&keyword=trojan> TCP/1026 <http://www.eventid.net/displayprot.asp?protocol=1026> ) Jan 28 2009 06:30:27 Jan 28 2009 23:15:26 19 Protocol: ldap ( <http://www.eventid.net/displayprot.asp?protocol=*&keyword=ldap> TCP/389 <http://www.eventid.net/displayprot.asp?protocol=389> ) Jan 28 2009 06:46:44 Jan 28 2009 22:46:01 2 Protocol: vnc ( <http://www.eventid.net/displayprot.asp?protocol=*&keyword=vnc> TCP/5900 <http://www.eventid.net/displayprot.asp?protocol=5900> ) Jan 28 2009 21:31:05 Jan 28 2009 21:31:05 1 This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
