Author Topic: HELP with 68.178.232.99  (Read 5186 times)


February 02, 2010, 10:00:21 pm

amyinva

We have been seeing various hosts on our networks attempting to contact 68.178.232.99. These attempts are on ports 80, 445, 137 and 427, and we have DNS hijacking on a few hosts that causes everything to resolve to the above IP, even with the DNS hard-coded.

McAfee, Symantec, and Trend Micro do not show any sort of infection. Our network web filtering is showing a trojan of w32.zbot, but there aren't any hosts with updated virus scanning programs that show a problem.

We have searched the registry for these IPs, and on some of the PCs we found them and saw a process running on an hpnp. Once we stopped the service and deleted the registry entry, those PCs no longer communicated.

We are unable to find the IP or service that is causing this traffic anywhere on our AD servers, but we do see the IP in Wireshark when plugged into a hub. Additionally, on the DNS-hijacked machines we are not able to get this activity to cease, and it occurs on both broadband-card access and the local network.

Please advise of any options we can try.
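As an added illustration (not code from the original poster), the two symptoms described above can be checked from logs rather than by hand: a client whose lookups for many unrelated names all return one address, and clients that attempt the listed ports on that address. The log lines and client addresses below are constructed samples; only the IP and ports come from the post.

```python
import re
from collections import defaultdict

SUSPECT_IP = "68.178.232.99"          # the address from the thread
SUSPECT_PORTS = {80, 445, 137, 427}   # ports the original post lists

# Constructed sample DNS log lines (not real captures): "client name -> resolved_ip"
DNS_LOG = """\
10.0.0.5 www.example.com -> 93.184.216.34
10.0.0.5 update.example.net -> 198.51.100.7
10.0.0.9 www.example.com -> 68.178.232.99
10.0.0.9 mail.example.org -> 68.178.232.99
10.0.0.9 intranet.local -> 68.178.232.99
10.0.0.9 time.example.net -> 68.178.232.99
"""

# Constructed sample connection log lines: "client -> dst_ip:dst_port"
CONN_LOG = """\
10.0.0.5 -> 93.184.216.34:443
10.0.0.7 -> 68.178.232.99:445
10.0.0.7 -> 68.178.232.99:137
10.0.0.9 -> 68.178.232.99:80
"""

DNS_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")
CONN_RE = re.compile(r"^(\S+) -> (\S+):(\d+)$")

def hijacked_clients(dns_log, sink_ip=SUSPECT_IP, min_names=3):
    """Clients for which >= min_names distinct names all resolve to sink_ip,
    i.e. the "everything resolves to the above IP" symptom from the post."""
    names_to_sink = defaultdict(set)
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if m and m.group(3) == sink_ip:
            names_to_sink[m.group(1)].add(m.group(2))
    return sorted(c for c, names in names_to_sink.items() if len(names) >= min_names)

def contacting_clients(conn_log, sink_ip=SUSPECT_IP, ports=SUSPECT_PORTS):
    """Map each client to the sorted list of suspect ports it tried on sink_ip."""
    hits = defaultdict(set)
    for line in conn_log.splitlines():
        m = CONN_RE.match(line)
        if m and m.group(2) == sink_ip and int(m.group(3)) in ports:
            hits[m.group(1)].add(int(m.group(3)))
    return {c: sorted(p) for c, p in hits.items()}

if __name__ == "__main__":
    print("DNS-hijacked clients:", hijacked_clients(DNS_LOG))
    print("Clients contacting sink:", contacting_clients(CONN_LOG))
```

The `min_names` threshold keeps a single legitimate lookup of that address from being flagged; raise it on networks where many names are expected to share one front-end address.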


February 09, 2010, 12:01:38 pm
Reply #1

ocean

First of all, a temporary workaround *could* be to drop every connection to this IP with a hard firewall or a soft firewall on the gateway (or something like that).

Run some tools on the infected machines, like RootkitRevealer and HijackThis, and analyze the output.

http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
http://www.free-av.com/en/tools/4/avira_antirootkit_tool.html
http://free.antivirus.com/hijackthis/

regards
ocean