incident response need help

Discussion in 'other security issues & news' started by lunarlander, Jul 17, 2015.

lunarlander (Registered Member, Apr 30, 2011)

I did a tcpdump of network traffic and noticed traffic to a DSL address belonging to my ISP. This happens upon startup of my Windows 7 machine, without logging in, and the traffic is outgoing. I phoned my ISP and asked, and they don't run any proxy servers. Here is what I saw:

    2015-07-16 23:49:23.500883 IP > Flags seq 3554008527, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

    So, I assume that this is an attack that has installed something.

I downloaded GNU grep onto the Windows 7 box and did a search for "206.248" and found nothing. And foolishly, I assumed at first that it might have something to do with my accounts and rebuilt them, deleting old account contents. So I might have erased some evidence. And I watched tcpdump again and found the same traffic again.

This is getting serious, and looks like a rootkit.

So I booted with a Linux LiveCD and did a grep for the same thing and found nothing. Unfortunately I couldn't search System Volume Info, as my LiveCD ran out of memory. So I cleared all the restore points. And I did a tcpdump again. The traffic was still there. That is the snippet I showed above.

At this point I am at a loss as to what to try next.
    Last edited: Jul 17, 2015
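Added example, not code from the thread: a small Python parser for tcpdump text lines of the shape quoted in the post, which counts outgoing SYNs from the local host to a destination prefix and checks whether a SYN carries the window/option pattern of the quoted packet. The sample lines and the addresses 192.0.2.10 and 206.248.1.2 are constructed; the 206.248.0.0/16 prefix is an assumption based on the "206.248" string the poster grepped for.

```python
import re
import ipaddress
from collections import Counter

# tcpdump -tttt text output of the shape quoted in the post:
# "<date> <time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$"
)

# Window size and option list carried by the SYN in the post. This pattern is the
# default SYN profile of the Windows 7 TCP stack (p0f-style fingerprint).
WIN7_SYN_OPTS = "mss 1460,nop,wscale 8,nop,nop,sackOK"


def parse_line(line):
    """Return the fields of one tcpdump line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def looks_like_windows_syn(rest):
    """True if the packet tail carries the window/option pattern of the post's SYN."""
    return "win 8192" in rest and f"options [{WIN7_SYN_OPTS}]" in rest


def outbound_syns(text, local_ip, prefix):
    """Count pure SYNs sent by local_ip to hosts inside prefix, keyed by (dst, port)."""
    net = ipaddress.ip_network(prefix)
    hits = Counter()
    for line in text.splitlines():
        p = parse_line(line)
        if p is None or p["flags"] != "S" or p["src"] != local_ip:
            continue
        if ipaddress.ip_address(p["dst"]) in net:
            hits[(p["dst"], int(p["dport"]))] += 1
    return hits


# Constructed sample capture: two SYNs to the ISP prefix, one SYN-ACK reply,
# and one unrelated DNS SYN that must not be counted.
SAMPLE = """\
2015-07-16 23:49:23.500883 IP 192.0.2.10.49152 > 206.248.1.2.80: Flags [S], seq 3554008527, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2015-07-16 23:49:23.530000 IP 206.248.1.2.80 > 192.0.2.10.49152: Flags [S.], seq 1, ack 3554008528, win 65535, options [mss 1460], length 0
2015-07-16 23:49:26.500000 IP 192.0.2.10.49153 > 206.248.1.2.80: Flags [S], seq 100, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2015-07-16 23:49:30.000000 IP 192.0.2.10.49154 > 192.0.2.1.53: Flags [S], seq 7, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
"""
```

A SYN that matches the Windows profile was built by the host's own TCP stack rather than injected on the wire, so the remaining question is which local process owns that socket at boot.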