incident response need help

Discussion in 'other security issues & news' started by lunarlander, Jul 17, 2015.

  1. lunarlander (Registered Member; joined Apr 30, 2011; 326 posts)

    Hi,

    I did a tcpdump of network traffic and noticed traffic to a DSL address belonging to my ISP. This is upon starting up of my Windows 7 machine, without logging in. And the traffic is outgoing. I phoned my ISP and asked and they don't run any proxy servers. Here is what I saw:

    2015-07-16 23:49:23.500883 IP cde.myboxes.box.49186 > 206-248-168-168.dsl.teksavvy.com.http: Flags [S], seq 3554008527, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

    So, I assume that this is an attack that has installed something.

    I downloaded GNU grep onto the Windows 7 box and did a search for "206.248" and found nothing. And foolishly, I assumed at first that it might have something to do with my accounts and rebuilt them, deleting old account contents. So I might have erased some evidence. And I watched tcpdump again and found the same traffic again.

    This is getting serious, and looks like a rootkit.

    So I booted with a Linux LiveCD and did a grep for the same thing and found nothing. Unfortunately I couldn't search System Volume Information, as my LiveCD ran out of memory. So I cleared all the restore points. And I did a tcpdump again. The traffic was still there. That was the snippet I have shown above.

    At this point I am at a loss as to what to try next.
     
    Last edited: Jul 17, 2015
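A small triage script for the observation above, added here as an example and not part of lunarlander's post. It parses the tcpdump line into fields, recovers the dotted-quad address from the provider-style reverse-DNS name (a heuristic assumption based on the "206-248-168-168.dsl..." naming pattern; only tcpdump -n output is authoritative), classifies the destination as public or private, and then shows why an ASCII grep for "206.248" can come back empty even when the address is on disk: Windows stores many strings as UTF-16LE, and code and registry values often hold an address as a packed 32-bit integer rather than as text. The sample line and the sample byte blob below are constructed for the example.

```python
"""Triage helpers for an unexplained outbound SYN seen in tcpdump.

Added example, not code from the original post.  The hostname-to-address
recovery is a heuristic assumption; the sample blob is constructed.
"""
import ipaddress
import re
import struct

# Constructed sample: the line quoted in the post, flags as tcpdump prints them.
SAMPLE_LINE = (
    "2015-07-16 23:49:23.500883 IP cde.myboxes.box.49186 > "
    "206-248-168-168.dsl.teksavvy.com.http: Flags [S], seq 3554008527, "
    "win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0"
)

# tcpdump's default TCP line layout: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [..]"
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IP (?P<src>\S+)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\]"
)
# Provider-style PTR names such as 206-248-168-168.dsl.example (assumption).
PTR_QUAD_RE = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.")


def parse_tcpdump_line(line):
    """Return a dict of ts, src, sport, dst, dport, flags; None if not a TCP line."""
    m = TCPDUMP_RE.match(line)
    return m.groupdict() if m else None


def host_to_ip(host):
    """Recover an IPv4 address embedded in a PTR-style name, or None (heuristic)."""
    m = PTR_QUAD_RE.match(host)
    return ".".join(m.groups()) if m else None


def is_public(ip):
    """True for globally routable addresses (not RFC 1918, loopback, link-local)."""
    return ipaddress.ip_address(ip).is_global


def ip_patterns(ip):
    """Byte encodings of an IPv4 address worth searching a disk image for.

    The 4-byte forms are short and will produce false positives; treat a hit
    on them as a lead to confirm by hand, not as proof.
    """
    packed = ipaddress.IPv4Address(ip).packed  # network (big-endian) order
    return {
        "ascii": ip.encode("ascii"),            # what a plain grep finds
        "utf16le": ip.encode("utf-16-le"),      # Windows wide strings, registry
        "be32": packed,                         # raw in_addr in a file or pcap
        "le32": packed[::-1],                   # DWORD as stored by x86 code
    }


def search_blob(blob, ip):
    """Return (encoding, offset) for each encoding of ip found in blob."""
    hits = []
    for name, pat in ip_patterns(ip).items():
        off = blob.find(pat)
        if off != -1:
            hits.append((name, off))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample "file": filler, the address as a UTF-16LE string, then as a
# little-endian DWORD.  Neither form contains the ASCII bytes "206.248.168.168".
SAMPLE_BLOB = (
    b"\x00" * 16
    + "Server=".encode("utf-16-le")
    + "206.248.168.168".encode("utf-16-le")
    + b"\x00" * 8
    + struct.pack("<I", int(ipaddress.IPv4Address("206.248.168.168")))
)


if __name__ == "__main__":
    fields = parse_tcpdump_line(SAMPLE_LINE)
    ip = host_to_ip(fields["dst"])
    print("flags=%s dst=%s ip=%s public=%s" % (fields["flags"], fields["dst"], ip, is_public(ip)))
    print("ascii grep hit:", SAMPLE_BLOB.find(b"206.248.168.168") != -1)
    print("all encodings:", search_blob(SAMPLE_BLOB, ip))
```

A SYN with win 8192 and these options is simply a connection attempt, so the artefact to find is the program opening the socket, not the address string. On the Windows box the next step is to map the socket to its process while the traffic is happening, with netstat -ano (or netstat -b from an elevated prompt, which names the executable) and tasklist /svc for the PID; that tells you whether it is a service, a scheduled task or something that should not be there, and gives you a binary to search rather than a dotted-quad.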