Author Topic: Unknown Virus/Trojan bcast from port 6001 to port 6000  (Read 3984 times)


Offline masterdebugger

  • Newbie
  • *
  • Posts: 7
  • What did you break today?
Unknown Virus/Trojan bcast from port 6001 to port 6000
« on: August 25, 2006, 10:28:55 PM »
Have a real bad case of flood bcast to 255.255.255.255:6000 from many of our computers on our corporate network. Avast is installed on ALL machines & servers and did not prevent this infection nor can it detect it. From our firewall logs we can see that over a million bcasts per hour were sent in our network.

Only reference that we found on the web is for a backdoor that was listening on port 6000. Well, this one is looking for these backdoors. Bcasts always originate from port 6001 and are sent many times over a short period of time (like 60+ times in a few seconds). With a dozen or so machines infected our network is now useless.

All attempts to identify the culprit have yielded no results. We tried RootkitRevealer, Avast! Pro full scan, and HijackThis. Not a single questionable process was found.

Our logs show first occurrence of this back in March 2006. We still have no clue what we're up against.

Has Avast! been working on this stealth virus? Is there a cure coming soon? Our users lost most of today (Friday) and I need everything back on-line for Monday morning.

RSVP!

Help anyone?

thanks - Robert

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31879
  • malware fighter
Re: Unknown Virus/Trojan bcast from port 6001 to port 6000
« Reply #1 on: August 26, 2006, 12:15:27 AM »
Hi masterdebugger,

Now there isn't much you can do against a Trinoo or a Smurf attack, but there is a way to make it ineffective.

To prevent your network from being used to flood (using up almost all your bandwidth, therefore creating a denial of service upon yourself... technically) is quite easy and not a great loss to your network. If you filter all incoming icmp traffic to the broadcast address at the router none of the machines will respond, therefore the attack will not work. This can be done with one line in the router...

client# X :1 -query RIP (overwrites it)
 --------------
if [ -f "$startup" ]; then
        exec "$startup"
else
        if [ -f "$resources" ]; then
                xrdb -load "$resources"
        fi
        #exec xsm
        exec /usr/X11/bin/fvwm2
fi
-------------------------

Furthermore consider this info on these matters: http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.services.multi-port.html



polonus
« Last Edit: August 26, 2006, 12:34:06 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline masterdebugger

  • Newbie
  • *
  • Posts: 7
  • What did you break today?
Re: Unknown Virus/Trojan bcast from port 6001 to port 6000
« Reply #2 on: August 26, 2006, 07:17:46 PM »
Sorry, I forgot to specify that we are using a Windows network.

Anyway, I found the culprit that has been flooding my network and basically brought everything to a grinding halt.

It is a little program called AvAgent.exe

An internet search told me that it belongs to Avast!  :o

We reformatted one of our Windows servers back in May (3 months ago) and have not rebooted most machines since then. Our technician "forgot" to re-install the Avast! Management. After some maintenance on another server on Thursday night, we had everyone reboot on Friday morning. That's when all hell broke loose. Only a few of the 100+ machines on our network were configured with the Management. Most were installed using the regular install.

The ADNM documentation claims that the client will try to connect to the installation server, and if not found will send a broadcast and wait for an answer... Well I beg to differ, my syslogs show client machines broadcasting floods of "where are you"... I've seen tons of these and my network statistics showed over 1.3 million packets PER HOUR of traffic on a network that is normally slightly busy but was unusable at that time.

On another note, I tried installing the ADNM (setup_adnm.exe) and it only copies some of the files and aborts with no window ever popping up and no error. Tried the cleaner and re-install to no avail. Tried a different server - same bad result. No executable gets installed, but the directory structure is created in c:\program files\Avast4...

This was tried on two (2) different Windows 2003 Servers. Both are patch-current. Documentation talks about setup_av_mgm but I never found that anywhere.

Help please!
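
The thread describes the symptom (bursts of UDP broadcasts from source port 6001 to 255.255.255.255:6000 seen in firewall logs) and, in this reply, the cause (clients with no management server configured broadcasting to find one). The following is an added example, not code from the thread or from Avast: it reads iptables-style firewall log lines, counts broadcasts to port 6000 per source host in a sliding time window, and reports the hosts exceeding a threshold, so an admin can find which machines need the management server configured. The log format, the host names, the addresses and the sample lines are all constructed assumptions for the example; lines are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed iptables/netfilter-style syslog format (hypothetical; not the thread's log format):
# "Aug 25 14:02:11 fw kernel: IN=eth1 OUT= SRC=10.1.2.17 DST=255.255.255.255 ... PROTO=UDP SPT=6001 DPT=6000 ..."
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
    r".*?SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)"
    r".*?PROTO=(?P<proto>\w+)\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2006):
    """Parse one firewall log line into a dict, or return None if it does not match.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "spt": int(m["spt"]),
        "dpt": int(m["dpt"]),
    }


def find_broadcast_flooders(lines, dst="255.255.255.255", dpt=6000,
                            window_s=5, threshold=20):
    """Return {src: peak count} for hosts that sent >= threshold broadcasts
    to dst:dpt within any window_s-second window.

    A single discovery broadcast is normal; tens within a few seconds is the
    flood pattern described in the thread.
    """
    recent = defaultdict(deque)   # src -> timestamps inside the current window
    peak = defaultdict(int)       # src -> largest window count seen
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] != dst or rec["dpt"] != dpt:
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        # Drop timestamps that have fallen out of the window.
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        peak[rec["src"]] = max(peak[rec["src"]], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


def make_sample_log():
    """Constructed sample log: one flooding host, one well-behaved host, one unrelated line."""
    lines = []
    # 10.1.2.17 sends 25 broadcasts within about three seconds (constructed).
    for i in range(25):
        sec = 11 + i // 10
        lines.append(
            f"Aug 25 14:02:{sec:02d} fw kernel: IN=eth1 OUT= MAC=00:11:22:33:44:55 "
            f"SRC=10.1.2.17 DST=255.255.255.255 LEN=64 PROTO=UDP SPT=6001 DPT=6000 LEN=44"
        )
    # 10.1.2.40 sends a single discovery broadcast, which is expected behaviour.
    lines.append(
        "Aug 25 14:02:12 fw kernel: IN=eth1 OUT= MAC=00:11:22:33:44:66 "
        "SRC=10.1.2.40 DST=255.255.255.255 LEN=64 PROTO=UDP SPT=6001 DPT=6000 LEN=44"
    )
    # Ordinary unicast DNS traffic that must be ignored.
    lines.append(
        "Aug 25 14:02:13 fw kernel: IN=eth1 OUT=eth0 "
        "SRC=10.1.2.50 DST=10.1.2.1 LEN=60 PROTO=UDP SPT=51000 DPT=53 LEN=40"
    )
    return lines


if __name__ == "__main__":
    for host, count in sorted(find_broadcast_flooders(make_sample_log()).items()):
        print(f"{host}: {count} broadcasts to port 6000 within 5 s")
```

The threshold is deliberately well above the one or two discovery packets a correctly configured client would send, so the report lists only hosts that are actually flooding; those are the ones to point at the management server (or, if it is gone, to reinstall), which is the remedy this reply arrives at.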

Offline Spiritsongs

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1757
  • Ad-aware orientated Support forum(s)
Re: Unknown Virus/Trojan bcast from port 6001 to port 6000
« Reply #3 on: August 26, 2006, 08:11:39 PM »
:) Hi Robert:

Based on what I have read, it appears your request should be in one of the other forums, such as:

http://forum.avast.com/index.php?board=10.0

OR

http://forum.avast.com/index.php?board=8.0   !?

For the Best in what counts in Life :
www.tacf.org