Syn Flood

Christopher_Bird · March 26, 2003, 3:55am

I have a problem on a home PC of all things. Every once in a while it bursts into life and syn floods an IP address on port 80. The IP addresses it chooses are random and varied. The network counters ratchet up alarmingly (as viewed in the connections window). I am running winXP Pro on this box.

I have zone alarm, an SMC Barricade firewall, and Norton anti virus.

I don’t seem to be able to catch the computer at it, I just have the evidence after the event. I don’t like the anti social behavior that this is exhibiting and am wondering if the collective wisdom of this group might have any ideas how to track the issue down.

According to virus checkers, I am clean.

Thanks in advance

Chris Bird

Johannes_Ullrich · March 26, 2003, 4:06am

I would look for something like an IRC bot. Zonealarm may not
catch it if it is on there for a while and some user 'permitted'
it at some point. Usually, these bots have names to sound like
system binaries. Anti virus software may not catch the agent.

Do you have any full packet captures from the system? Any traffic
that could be control traffic (doesn't have to go to port 6667)

Ron_Harris · March 26, 2003, 4:12am

I had success on several computers catching IRC Bots with SwatIT, which is free.

http://www.lockdowncorp.com/

Ron

Jack_Bates · March 26, 2003, 4:22am

Christopher Bird wrote:

I have zone alarm, an SMC Barricade firewall, and Norton anti virus.

Ahhh, but do you have Ad-Aware?

Michael_Painter · March 26, 2003, 5:22am

I have a problem on a home PC of all things. Every once in a while it
bursts into life and syn floods an IP address on port 80. The IP
addresses it chooses are random and varied. The network counters ratchet
up alarmingly (as viewed in the connections window). I am running winXP
Pro on this box.

You might want to let a prog. such as TCP View (free) run while you're idle. Beats trying to get netstat to capture it, imo.

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

Also, close everything you can and look at what Processes are running. Some of these things are hard to spot...I was infected and
the offender was named "Iexplorer.exe", while the real IE is named IEXPLORE.exe and the real Explorer is named Explorer.exe.

Here's another free prog. which aids in tying a process to what's running it.

http://www.xmlsp.com/pview/prcview.htm

These "trojans" don't seem to be caught by some Anti-Virus programs...at least AVG didn't catch mine. I ended up searching google
for Iexplorer.exe and found (5 pages deep a year ago) an obscure thread which had part of the solution for removal. I then searched
the HD for any files created at the same time and found the rest of the (by then morphed) creature.

Good luck.

--Michael

Michael_Lewinski · March 26, 2003, 5:26am

Ron Harris wrote:

I had success on several computers catching IRC Bots with SwatIT, which is
free.

http://www.lockdowncorp.com/

I would recommend that anyone who considers using Lock Down's software be aware of the content here:

http://www.pc-help.org/www.nwinternet.com/pchelp/lockdown/index.html

In short, the owner of pc-help.org was sued by Lock Down when he exposed their false advertising claims.

Lock Down lost their suit:

http://www.pc-help.org/suit/

Mike