abnormal connection

Shinyaw Chua
Level 1

I observed a lot of abnormal connections in the PIX log file, but I am not sure what kind of attack or virus this is. If you have seen this or experienced these symptoms, I would appreciate it if you could send me a mail.

Symptoms: the port number is increasing sequentially. 192.25.42.232 is the PIX outside interface.

07:45:59 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1197 to outside:/57294
07:45:59 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1198 to outside:192.25.42.232/57295
07:46:00 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1199 to outside:192.25.42.232/57296
07:46:00 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1200 to outside:192.25.42.232/57297
07:46:00 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1201 to outside:192.25.42.232/57298
07:46:01 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1202 to outside:192.25.42.232/57299
07:46:01 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1203 to outside:192.25.42.232/57300
07:46:01 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1204 to outside:192.25.42.232/57301
07:46:02 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1205 to outside:192.25.42.232/57302
07:46:03 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1206 to outside:192.25.42.232/57303
07:46:03 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1207 to outside:192.25.42.232/57304
07:46:03 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1208 to outside:192.25.42.232/57305
07:46:04 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1209 to outside:192.25.42.232/57306
07:46:04 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1210 to outside:192.25.42.232/57307
07:46:04 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1211 to outside:192.25.42.232/57308
07:46:05 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1212 to outside:192.25.42.232/57309
07:46:05 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1213 to outside:192.25.42.232/57310
07:46:05 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1214 to outside:192.25.42.232/57311
07:46:06 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1215 to outside:192.25.42.232/57312
07:46:06 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1216 to outside:192.25.42.232/57313
07:46:06 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1217 to outside:192.25.42.232/57314
07:46:07 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1219 to outside:192.25.42.232/57315
07:46:07 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1220 to outside:192.25.42.232/57316
07:46:07 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1221 to outside:192.25.42.232/57317
07:46:07 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1222 to outside:192.25.42.232/57318

Regards

ShinYaw

1 Reply

gfullage
Cisco Employee

Certainly looks like 146.223.175.41 is infected with some kind of worm, where it's trying to find other hosts to infect.

If you don't have any virus protection software on this machine, get some.

Alternatively, go to http://vil.nai.com/vil/averttools.asp and download the latest version of Stinger; this'll detect and remove all of the latest worms/trojans from this machine.
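The symptom in the question (one inside host opening a new outbound TCP translation roughly every 300 ms, with sequential source ports) is easy to pick out of PIX syslog automatically. The script below is an added example, not code from this thread or from Cisco; it parses the %PIX-6-305011 format quoted above and flags inside hosts whose burst of new translations exceeds a threshold. The sample log lines are constructed (RFC 5737 addresses), and the window and threshold values are assumptions to tune for your network.

```python
import re
from collections import defaultdict

# Matches the %PIX-6-305011 lines quoted in the post. The outside IP is
# optional because the first quoted line reads "outside:/57294".
PIX_305011 = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) %PIX-6-305011: Built dynamic TCP translation "
    r"from (?P<ifc>\w+):(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) "
    r"to outside:(?P<nat>[\d.]*)/(?P<nport>\d+)$"
)

def parse_305011(log_text):
    """Yield (seconds since midnight, inside interface, src IP, src port)."""
    for line in log_text.splitlines():
        m = PIX_305011.match(line.strip())
        if m:
            h, mi, s = (int(x) for x in m["time"].split(":"))
            yield h * 3600 + mi * 60 + s, m["ifc"], m["src"], int(m["sport"])

def flag_scanners(log_text, window_secs=10, min_conns=8):
    """Return {src_ip: peak} for inside hosts that open at least min_conns
    new outbound TCP translations within any window_secs span, i.e. the
    one-connection-per-port-every-few-hundred-ms burst seen in the post."""
    per_host = defaultdict(list)
    for ts, _ifc, src, _sport in parse_305011(log_text):
        per_host[src].append(ts)
    flagged = {}
    for src, times in per_host.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):       # sliding window over timestamps
            while times[end] - times[start] > window_secs:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_conns:
            flagged[src] = peak
    return flagged

# Constructed sample (RFC 5737 addresses, not the poster's log): one host
# bursting like the post, one host with ordinary sparse traffic.
SAMPLE_LOG = "\n".join(
    [f"07:46:{sec:02d} %PIX-6-305011: Built dynamic TCP translation "
     f"from nap:192.0.2.41/{1197 + i} to outside:198.51.100.2/{57294 + i}"
     for i, sec in enumerate([0, 0, 1, 1, 1, 2, 3, 3, 4])]
    + ["07:46:30 %PIX-6-305011: Built dynamic TCP translation "
       "from nap:192.0.2.77/3344 to outside:198.51.100.2/57310",
       "07:47:10 %PIX-6-305011: Built dynamic TCP translation "
       "from nap:192.0.2.77/3350 to outside:198.51.100.2/57311"]
)
```

Run `flag_scanners(SAMPLE_LOG)` to see only the bursting host reported; feed it `logging trap informational` output from the PIX to apply the same check to real traffic.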
