03-23-2004 07:24 PM - edited 03-09-2019 06:51 AM
I observed a lot of abnormal connections in the PIX log file, but I am not sure what kind of attack or virus this is. If you have seen this or experienced these symptoms, I would appreciate it if you could send me a mail.
Symptoms: the port number is increasing sequentially. 192.25.42.232 is a PIX outside interface.
07:45:59 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1197 to outside:/57294
07:45:59 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1198 to outside:192.25.42.232/57295
07:46:00 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1199 to outside:192.25.42.232/57296
07:46:00 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1200 to outside:192.25.42.232/57297
07:46:00 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1201 to outside:192.25.42.232/57298
07:46:01 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1202 to outside:192.25.42.232/57299
07:46:01 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1203 to outside:192.25.42.232/57300
07:46:01 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1204 to outside:192.25.42.232/57301
07:46:02 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1205 to outside:192.25.42.232/57302
07:46:03 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1206 to outside:192.25.42.232/57303
07:46:03 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1207 to outside:192.25.42.232/57304
07:46:03 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1208 to outside:192.25.42.232/57305
07:46:04 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1209 to outside:192.25.42.232/57306
07:46:04 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1210 to outside:192.25.42.232/57307
07:46:04 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1211 to outside:192.25.42.232/57308
07:46:05 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1212 to outside:192.25.42.232/57309
07:46:05 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1213 to outside:192.25.42.232/57310
07:46:05 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1214 to outside:192.25.42.232/57311
07:46:06 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1215 to outside:192.25.42.232/57312
07:46:06 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1216 to outside:192.25.42.232/57313
07:46:06 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1217 to outside:192.25.42.232/57314
07:46:07 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1219 to outside:192.25.42.232/57315
07:46:07 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1220 to outside:192.25.42.232/57316
07:46:07 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1221 to outside:192.25.42.232/57317
07:46:07 %PIX-6-305011: Built dynamic TCP translation from nap:146.223.175.41/1222 to outside:192.25.42.232/57318
Regards
ShinYaw
03-23-2004 09:00 PM
Certainly looks like 146.223.175.41 is infected with some kind of worm, where it's trying to find other hosts to infect.
If you don't have any virus protection software on this machine, get some.
Alternatively, go to http://vil.nai.com/vil/averttools.asp and download the latest version of Stinger; this'll detect and remove all of the latest worms/trojans from this machine.
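A way to triage logs like the one posted above, as an added example that is not part of the original thread: it parses `%PIX-6-305011` lines and flags inside hosts that build many TCP translations in a short window, also counting how often the source port steps by exactly one. The window and threshold values, the `10.0.0.5` host and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches the 305011 format quoted in the post; the mapped address may be empty.
LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d) %PIX-6-305011: Built dynamic TCP translation "
    r"from (\w+):([\d.]+)/(\d+) to (\w+):([\d.]*)/(\d+)$"
)

def parse(line):
    """Return (seconds_since_midnight, inside_host, source_port) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = (int(x) for x in m.group(1, 2, 3))
    return h * 3600 + mi * 60 + s, m.group(5), int(m.group(6))

def flag_hosts(lines, window=10, threshold=20):
    """Flag hosts with >= threshold new translations inside `window` seconds."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            events[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for host, evs in events.items():
        evs.sort()
        start = peak = 0
        for end in range(len(evs)):          # sliding time window
            while evs[end][0] - evs[start][0] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            ports = [p for _, p in evs]
            steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
            flagged[host] = {"peak": peak, "total": len(evs),
                             "sequential_steps": steps}
    return flagged

def sample_log():
    """Constructed sample: one noisy host (3 translations/s) and one quiet host."""
    fmt = ("07:{:02d}:{:02d} %PIX-6-305011: Built dynamic TCP translation "
           "from nap:{}/{} to outside:192.25.42.232/{}")
    noisy = [fmt.format(46, i // 3, "146.223.175.41", 1197 + i, 57294 + i)
             for i in range(25)]
    quiet = [fmt.format(46 + i, 0, "10.0.0.5", 2000 + 50 * i, 60000 + i)
             for i in range(3)]
    return noisy + quiet

if __name__ == "__main__":
    for host, stats in flag_hosts(sample_log()).items():
        print(host, stats)
```

A flagged host is only a candidate for inspection: translation records show how fast it opens new connections, not where they go, so the destinations have to come from the connection log or from the host itself.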