Question
possible rootkit - sequential ip scan

Asked by pc-cyt in HijackThis Software, Anti-Virus, Miscellaneous Security

Tags: rootkit

I have an interesting thing going on...
Wireshark is showing I have about 12 ICMP requests being sent every second from one of my servers (Win 2008 64-bit SBS FE).
The src IP is the LAN card in the server; the destination IP keeps incrementing by 1 each scan.

I've tried TCPView, but that doesn't seem to show ICMP?
I've tried MS Netmon 3.3; that shows the traffic, but 'unknown' process.
Full Malwarebytes scan is clean.
Panda Corporate scan is clean.

Kaspersky AVZ4 (script 2 comes back clean)

I'm thinking either the src IP is spoofed, or I have a rootkit hiding somewhere.

Anyone got ideas how to find out which process is generating this traffic?
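
An added example, not part of the original post: a Python check that confirms the pattern described in the question (ICMP echo requests from one source whose destination address rises by exactly one each time) in exported capture rows. The row layout (time, src, dst, ICMP type), the addresses and the function names are constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

def build_sample():
    """Constructed capture rows: time, src, dst, ICMP type (8 = echo request)."""
    rows = []
    start = int(ipaddress.IPv4Address("10.0.5.250"))
    for i in range(24):  # 12 requests/second, destination +1 each time
        rows.append(f"{i / 12:.3f},192.168.16.2,{ipaddress.IPv4Address(start + i)},8")
    for i in range(4):   # ordinary monitoring ping to one fixed gateway, with replies
        rows.append(f"{i * 0.5:.3f},192.168.16.7,192.168.16.1,8")
        rows.append(f"{i * 0.5 + 0.001:.3f},192.168.16.1,192.168.16.7,0")
    return "\n".join(rows)

def find_sequential_sweeps(text, min_run=10, max_gap=1.0):
    """Return {src: (first_dst, last_dst, count, pkts_per_sec)} for +1 runs."""
    by_src = defaultdict(list)
    for ts, src, dst, icmp_type in csv.reader(io.StringIO(text)):
        if icmp_type == "8":  # echo requests only; replies are ignored
            by_src[src].append((float(ts), int(ipaddress.IPv4Address(dst))))
    sweeps = {}
    for src, pkts in by_src.items():
        pkts.sort()
        run = [pkts[0]]
        best = run
        for prev, cur in zip(pkts, pkts[1:]):
            # A run continues while the destination is exactly previous + 1
            # (as an integer, so it carries across .255 -> .0) and the
            # packets are close together in time.
            if cur[1] == prev[1] + 1 and cur[0] - prev[0] <= max_gap:
                run.append(cur)
            else:
                run = [cur]
            if len(run) > len(best):
                best = run
        if len(best) >= min_run:
            span = best[-1][0] - best[0][0]
            rate = (len(best) - 1) / span if span > 0 else float("inf")
            sweeps[src] = (str(ipaddress.IPv4Address(best[0][1])),
                           str(ipaddress.IPv4Address(best[-1][1])),
                           len(best), round(rate, 1))
    return sweeps

if __name__ == "__main__":
    for src, hit in find_sequential_sweeps(build_sample()).items():
        print(src, hit)
```

The check only establishes which source address shows the incrementing pattern and at what rate; it does not identify the process on the host that generates the traffic.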