From: Scott S. <ss...@sg...> - 2011-01-24 20:52:54
on 1/23/2011 10:05 PM Jamie Klein spake the following:
> Hello,
>
> I was looking at our proxy logs (see below) and saw what I think are unusual
> access patterns for one of our green clients. This is happening with no
> browser windows open on the client. Client is WinXP. I did various things
> on the client, such as virus scan, spyware scan, went through startup
> services and stopped most of them, used msconfig to stop basically
> everything except basic services to keep network running, and the behaviour
> continues as long as internet is available to client. I stopped too many
> services at times so that the client's network connection was disabled. This
> fixed the behaviour, but obviously not the cause.
>
> I have given up. Maybe the behaviour is normal and someone can tell me so,
> but it doesn't look normal to me. I also downloaded some of the "conf.au"
> files that the client is connecting to. All the ones I downloaded are
> identical and open in a text editor as a small text string. The impact of
> this behaviour on our bandwidth etc. is negligible, but it is filling my
> proxy logs up with all this junk.
>
> Also googled "conf.au" and some of the domain names that the client is
> connecting to, but no-one else seems to have similar issues. That is why I
> am doubting myself here. Maybe this is normal??
>
> Brief explanation of behaviour is that the client accesses the same few URLs
> over and over. The URLs seem to be totally unrelated to each other except
> that they all contain the identical file "conf.au".
>
> Extract from proxy log...
>
> 14:58:05 192.168.0.60 http://www.blackdiamondmotorcycletours.com/pics/conf.au
> 14:58:25 192.168.0.60 http://www.adrianosfigtrees.com/adrianmedia/conf.au
> 14:58:25 192.168.0.60 http://www.advertisemints.com/minimints/images/conf.au
> 14:58:25 192.168.0.60 http://www.advertisemints.com/minimints/images/conf.au
> 14:58:27 192.168.0.60 http://www.advertisemints.com/minimints/images/conf.au
> 14:58:27 192.168.0.60 http://www.advertisemints.com/minimints/images/conf.au
> 14:58:34 192.168.0.60 http://www.africanappeal.com/images/conf.au
> 14:58:34 192.168.0.60 http://www.beyondbellydance.com/site_images/conf.au
> 14:58:34 192.168.0.60 http://www.blackdiamondmotorcycletours.com/pics/conf.au
> 14:58:37 192.168.0.60 http://www.google.com.au/
> 14:58:40 192.168.0.60 http://www.aerographicsusa.com/images/conf.au
> 14:58:55 192.168.0.60 http://www.adrianosfigtrees.com/adrianmedia/conf.au
> 14:58:55 192.168.0.60 http://www.advertisemints.com/minimints/images/conf.au
> 14:59:04 192.168.0.60 http://www.africanappeal.com/images/conf.au
> 14:59:04 192.168.0.60 http://www.beyondbellydance.com/site_images/conf.au
> 14:59:04 192.168.0.60 http://www.blackdiamondmotorcycletours.com/pics/conf.au
> 14:59:10 192.168.0.60 http://www.aerographicsusa.com/images/conf.au
> 14:59:20 192.168.0.60 http://60.12.117.170/conf.au
> 14:59:25 192.168.0.60 http://www.adrianosfigtrees.com/adrianmedia/conf.au
> 14:59:25 192.168.0.60 http://www.advertisemints.com/minimints/images/conf.au
> 14:59:35 192.168.0.60 http://www.africanappeal.com/images/conf.au
> 14:59:35 192.168.0.60 http://www.beyondbellydance.com/site_images/conf.au
> 14:59:35 192.168.0.60 http://www.blackdiamondmotorcycletours.com/pics/conf.au
> 14:59:40 192.168.0.60 http://www.aerographicsusa.com/images/conf.au
> 14:59:49 192.168.0.60 http://60.12.117.170/conf.au
> 14:59:55 192.168.0.60 http://www.adrianosfigtrees.com/adrianmedia/conf.au
> 14:59:55 192.168.0.60 http://www.advertisemints.com/minimints/images/conf.au
>
> And this goes on "forever"
>
> Any ideas appreciated.

Maybe a rootkit on it? They hide their tracks VERY well. I have a boot system I use based on www.ubcd4win.com that lets me see into broken systems without their actually running on the compromised OS.
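The pattern Jamie describes, one client fetching the same file name from many unrelated hosts on a tight cycle, is something a proxy log can be screened for automatically. The script below is an added example, not code from either poster: it parses the "HH:MM:SS client-ip URL" layout shown in the extract and flags any (client, filename) pair seen across several distinct hosts. The sample log is constructed in that layout; the threshold of three hosts is an assumed starting point.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the thread's proxy-log layout ("HH:MM:SS client-ip URL").
SAMPLE_LOG = """\
14:58:05 192.168.0.60 http://www.blackdiamondmotorcycletours.com/pics/conf.au
14:58:25 192.168.0.60 http://www.adrianosfigtrees.com/adrianmedia/conf.au
14:58:25 192.168.0.60 http://www.advertisemints.com/minimints/images/conf.au
14:58:34 192.168.0.60 http://www.africanappeal.com/images/conf.au
14:58:37 192.168.0.60 http://www.google.com.au/
14:58:40 192.168.0.60 http://www.aerographicsusa.com/images/conf.au
14:59:20 192.168.0.60 http://60.12.117.170/conf.au
14:59:35 192.168.0.60 http://www.africanappeal.com/images/conf.au
14:59:55 192.168.0.60 http://www.adrianosfigtrees.com/adrianmedia/conf.au
15:00:05 192.168.0.61 http://www.example.test/index.html
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Return (time, client, host, filename) for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, url = m.groups()
    parsed = urlparse(url)
    filename = parsed.path.rsplit("/", 1)[-1]  # "" for a bare "/" path (directory index)
    return ts, client, parsed.hostname, filename


def find_repeated_filenames(log_text, min_hosts=3):
    """Flag (client, filename) pairs where one client pulled the same file name
    from at least min_hosts distinct hosts, the pattern described in the thread.
    Returns {(client, filename): {"hosts": [...], "requests": n}}."""
    hosts = defaultdict(set)
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec[3]:
            continue  # skip unparsable lines and requests for a directory index
        _, client, host, filename = rec
        hosts[(client, filename)].add(host)
        counts[(client, filename)] += 1
    return {
        key: {"hosts": sorted(hs), "requests": counts[key]}
        for key, hs in hosts.items()
        if len(hs) >= min_hosts
    }
```

On the sample above only 192.168.0.60 with "conf.au" is flagged (8 requests, 6 hosts); the google.com.au hit and the second client's single index.html fetch are not.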