Re: Infected machine


From: Allen Chang (allen_at_rescomp.berkeley.edu)
Date: Mon Aug 25 2003 - 17:53:04 PDT


A few more questions:

How updated of a Symantec/Norton are you running? Ideally, you should be
updated to 8/18 or later.

What exactly did SNS tell you? They're usually pretty accurate. It's
possible that the computer you're dealing with was compromised via the RPC
vulnerability and is now being used as a scanning server of some sort.

@llen

~---------------------------------~
           Allen Chang
 Lead Network Security Coordinator
  Office of Residential Computing
           UC Berkeley
~---------------------------------~

On Mon, 25 Aug 2003, David Lee wrote:

> Hi all. I need help. Campus security has informed me that I have some
> infected machines broadcasting on port 135. I've since obtained the
> removal tools and instructions for MSBlast. Virus scan and MSBlast removal
> tool are both negative. They come back completely clean. Campus still
> says I'm infected. So I install a firewall to try to log some of this
> activity the campus is recording. Sure enough, this machine is
> infected. With what, I have no idea. Norton does not detect it and I am
> finding no strange files lying about. Any ideas?
>
> David D. Lee
> Computer Resource Specialist II
> Office of Undergraduate Admissions
> ouarshlp_at_uclink4.berkeley.edu
> 2-6417

------------------------------------------------------------------------
The following was automatically added to this message by the list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.



This archive was generated by hypermail 2.1.5 : Mon Aug 25 2003 - 17:53:59 PDT