This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

My network traffic looks exactly like the dns-remoteshell.pcap. What now???

0

Okay, so I am having problems with a Fedora Core 14 Linux machine. I inherited it recently from my late brother and while he was a Linux GOD, I am merely a mortal. I know something, somewhat about Linux from my days as a contributing editor at Newsforge (talk about embarrassing, asking this when I used to WRITE about Linux), but I do not know enough to solve this problem.

Anyway, I have traffic captures that look exactly, I mean EXACTLY like the dns-remoteshell.pcap (from the wireshark wiki under viruses and worms), but I don't know what to do NOW. Added bonus, my ISP is Hughesnet and I am getting slammed for going over their arbitrary and VERY low traffic caps. It's driving me WILD. I've been working on this for four days now and finding the pcap was a big breakthrough, but I don't know how to get rid of the worm(?), fix the problem or make this computer work right again. I am beginning to think that my best bet might be to wipe Fedora 14 and use freaking Windows which at least I understand. How is THAT for frustrated, PLEASE will someone trade me for a Mac!

Can someone help me, please!

UPDATE: Whoops! I neglected to mention that I've run a full scan with ClamAV with up-to-date signatures. And this seems to infect more than one user account.

asked 10 Aug '11, 06:39

privateice
accept rate: 0%

edited 10 Aug '11, 06:42

SYNbit, Clam AV says nothing is infected with anything. It says the whole filesystem is clean.

The traffic I get has the Source Intel_some-address broadcasting a Who has for my IP. Then it does a lot of TCP requests for something or other. As far as I can tell, it uses those to download a huge amount of material--as much as the bandwidth can stand (which completely overwhelms my hughesnet at home).

(10 Aug '11, 11:25) privateice

One Answer:

0

The file dns-remoteshell.pcap shows packets to an infected Windows XP system where a remote shell seems to be enabled on the TCP DNS port (and also on the TELNET and HTTP ports for that matter). In which way does your captured traffic look "exactly" the same?

What does ClamAV tell you? Which files seem to be infected and what kind of infections does it report? That would be your starting point in searching for a cure.

This Q&A site might be able to help you analyze your traffic, but for cleaning the box, you are better off at other, more Linux-oriented sites. You might want to try http://superuser.com/ or http://serverfault.com/

answered 10 Aug '11, 09:28

SYN-bit ♦♦
accept rate: 20%
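As an added example (not part of the question or of SYN-bit's answer), a small Python heuristic for the point the answer makes: DNS over TCP has fixed framing, so a TCP/53 stream whose payload does not parse as DNS messages but is almost entirely printable text is worth flagging as a possible remote shell on the DNS port. The two samples are constructed, and the 0.9 printable-text ratio is an assumed threshold.

```python
import string
import struct

# Constructed samples (not captures from the page): one DNS query for
# example.com as it would appear on TCP port 53, and a command-prompt
# banner standing in for shell traffic misusing the same port.
DNS_QUERY = (
    b"\x00\x1d"                                           # 2-byte length prefix
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # 12-byte header, QDCOUNT=1
    b"\x07example\x03com\x00\x00\x01\x00\x01"             # question: example.com A IN
)
SHELL_BANNER = b"Microsoft Windows XP [Version 5.1.2600]\r\n\r\nC:\\>"
PRINTABLE = set(string.printable.encode())


def looks_like_dns_over_tcp(payload: bytes) -> bool:
    """True if the whole payload is a sequence of well-formed DNS-over-TCP
    messages (RFC 1035 4.2.2): 2-byte length prefix, 12-byte header,
    classic opcode (QUERY/IQUERY/STATUS) and a plausible question count."""
    if not payload:
        return False
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 14:
            return False
        (length,) = struct.unpack("!H", payload[pos:pos + 2])
        if length < 12 or pos + 2 + length > len(payload):
            return False
        flags, qdcount = struct.unpack("!HH", payload[pos + 4:pos + 8])
        if (flags >> 11) & 0xF > 2 or qdcount > 8:
            return False
        pos += 2 + length
    return True


def printable_ratio(payload: bytes) -> float:
    """Share of bytes that are printable ASCII; shell I/O is almost all text."""
    return sum(b in PRINTABLE for b in payload) / len(payload) if payload else 0.0


def classify_tcp53_payload(payload: bytes) -> str:
    """Label the reassembled payload of one TCP/53 stream."""
    if looks_like_dns_over_tcp(payload):
        return "dns"
    if printable_ratio(payload) >= 0.9:   # assumed threshold
        return "text"                      # shell-like traffic on the DNS port
    return "non-dns binary"
```

Feed it the reassembled payload of each TCP/53 stream (for instance exported from Wireshark's Follow TCP Stream) and review anything labelled "text".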