Step one, don’t panic….

On March 28, 2006, in Security, by

So I turned on a workstation… one that hadn’t been on in a while… and kinda forgot about it… and tonight I was checking the ISA logs to see why MBSA 2.0 wasn’t scanning the network like it should (long story… still under investigation… stay tuned to the blog) and I realized that every minute or so there was this “heartbeat” in the ISA logs.


http://66.151.158.177:80/l?526=-1N8753


…what the? says I, and I start looking at the computer it’s coming from…


So visions of OH MY GAWD I HAVE A TROJAN I’M OWNED…. I’LL BE LICKING STAMPS UNTIL THE DAY I DIE INFORMING CLIENTS THAT MY NETWORK HAS BEEN OVERTAKEN BY ZOMBIES SENDING OUT PHONE HOME MESSAGES TO SOME FOREIGN COUNTRY LOCATED IN…… hang on… let me check whose IP that is…… THE TERRORIST COUNTRY OF….. hang on, lemme look this up on ARIN… THE TERRORIST COUNTRY OF… Atlanta, Georgia?


Huh? 


OrgName:    Internap Network Services
OrgID:      PNAP
Address:    250 Williams Street
Address:    Suite E100
City:       Atlanta
StateProv:  GA
PostalCode: 30303
Country:    US


Okay, so I calm down enough to realize that the ‘heartbeat’ I’m seeing is a leftover… an old install, left to expire from not being paid for but never uninstalled, of the way we remoted into one PC a few years ago…


Yup… “Gotomypc”.


While it may have been an expired account (it had a red X in the corner), it was still alive enough to send a heartbeat out to the GoToMyPC/WebEx servers.


Just an FYI… clean up those kinds of programs on your computers…
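The thing that gave this away was the regularity: the same workstation hitting the same host about once a minute. That pattern (a "beacon") is worth hunting for on purpose rather than stumbling over. The script below is an added example, not anything from the original post or from ISA Server; it reads a handful of constructed proxy log lines in an assumed "date time client-ip url" layout (ISA's real W3C export has more fields, so the parser is a placeholder), groups requests by client and destination host, and flags pairs whose inter-request gaps are nearly constant. The thresholds (`min_hits`, `max_jitter`) are assumptions to tune for your own traffic.

```python
"""Beacon detection over proxy log lines (added example, not from the post).

Flags (client, destination host) pairs that talk to the same host at a
near-constant interval, like the once-a-minute GoToMyPC heartbeat seen in
the ISA logs. The log lines and the "date time client-ip url" field layout
are constructed for this example; ISA's actual export format differs.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample log. The 10.0.0.23 entries every ~60 s mimic the
# remote-access client's heartbeat; 10.0.0.40 is ordinary, irregular browsing.
SAMPLE_LOG = """\
2006-03-28 22:00:03 10.0.0.23 http://66.151.158.177:80/l?526=-1N8753
2006-03-28 22:00:11 10.0.0.40 http://www.example.com/index.html
2006-03-28 22:01:03 10.0.0.23 http://66.151.158.177:80/l?526=-1N8753
2006-03-28 22:01:40 10.0.0.40 http://www.example.com/news.html
2006-03-28 22:02:04 10.0.0.23 http://66.151.158.177:80/l?526=-1N8753
2006-03-28 22:03:03 10.0.0.23 http://66.151.158.177:80/l?526=-1N8753
2006-03-28 22:03:55 10.0.0.40 http://www.example.com/about.html
2006-03-28 22:04:03 10.0.0.23 http://66.151.158.177:80/l?526=-1N8753
2006-03-28 22:05:03 10.0.0.23 http://66.151.158.177:80/l?526=-1N8753
2006-03-28 22:09:30 10.0.0.40 http://www.example.com/contact.html
"""


def parse_line(line):
    """Return (timestamp, client_ip, dest_host) for one assumed-format log line."""
    date, time, client, url = line.split(maxsplit=3)
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, client, urlsplit(url).hostname


def find_beacons(log_text, min_hits=5, max_jitter=0.1):
    """Group requests by (client, host) and flag the pairs that look periodic.

    A pair is reported when it has at least min_hits requests and the
    coefficient of variation (stdev / mean) of the gaps between requests is
    at or below max_jitter, i.e. the timing is too regular for a human.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, host = parse_line(line)
            hits[(client, host)].append(ts)

    findings = []
    for (client, host), times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_jitter:
            findings.append({"client": client, "host": host,
                             "hits": len(times), "period_s": round(avg, 1)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']} every ~{f['period_s']}s "
              f"({f['hits']} hits): check what is installed on that box")
```

On the sample data only the 10.0.0.23 to 66.151.158.177 pair is reported (six hits, about 60 s apart); the browsing host is dropped because its gaps are irregular and it has too few requests. Once a beacon is flagged, the next step is the one the post took: look up the destination (ARIN WHOIS for US space) and then look at what is running on the client, because an expired but still-installed remote-access agent looks exactly like a trojan's check-in from the proxy's point of view.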


Comments are closed.