My pfSense firewall with Snort IDS/IPS detected ZeroAccess Windows trojan, Denial of Service (DOS) attacks and 10,655 portscan attempts
Subject: My pfSense firewall with Snort IDS/IPS detected ZeroAccess Windows trojan, Denial of Service (DOS) attacks and 10,655 portscan attempts
Good day from Singapore,
My name is Turritopsis Dohrnii Teo En Ming. My pfSense firewall with Snort IDS/IPS detected ZeroAccess Windows trojan, Denial of Service (DOS) attacks and 10,655 portscan attempts, as of 20 June 2020 Saturday. This shows that I have configured my pfSense firewall with Snort IDS/IPS correctly on 4th April 2020. I am technically competent as an IT consultant in Singapore.
-----Begin Snort IDS/IPS alerts for ZeroAccess Windows trojan-----
04/09/20-21:32:56.340705 ,1,31136,2,"MALWARE-CNC Win.Trojan.ZeroAccess inbound connection",UDP,66.240.205.34,1066,Teo En Ming's FW IP,16464,58659,A Network Trojan was Detected,1
04/22/20-18:27:37.305284 ,1,31136,2,"MALWARE-CNC Win.Trojan.ZeroAccess inbound connection",UDP,66.240.205.34,1066,Teo En Ming's FW IP,16464,25459,A Network Trojan was Detected,1
05/05/20-15:51:17.616097 ,1,31136,2,"MALWARE-CNC Win.Trojan.ZeroAccess inbound connection",UDP,66.240.205.34,1066,Teo En Ming's FW IP,16464,20882,A Network Trojan was Detected,1
05/13/20-01:20:57.140589 ,1,31136,2,"MALWARE-CNC Win.Trojan.ZeroAccess inbound connection",UDP,66.240.205.34,1066,Teo En Ming's FW IP,16464,58348,A Network Trojan was Detected,1
05/14/20-10:52:53.535934 ,105,2,2,"(spo_bo) Back Orifice Client Traffic detected",UDP,27.115.124.10,56520,Teo En Ming's FW IP,443,6140,A Network Trojan was Detected,1
05/25/20-23:01:33.410789 ,1,31136,2,"MALWARE-CNC Win.Trojan.ZeroAccess inbound connection",UDP,66.240.205.34,1066,Teo En Ming's FW IP,16464,10287,A Network Trojan was Detected,1
06/08/20-01:34:59.415253 ,1,31136,2,"MALWARE-CNC Win.Trojan.ZeroAccess inbound connection",UDP,66.240.205.34,1066,Teo En Ming's FW IP,16464,13168,A Network Trojan was Detected,1
06/20/20-22:33:10.428992 ,1,31136,2,"MALWARE-CNC Win.Trojan.ZeroAccess inbound connection",UDP,66.240.205.34,1066,Teo En Ming's FW IP,16464,46494,A Network Trojan was Detected,1
-----End Snort IDS/IPS alerts for ZeroAccess Windows trojan-----
-----Begin Snort IDS/IPS alerts for Denial of Service (DOS) Attacks-----
04/06/20-05:56:34.240421 ,1,2016016,8,"ET DOS DNS Amplification Attack Inbound",UDP,83.97.20.160,20875,Teo En Ming's FW IP,53,36253,Potentially Bad Traffic,2
04/06/20-17:12:32.590195 ,1,2016016,8,"ET DOS DNS Amplification Attack Inbound",UDP,83.97.20.160,41932,Teo En Ming's FW IP,53,44144,Potentially Bad Traffic,2
04/08/20-05:22:11.058364 ,1,2016016,8,"ET DOS DNS Amplification Attack Inbound",UDP,83.97.20.160,42863,Teo En Ming's FW IP,53,2531,Potentially Bad Traffic,2
04/10/20-05:42:14.897402 ,1,2016016,8,"ET DOS DNS Amplification Attack Inbound",UDP,83.97.20.160,27564,Teo En Ming's FW IP,53,30591,Potentially Bad Traffic,2
04/21/20-04:14:54.189215 ,1,2017919,2,"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03",UDP,14.135.120.21,56257,Teo En Ming's FW IP,123,37823,Attempted Denial of Service,2
04/21/20-05:48:02.695446 ,1,2016016,8,"ET DOS DNS Amplification Attack Inbound",UDP,83.97.20.160,36181,Teo En Ming's FW IP,53,29745,Potentially Bad Traffic,2
04/22/20-18:07:58.264778 ,1,2016016,8,"ET DOS DNS Amplification Attack Inbound",UDP,83.97.20.160,35118,Teo En Ming's FW IP,53,9544,Potentially Bad Traffic,2
04/24/20-05:48:19.032064 ,1,2016016,8,"ET DOS DNS Amplification Attack Inbound",UDP,83.97.20.160,48012,Teo En Ming's FW IP,53,9415,Potentially Bad Traffic,2
04/24/20-06:06:24.922151 ,1,2017919,2,"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03",UDP,80.82.78.104,34420,Teo En Ming's FW IP,123,56898,Attempted Denial of Service,2
04/25/20-10:05:23.410940 ,1,2017919,2,"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03",UDP,129.250.206.86,21545,Teo En Ming's FW IP,123,57159,Attempted Denial of Service,2
04/26/20-05:40:30.544006 ,1,2016016,8,"ET DOS DNS Amplification Attack Inbound",UDP,83.97.20.160,26265,Teo En Ming's FW IP,53,34316,Potentially Bad Traffic,2
04/30/20-18:06:03.311834 ,1,2016016,8,"ET DOS DNS Amplification Attack Inbound",UDP,83.97.20.160,41565,Teo En Ming's FW IP,53,5460,Potentially Bad Traffic,2
05/01/20-17:39:39.898804 ,1,2016016,8,"ET DOS DNS Amplification Attack Inbound",UDP,83.97.20.160,17893,Teo En Ming's FW IP,53,6908,Potentially Bad Traffic,2
05/01/20-17:51:56.875582 ,1,2016016,8,"ET DOS DNS Amplification Attack Inbound",UDP,83.97.20.160,17897,Teo En Ming's FW IP,53,36034,Potentially Bad Traffic,2
05/03/20-05:51:03.933207 ,1,2016016,8,"ET DOS DNS Amplification Attack Inbound",UDP,83.97.20.160,30724,Teo En Ming's FW IP,53,4015,Potentially Bad Traffic,2
05/03/20-05:57:12.706098 ,1,2016016,8,"ET DOS DNS Amplification Attack Inbound",UDP,83.97.20.160,30752,Teo En Ming's FW IP,53,49354,Potentially Bad Traffic,2
05/03/20-17:46:34.202174 ,1,2016016,8,"ET DOS DNS Amplification Attack Inbound",UDP,83.97.20.160,33825,Teo En Ming's FW IP,53,52827,Potentially Bad Traffic,2
05/04/20-22:35:30.233085 ,1,2017919,2,"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03",UDP,45.95.168.212,44120,Teo En Ming's FW IP,123,54321,Attempted Denial of Service,2
05/09/20-15:35:29.970253 ,1,2017919,2,"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03",UDP,184.105.139.74,44485,Teo En Ming's FW IP,123,15020,Attempted Denial of Service,2
05/13/20-05:07:36.972187 ,1,2017919,2,"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03",UDP,213.226.119.124,23352,49.245.7.143,123,23732,Attempted Denial of Service,2
05/13/20-05:20:18.878985 ,1,2016016,8,"ET DOS DNS Amplification Attack Inbound",UDP,83.97.20.160,29050,Teo En Ming's FW IP,53,42884,Potentially Bad Traffic,2
05/14/20-03:08:44.122026 ,1,2017919,2,"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03",UDP,89.223.121.232,44507,Teo En Ming's FW IP,123,54321,Attempted Denial of Service,2
05/14/20-16:46:17.255579 ,1,2017919,2,"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03",UDP,209.141.52.24,37406,Teo En Ming's FW IP,123,54321,Attempted Denial of Service,2
05/15/20-17:13:15.778373 ,1,2016016,8,"ET DOS DNS Amplification Attack Inbound",UDP,83.97.20.160,12867,Teo En Ming's FW IP,53,35489,Potentially Bad Traffic,2
05/19/20-03:05:35.345304 ,1,2017919,2,"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03",UDP,2.217.205.185,34184,27.104.132.79,123,24409,Attempted Denial of Service,2
05/19/20-12:51:45.075673 ,1,2019102,1,"ET DOS Possible SSDP Amplification Scan in Progress",UDP,61.135.185.172,12000,Teo En Ming's FW IP,1900,54321,Attempted Denial of Service,2
05/19/20-16:00:45.325282 ,1,2017918,2,"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02",UDP,95.171.123.34,12002,Teo En Ming's FW IP,123,54321,Attempted Denial of Service,2
05/20/20-12:15:18.179209 ,1,2017919,2,"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03",UDP,194.180.224.123,44439,Teo En Ming's FW IP,123,54321,Attempted Denial of Service,2
05/20/20-13:32:02.195424 ,1,2017919,2,"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03",UDP,185.172.111.199,60321,Teo En Ming's FW IP,123,14999,Attempted Denial of Service,2
05/24/20-15:42:06.804053 ,1,2017919,2,"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03",UDP,194.180.224.60,54713,180.129.38.146,123,54321,Attempted Denial of Service,2
05/25/20-15:55:17.324923 ,1,2019102,1,"ET DOS Possible SSDP Amplification Scan in Progress",UDP,94.171.123.79,12000,Teo En Ming's FW IP,1900,54321,Attempted Denial of Service,2
06/04/20-06:11:43.705883 ,1,2016016,8,"ET DOS DNS Amplification Attack Inbound",UDP,83.97.20.160,46912,Teo En Ming's FW IP,53,35614,Potentially Bad Traffic,2
06/05/20-17:56:21.603562 ,1,2016016,8,"ET DOS DNS Amplification Attack Inbound",UDP,83.97.20.160,33436,Teo En Ming's FW IP,53,59981,Potentially Bad Traffic,2
06/06/20-10:10:39.151249 ,1,2017919,2,"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03",UDP,45.148.10.198,57080,Teo En Ming's FW IP,123,54321,Attempted Denial of Service,2
06/08/20-13:30:37.849600 ,1,2019102,1,"ET DOS Possible SSDP Amplification Scan in Progress",UDP,180.101.49.42,12000,Teo En Ming's FW IP,1900,54321,Attempted Denial of Service,2
06/09/20-15:09:55.014823 ,1,2017919,2,"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03",UDP,184.105.139.122,19424,Teo En Ming's FW IP,123,22437,Attempted Denial of Service,2
06/09/20-15:46:01.510345 ,1,2017918,2,"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02",UDP,180.101.49.42,12012,Teo En Ming's FW IP,123,54321,Attempted Denial of Service,2
06/12/20-17:22:33.122843 ,1,2016016,8,"ET DOS DNS Amplification Attack Inbound",UDP,83.97.20.160,32862,Teo En Ming's FW IP,53,65259,Potentially Bad Traffic,2
06/14/20-14:37:08.903800 ,1,2017919,2,"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03",UDP,191.101.22.140,44266,Teo En Ming's FW IP,123,54321,Attempted Denial of Service,2
06/14/20-17:20:15.389095 ,1,2016016,8,"ET DOS DNS Amplification Attack Inbound",UDP,83.97.20.160,20113,Teo En Ming's FW IP,53,37309,Potentially Bad Traffic,2
06/15/20-06:02:36.640550 ,1,2017919,2,"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03",UDP,23.111.115.196,44547,Teo En Ming's FW IP,123,18144,Attempted Denial of Service,2
06/15/20-07:00:51.630819 ,1,2017919,2,"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03",UDP,172.255.251.212,41857,Teo En Ming's FW IP,123,1585,Attempted Denial of Service,2
06/15/20-07:36:30.209861 ,1,2017919,2,"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03",UDP,23.111.115.196,38551,Teo En Ming's FW IP,123,19513,Attempted Denial of Service,2
06/20/20-12:01:06.013503 ,1,2017919,2,"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03",UDP,185.232.15.26,33203,27.104.251.240,123,0,Attempted Denial of Service,2
06/20/20-14:36:49.331358 ,1,2017919,2,"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03",UDP,181.214.91.29,35428,Teo En Ming's FW IP,123,54321,Attempted Denial of Service,2
-----End Snort IDS/IPS alerts for Denial of Service (DOS) Attacks-----
My question is: Did ZeroAccess Windows trojan successfully infect my Microsoft Windows machines? Since the ZeroAccess malware is also a rootkit, would normal anti-virus scanners installed inside Windows be able to detect the botnet? Would it be more reliable to detect ZeroAccess rootkit using a bootable anti-virus CD?
I will ask questions on Denial of Service (DOS) attacks and portscan attempts in the future. My current priority is scanning for ZeroAccess trojans on my Windows machines.
Wikipedia article on ZeroAccess Windows trojan:
https://en.wikipedia.org/wiki/ZeroAccess_botnet
Thank you very much.
REFERENCES
==========
[1] https://lists.snort.org/pipermail/snort-users/2020-June/073750.html
[2] https://marc.info/?l=snort-users&m=159266844227878&w=2
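A triage step worth doing before scanning any machine is to read the alert lines for direction: every ZeroAccess alert quoted above has the firewall's WAN address as destination and the same external source (66.240.205.34 on UDP 16464), which is traffic arriving at the edge, whereas an infected LAN host would show up as the source of alerts. The script below is an added example, not code from the post or from the Snort or pfSense projects; it parses the pfSense Snort alert CSV layout seen in the post (timestamp, gid, sid, rev, msg, proto, src, sport, dst, dport, IP id, classification, priority), classifies each alert by direction, and lists LAN hosts that originated trojan-class alerts. The sample log embeds the post's ZeroAccess block with the redacted address replaced by the placeholder FW_WAN_IP, plus one constructed LAN-originated line (local-rule SID range, private source address) to show how such a hit would be classified; the RFC 1918 LAN ranges are an assumption.

```python
"""Triage helper for pfSense Snort alert CSV exports (added example, not from the post)."""
import csv
import ipaddress
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Placeholder for the firewall's WAN address, which the post redacts.
FW_WAN_IP = "FW_WAN_IP"

# Assumed LAN-side private ranges (RFC 1918).
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Lines from the post (dst replaced by the placeholder) plus one constructed
# LAN-originated line at the end, using a local-rule SID so it cannot be
# mistaken for a real vendor signature.
SAMPLE_LOG = """\
04/09/20-21:32:56.340705 ,1,31136,2,"MALWARE-CNC Win.Trojan.ZeroAccess inbound connection",UDP,66.240.205.34,1066,FW_WAN_IP,16464,58659,A Network Trojan was Detected,1
04/22/20-18:27:37.305284 ,1,31136,2,"MALWARE-CNC Win.Trojan.ZeroAccess inbound connection",UDP,66.240.205.34,1066,FW_WAN_IP,16464,25459,A Network Trojan was Detected,1
05/05/20-15:51:17.616097 ,1,31136,2,"MALWARE-CNC Win.Trojan.ZeroAccess inbound connection",UDP,66.240.205.34,1066,FW_WAN_IP,16464,20882,A Network Trojan was Detected,1
05/13/20-01:20:57.140589 ,1,31136,2,"MALWARE-CNC Win.Trojan.ZeroAccess inbound connection",UDP,66.240.205.34,1066,FW_WAN_IP,16464,58348,A Network Trojan was Detected,1
05/14/20-10:52:53.535934 ,105,2,2,"(spo_bo) Back Orifice Client Traffic detected",UDP,27.115.124.10,56520,FW_WAN_IP,443,6140,A Network Trojan was Detected,1
05/25/20-23:01:33.410789 ,1,31136,2,"MALWARE-CNC Win.Trojan.ZeroAccess inbound connection",UDP,66.240.205.34,1066,FW_WAN_IP,16464,10287,A Network Trojan was Detected,1
06/08/20-01:34:59.415253 ,1,31136,2,"MALWARE-CNC Win.Trojan.ZeroAccess inbound connection",UDP,66.240.205.34,1066,FW_WAN_IP,16464,13168,A Network Trojan was Detected,1
06/20/20-22:33:10.428992 ,1,31136,2,"MALWARE-CNC Win.Trojan.ZeroAccess inbound connection",UDP,66.240.205.34,1066,FW_WAN_IP,16464,46494,A Network Trojan was Detected,1
06/21/20-09:15:00.000000 ,1,1000001,1,"LOCAL constructed trojan beacon (example only)",UDP,192.168.1.50,50000,203.0.113.7,16464,4242,A Network Trojan was Detected,1
"""


@dataclass(frozen=True)
class Alert:
    ts: datetime
    gid: int
    sid: int
    rev: int
    msg: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    classification: str
    priority: int


def parse_alert_line(line: str) -> Alert:
    """Parse one export line; the timestamp field carries a trailing space, so strip every field."""
    fields = [f.strip() for f in next(csv.reader([line]))]
    if len(fields) != 13:
        raise ValueError(f"expected 13 fields, got {len(fields)}: {line!r}")
    return Alert(
        ts=datetime.strptime(fields[0], "%m/%d/%y-%H:%M:%S.%f"),
        gid=int(fields[1]), sid=int(fields[2]), rev=int(fields[3]),
        msg=fields[4], proto=fields[5],
        src=fields[6], sport=int(fields[7]),
        dst=fields[8], dport=int(fields[9]),
        # fields[10] is the IP identification value; not needed for triage
        classification=fields[11], priority=int(fields[12]),
    )


def parse_alert_log(text: str) -> list:
    return [parse_alert_line(l) for l in text.splitlines() if l.strip()]


def is_lan(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # placeholder or hostname: not a LAN address
        return False
    return any(ip in net for net in LAN_NETS)


def direction(a: Alert) -> str:
    """Where the flow originated relative to the firewall."""
    if a.dst == FW_WAN_IP:
        return "inbound-to-firewall"  # reached the WAN edge only
    src_lan, dst_lan = is_lan(a.src), is_lan(a.dst)
    if src_lan and not dst_lan:
        return "outbound-from-lan"
    if dst_lan and not src_lan:
        return "inbound-to-lan"
    return "other"


def summarize(alerts) -> dict:
    return {
        "by_signature": Counter((a.gid, a.sid, a.msg) for a in alerts),
        "by_source": Counter(a.src for a in alerts),
        "by_direction": Counter(direction(a) for a in alerts),
    }


def hosts_to_scan(alerts) -> list:
    """LAN hosts that originated a trojan-class alert: candidates for an offline AV scan."""
    return sorted({a.src for a in alerts
                   if direction(a) == "outbound-from-lan" and "Trojan" in a.classification})


if __name__ == "__main__":
    alerts = parse_alert_log(SAMPLE_LOG)
    for name, counter in summarize(alerts).items():
        print(name, dict(counter))
    print("hosts to scan:", hosts_to_scan(alerts))
```

Run on the sample, the eight lines from the post all classify as inbound-to-firewall from external sources, so on this evidence alone there is no LAN host to scan; only the constructed line yields 192.168.1.50. The same direction check, applied to the full pfSense export, is what separates "the edge is being probed" from "a machine behind the firewall is talking out".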