We were infected with the variant that uses udp 4156 Sunday night.
There was quite a bit of scanning on various ports thereafter, logged by
the firewall. There was one very odd scan that has me concerned.

The firewall logged packets going from a different server, not the
infected one, to 212.82.211.42:

Sep 23 10:57:21 sicily kernel: DROPPING int->ext: IN=eth1 OUT=eth0
SRC=x.y.z.w DST=212.82.211.42 LEN=38 TOS=0x00 PREC=0x00 TTL=22 ID=27664
PROTO=UDP SPT=1370 DPT=33501 LEN=18

There are eight of these messages with DPT proceeding sequential from
33501 to 33508, inclusive, within 30 seconds.

Questions:
Was this other host infected with something? I have searched it but
been unable to find any traces of hacking.

Assuming w.x.y.z hasn't been cracked, how did someone convince my server
to try to contact 212.82.211.42?

Any other insight or advice?

Thanks.
 -Gordon

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]