Hy Amos... [cut] > .. or in this case, it appears, some security penetration > testing software. Somehow installed on a users PC. > > > Here you can find trace: http://www.sendspace.com/file/ij5qpe > > > > Sorry, that seems to be a summary packet log. Just confirms Sorry, I just took over your previously suggested command (tcpdump -s0)... > that the PC and Squid are chattering away. I need it to be a > full binary packet dump. The binary bit is saved with -w to a file. > So "tcpdump -s0 -w infected-dump.cap" should grab the bit I > need to look at. > If its already cleaned up thats fine. This is just for my > interest to confirm details. Well, "cleaned" in terms of "I removed McAfee Suite", yes! :-) [cut] > Could be "McAfee Network Security Agent" doing a network-wide > scan/check? Well, maybe! But that's weird behaviour... why should my "protection suite" scan my whole subnet on port 80? Kind regards, Flavio Boniforti PIRAMIDE INFORMATICA SAGL Via Ballerini 21 6600 Locarno Switzerland Phone: +41 91 751 68 81 Fax: +41 91 751 69 14 URL: http://www.piramide.ch E-mail: flavio@xxxxxxxxxxx
