Security Basics mailing list archives
Re: Re[2]: Finding which programme started an outgoing connection
From: Nikhil Manampady <nikhil.manampady () paladion net>
Date: Fri, 11 Feb 2011 14:25:11 +0530
Hi Adam,

If you check the properties of the started services like BITS (Background Intelligent Transfer Service), COM+ Event System, Computer Browser, etc., you will see all those services are using svchost.exe, so we cannot confirm that the svchost file is infected if there are multiple instances of it running. I am not sure if Windows will allow any of its files to be modified while it's using those files, but a virus and spyware scan of the entire C: drive should help to clean any virus or malware.

Thanks & Regards,
Nikhil Manampady,
Security Consultant,
Paladion Networks.

On Fri, Feb 11, 2011 at 1:55 PM, Adam Pal <pal_adam () gmx net> wrote:

Hello Nikhil,

There is malware which hides from those 2 points. Take for instance svchost.exe: this process runs in more than 1 instance while it is present neither in HKLM nor in services. Or what if malware injects explorer.exe or services.exe (which are common targets), or a .dll they are linking? Simple malware still uses HKLM or services, but lately I haven't seen any. If the system is not rootkited then whatsrunning was a great help to me to identify such processes; if it's rootkited I doubt there is any possibility to find that out...

--
Best regards,
Adam Pal

Wednesday, February 9, 2011, 5:32:57 AM, you wrote:

<==============Original message text===============
NM> Hi Tyler,
NM> Alternatively you can check in the registry whether any program is
NM> configured to load at startup and connect to that particular IP.
NM> In Windows XP, it was
NM> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. On
NM> the right you will see programs which will be loaded at startup. You
NM> would probably need to check the same in Win 7.
NM> Alternatively check in services.msc whether there are any programs
NM> which are running which are not required. Maybe stopping some or one
NM> of them might solve the issue.
NM> Thanks & Regards,
NM> Nikhil Manampady,
NM> Security Consultant.
NM> On Mon, Feb 7, 2011 at 10:43 PM, Littlefield, Tyler <tyler () tysdomain com> wrote:

Have you thought of running netstat? This may be a long shot, but you could create a script that starts on startup that checks netstat, or you can start it right as you boot up yourself to see what opens that program.

On 2/5/2011 4:38 AM, Tom Causer wrote:

Hello List,

This is more of an end user question than anything else: I use ZoneAlarm on my PC, and it is alerting that something during boot up is attempting to connect (UDP) to an IP address in the Netherlands, 81.171.115.5 (it looks like some colocation service over there).
Now I would like to know how I can track back to find out what service is making that connection during boot up, but I have no idea how I would go about doing that? (Other than setting up a hub with my desktop and capturing in Wireshark, which I can do fine; it's just the analysis of the traffic to find out what's causing it, so I would rather not do that step.) Using Windows 7 OS.

Cheers,
Tom

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Thanks,
Ty

<===========End of original message text===========
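The thread weighs netstat, the Run key, services.msc and the shared svchost.exe instances Adam points out, but none of those tell you which binary made a connection that was over before you could look. The script below is an added example, not code from any poster; it assumes Windows 7 or later with PowerShell 3.0 and an elevated prompt, turns on Windows Filtering Platform connection auditing, and after a reboot reads Security event 5156, which records the process path for each permitted connection and lets a svchost.exe PID be resolved to the services it hosts. The destination address defaults to the IP from Tom's ZoneAlarm alert.

```powershell
# Added example, not from the thread. Requires Administrator and PowerShell 3.0+.
# Step 1: .\Find-BootConnection.ps1 -EnableAudit   (then reboot)
# Step 2: .\Find-BootConnection.ps1 -DestAddress 81.171.115.5
param(
    [string]$DestAddress = '81.171.115.5',   # address from Tom's ZoneAlarm alert
    [switch]$EnableAudit
)

if ($EnableAudit) {
    # Log every permitted connection as Security event 5156; the record
    # survives even if the boot-time process exits before netstat can run.
    auditpol /set /subcategory:"Filtering Platform Connection" /success:enable | Out-Null
    Write-Host 'Auditing enabled. Reboot, then rerun without -EnableAudit.'
    return
}

# Map live PIDs to the services they host so a shared svchost.exe resolves
# to its service group instead of a bare image name (the point Adam raised).
$svcByPid = @{}
Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -gt 0 } |
    ForEach-Object { $svcByPid[[int]$_.ProcessId] += @($_.Name) }

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156 } -ErrorAction Stop |
    ForEach-Object {
        # Read named EventData fields from the XML rather than trusting
        # positional Properties indices.
        $d = @{}
        foreach ($f in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        if ($d['DestAddress'] -ne $DestAddress) { return }   # 'return' here = skip to next event
        $procId = [int]$d['ProcessID']
        [pscustomobject]@{
            Time      = $_.TimeCreated
            ProcessId = $procId
            # Device path, e.g. \device\harddiskvolume2\windows\system32\svchost.exe
            Image     = $d['Application']
            Protocol  = $(if ($d['Protocol'] -eq '17') { 'UDP' } elseif ($d['Protocol'] -eq '6') { 'TCP' } else { $d['Protocol'] })
            Direction = $(if ($d['Direction'] -eq '%%14593') { 'Outbound' } else { 'Inbound' })
            DestPort  = $d['DestPort']
            # Empty when the PID has already exited; the Image column still names the binary.
            Services  = ($svcByPid[$procId] -join ', ')
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

Because 5156 is written for every allowed connection, disable the subcategory again (`/success:disable`) once the culprit is identified, or the Security log fills quickly.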
Current thread:
- Finding which programme started an outgoing connection Tom Causer (Feb 07)
- Re: Finding which programme started an outgoing connection Littlefield, Tyler (Feb 08)
- RE: Finding which programme started an outgoing connection Matthew Reed (Feb 10)
- Re: Finding which programme started an outgoing connection Nikhil Manampady (Feb 10)
- Re: Finding which programme started an outgoing connection Littlefield, Tyler (Feb 10)
- Re[2]: Finding which programme started an outgoing connection Adam Pal (Feb 11)
- Re: Re[2]: Finding which programme started an outgoing connection Nikhil Manampady (Feb 11)
- Re: Finding which programme started an outgoing connection Littlefield, Tyler (Feb 08)
- Re: Finding which programme started an outgoing connection anthony kasza (Feb 08)
- Re: Finding which programme started an outgoing connection Richard Thomas (Feb 11)
- AW: Finding which programme started an outgoing connection FH_Steini (Feb 11)
- <Possible follow-ups>
- Re: Finding which programme started an outgoing connection tomasello2000 (Feb 08)
- Re: Finding which programme started an outgoing connection scott_conklin (Feb 10)
- Re: Finding which programme started an outgoing connection mcsegold (Feb 10)