Security Incidents mailing list archives

Re: Virus or Hacked NEW PC?


From: Jeff Pults <j_pults () YAHOO COM>
Date: Thu, 23 Nov 2000 21:19:52 -0800

Thank you Tim!  I installed TDIMon and found the app
ssdpsrv was being accessed by two remote addresses.
After a little poking, also found an app called
BackWeb installed.  Is this a standard install on
systems with factory installed software?  The PC
vendor couldn't tell me anything (surprise ;)...

--Jeff

--- Tim Winders <twinders () SPC cc tx us> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Grab a copy of TDIMon from sysinternals
(http://www.sysinternals.com/tdimon.htm).  You can use it to view tcp and
udp services under windows.  With it running, you can telnet to each port
on the local machine and tdimon will tell you what application answers the
call.

     **********************************************
        Tim Winders, MCSE, CNE, CCNA
        Associate Dean of Information Technology
        South Plains College
        Levelland, TX  79336

        Phone:        806-894-9611 x 2369
        FAX:  806-894-1549
        Email:        TWinders () SPC cc tx us
     **********************************************


On Wed, 22 Nov 2000, Jeff Pults wrote:

I just purchased a new HP PC and it starts up
listening on port 5000 tcp and udp port 1900 even
after completely reloading from the recovery CDs.
HP tech support said to contact my internet provider
since I have a dsl connection. They could not give
me any explanation as to why these ports were open
even when installed and not connected to the
internet. Once I did discover this I installed an
IDS and immediately started getting udp port probes
from a specific address. Any ideas or suggestions
would be appreciated. Once connected to the internet
here is a netstat -an:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5017           0.0.0.0:0              LISTENING
  TCP    192.168.1.100:139      0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1364           *:*
  UDP    127.0.0.1:1376         *:*
  UDP    192.168.1.100:1900     *:*
  UDP    192.168.1.100:137      *:*
  UDP    192.168.1.100:138      *:*


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (OSF1)
Comment: Made with pgp4pine 1.75-6


iEYEARECAAYFAjoduPYACgkQTPuHnIooYbyCuwCgxMKRmulEdjQoHA7jbffaDR4X
bG4AoIsNeH08Tle/H6WWunEYKOqvCq3j
=Wreu
-----END PGP SIGNATURE-----
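Tim's TDIMon advice answers "which application owns this port?". The step before that, which Jeff did by eye, is deciding which lines of a `netstat -an` listing deserve a look at all. The script below is an added example, not code from either poster: it parses the listing exactly as it arrived in the mail (with the State column wrapped onto its own line), keeps only sockets that can accept traffic, drops loopback-only binds, and reports everything not on an expected-ports baseline, noting whether the socket is bound to all interfaces. The sample input is the listing quoted in the thread; the baseline (NetBIOS ports expected on a home LAN) and the port annotations are assumptions for the example, apart from ssdpsrv on 1900/5000, which is what Jeff found.

```python
"""Triage a `netstat -an` listing: which listening sockets need explaining?"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the netstat -an output quoted in the thread, including the
# "State" column that the mail client wrapped onto a separate line.
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address
    State
  TCP    0.0.0.0:5000           0.0.0.0:0
    LISTENING
  TCP    0.0.0.0:5017           0.0.0.0:0
    LISTENING
  TCP    192.168.1.100:139      0.0.0.0:0
    LISTENING
  UDP    0.0.0.0:1364           *:*
  UDP    127.0.0.1:1376         *:*
  UDP    192.168.1.100:1900     *:*
  UDP    192.168.1.100:137      *:*
  UDP    192.168.1.100:138      *:*
"""

# Annotations for well-known ports (assumed for this example). 1900/udp and
# 5000/tcp are the SSDP/UPnP pair; the thread identifies ssdpsrv behind them.
KNOWN_PORTS: Dict[Tuple[str, int], str] = {
    ("UDP", 1900): "SSDP discovery (UPnP) - ssdpsrv",
    ("TCP", 5000): "UPnP device host - ssdpsrv",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram",
    ("TCP", 139): "NetBIOS session (file sharing)",
}

# A socket row: proto, local, foreign and an optional State on the same line.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
# A wrapped State continuation such as "    LISTENING" (upper case only, so the
# header's "State" line is not mistaken for one).
_STATE = re.compile(r"^\s*([A-Z_]+)\s*$")


def parse_netstat(text: str) -> List[Dict]:
    """Return one dict per socket row, re-attaching a wrapped State column."""
    sockets: List[Dict] = []
    last: Optional[Dict] = None
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            host, port = local.rsplit(":", 1)
            last = {"proto": proto, "local_host": host, "local_port": int(port),
                    "foreign": foreign, "state": state}
            sockets.append(last)
            continue
        s = _STATE.match(line)
        if s and last is not None and last["state"] is None:
            last["state"] = s.group(1)  # continuation of the previous row
    return sockets


def listening_sockets(sockets: List[Dict]) -> List[Dict]:
    """UDP sockets always accept datagrams; TCP ones only in LISTENING state."""
    return [s for s in sockets if s["proto"] == "UDP" or s["state"] == "LISTENING"]


def triage(sockets: List[Dict], baseline: Set[Tuple[str, int]]) -> List[Dict]:
    """Report listeners that are reachable from the network and not in `baseline`.

    `baseline` holds (proto, port) pairs the host is expected to expose.
    Loopback-only binds are skipped: they cannot be reached from the LAN.
    """
    findings = []
    for s in listening_sockets(sockets):
        key = (s["proto"], s["local_port"])
        if key in baseline or s["local_host"] == "127.0.0.1":
            continue
        findings.append({
            "proto": s["proto"],
            "port": s["local_port"],
            "bound_to": s["local_host"],
            "all_interfaces": s["local_host"] == "0.0.0.0",
            "service": KNOWN_PORTS.get(key, "unknown - identify the owning process"),
        })
    return findings


if __name__ == "__main__":
    # Assumed baseline for a home LAN: NetBIOS file sharing is expected.
    expected = {("TCP", 139), ("UDP", 137), ("UDP", 138)}
    for f in triage(parse_netstat(SAMPLE_NETSTAT), expected):
        scope = "ALL INTERFACES" if f["all_interfaces"] else f["bound_to"]
        print(f"{f['proto']:3} {f['port']:5}  {scope:15}  {f['service']}")
```

Run on the thread's listing it reports 5000/tcp and 5017/tcp bound to every interface, 1364/udp likewise, and 1900/udp on the LAN address, which is the list Jeff then took to TDIMon. On a current Windows host the same triage can skip the parsing step: `netstat -ano` already prints the owning PID per socket.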
