Security Incidents mailing list archives
Re: Virus or Hacked NEW PC?
From: Jeff Pults <j_pults () YAHOO COM>
Date: Thu, 23 Nov 2000 21:19:52 -0800
Thank you Tim! I installed TDIMon and found the app ssdpsrv was being accessed by two remote addresses. After a little poking, also found an app called BackWeb installed. Is this a standard install on systems with factory installed software? The PC vendor couldn't tell me anything (surprise ;)...

--Jeff

--- Tim Winders <twinders () SPC cc tx us> wrote:
Grab a copy of TDIMon from sysinternals (http://www.sysinternals.com/tdimon.htm). You can use it to view tcp and udp services under windows. With it running, you can telnet to each port on the local machine and tdimon will tell you what application answers the call.

**********************************************
Tim Winders, MCSE, CNE, CCNA
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336
Phone: 806-894-9611 x 2369
FAX: 806-894-1549
Email: TWinders () SPC cc tx us
**********************************************

On Wed, 22 Nov 2000, Jeff Pults wrote:

I just purchased a new HP PC and it starts up listening on port 5000 tcp and udp port 1900 even after completely reloading from the recovery CDs. HP tech support said to contact my internet provider since I have a dsl connection. They could not give me any explanation as to why these ports were open even when installed and not connected to the internet. Once I did discover this I installed an IDS and immediately started getting udp port probes from a specific address. Any ideas or suggestions would be appreciated. Once connected to the internet here is a netstat -an:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5017           0.0.0.0:0              LISTENING
  TCP    192.168.1.100:139      0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1364           *:*
  UDP    127.0.0.1:1376         *:*
  UDP    192.168.1.100:1900     *:*
  UDP    192.168.1.100:137      *:*
  UDP    192.168.1.100:138      *:*
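Added example, not code from either poster: it parses `netstat -an` output like the listing quoted in the message above, drops the ports in a baseline, and ranks the remaining listeners by how widely they are bound, giving the list of ports to trace to an owning application with a tool such as TDIMon. The baseline (NetBIOS 137-139) and all function names are assumptions of this example.

```python
import ipaddress

# netstat -an listing as posted in the thread (column spacing reconstructed)
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5017           0.0.0.0:0              LISTENING
  TCP    192.168.1.100:139      0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1364           *:*
  UDP    127.0.0.1:1376         *:*
  UDP    192.168.1.100:1900     *:*
  UDP    192.168.1.100:137      *:*
  UDP    192.168.1.100:138      *:*
"""

# Assumed baseline for this example: NetBIOS ports expected on a Windows LAN host.
BASELINE = {("TCP", 139), ("UDP", 137), ("UDP", 138)}

def parse_listeners(text):
    """Yield (proto, address, port) for listening TCP and bound UDP sockets."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = fields[0], fields[1]
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue  # an active connection, not a listener
        addr, _, port = local.rpartition(":")
        yield proto, addr.strip("[]"), int(port)  # brackets appear on IPv6 binds

def scope(addr):
    """Classify which peers can reach a socket bound to addr."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "all-interfaces"
    return "loopback-only" if ip.is_loopback else "single-interface"

def unexplained(text, baseline=BASELINE):
    """Listeners missing from the baseline, widest exposure first."""
    order = {"all-interfaces": 0, "single-interface": 1, "loopback-only": 2}
    found = [(p, port, scope(a)) for p, a, port in parse_listeners(text)
             if (p, port) not in baseline]
    return sorted(found, key=lambda f: (order[f[2]], f[0], f[1]))

if __name__ == "__main__":
    for proto, port, reach in unexplained(SAMPLE):
        print(f"{proto:3} {port:5}  {reach}")
```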
Current thread:
- Virus or Hacked NEW PC? Jeff Pults (Nov 24)
- <Possible follow-ups>
- Re: Virus or Hacked NEW PC? Jeff Pults (Nov 28)
- Re: Virus or Hacked NEW PC? Tim Winders (Nov 30)