Security Incidents mailing list archives
Re: Strange activity to a laptop?
From: "Lastname, Firstname" <bparis () SORRENTOLACTALIS COM>
Date: Fri, 6 Oct 2000 08:39:18 -0400
I've found "Inzider" to be pretty accurate at determining what proggy is bound to what port...

http://ntsecurity.nu/toolbox/inzider/index.shtml

Bill Paris
Telecommunication/Network Analyst
Sorrento Lactalis Inc.
716-823-6262 x376
bparis () sorrentolactalis com
-----Original Message-----
From: LOS Ralph [mailto:rlos () ENVESTNET COM]
Sent: Thursday, October 05, 2000 11:23 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Strange activity to a laptop?
Sensitivity: Confidential

Hello everyone. (This is about as detailed as I can get without revealing too much)

We have recently had a laptop from a consultant come into our network, no antivirus software, WinNT 4.0 WS, sp4! Immediately, my firewall picks up traffic from the outbound NAT IP on their network towards this machine. Traffic looks like the snippet below. At first I thought it might be SNMP traffic somehow - but it's not. A detailed scan of the machine reveals it was listening on port 1029 (couldn't find anything open on that port). I closed and disabled service after service, until I was only left with NT's necessary functionality - and still port 1029 was open and listening. I'm totally at a loss.

<snippet below>

Does ANYONE have any GOOD tools for WinNT/Win2k to find out what port is bound to what executable/whatever?! Secondly, are there programs that will allow you to effectively 'kill' services (GUI maybe?) that NT wouldn't ordinarily allow you to see (if hidden?). Can someone provide me with some GOOD tools to start snooping around this laptop with?! I haven't been able to solve this problem - and it's generating TONS of traffic on our network (inbound) that has to be stopped by our firewall. I contacted the admin on the other side, he's clueless so I can't even get a packet dump of machines sending to this particular one (since they're behind a single IP address/NAT).
* * *big snip here* * *
Ralph M. Los
Internet Systems & Security Admin.
EnvestNet Advisory Corp.
(312) 827-3945 (direct)
(312) 296-9003 (wireless)
rlos () envestnet com
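The question in the quoted message (which executable owns a listening port such as 1029) is what Inzider answered on NT 4.0. On modern Windows the same mapping can be built from the built-in `netstat -ano` and `tasklist /FO CSV /NH` output, and the script below is an added example of doing that offline; it is not code from this thread or from the Inzider project. The netstat and tasklist text embedded in it is constructed sample data (the PID 1204 and the process name `unknown_svc.exe` are made up), chosen to include a UDP row, which has no State column, and an ESTABLISHED row, which should not be reported as a listener.

```python
import csv
import io
import re

# Constructed sample of `netstat -ano` output (not a capture from the thread).
# Note the UDP rows: they have no State column, so the PID shifts left.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING       1204
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:1054        198.51.100.7:80        ESTABLISHED     1376
  UDP    0.0.0.0:1029           *:*                                    1204
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed sample of `tasklist /FO CSV /NH` output (names and PIDs are made up).
TASKLIST_SAMPLE = '''"System","4","Services","0","236 K"
"svchost.exe","812","Services","0","9,876 K"
"unknown_svc.exe","1204","Services","0","3,412 K"
"iexplore.exe","1376","Console","1","22,100 K"
'''

# One regex for both TCP and UDP rows; the State group is optional so UDP parses.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<local>\S+)\s+"
    r"(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        # rpartition handles IPv6 literals like [::]:135 as well as IPv4.
        host, _, port = m.group("local").rpartition(":")
        rows.append({
            "proto": m.group("proto"),
            "local_host": host,
            "local_port": int(port),
            "remote": m.group("remote"),
            "state": m.group("state") or "",
            "pid": int(m.group("pid")),
        })
    return rows


def parse_tasklist(text):
    """Map PID -> image name from tasklist CSV output (memory column is quoted, so csv copes)."""
    pids = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[1].isdigit():
            continue
        pids[int(row[1])] = row[0]
    return pids


def listeners(netstat_rows):
    """TCP sockets in LISTENING state plus every bound UDP socket (UDP carries no state)."""
    return [
        r for r in netstat_rows
        if (r["proto"] == "TCP" and r["state"] == "LISTENING") or r["proto"] == "UDP"
    ]


def who_owns_port(port, netstat_rows, pid_map):
    """Return (proto, pid, image) for each listener bound to `port`, in netstat order."""
    return [
        (r["proto"], r["pid"], pid_map.get(r["pid"], "<pid not in tasklist>"))
        for r in listeners(netstat_rows)
        if r["local_port"] == port
    ]


def listener_report(netstat_text, tasklist_text):
    """Sorted (proto, port, pid, image) for every listener: a quick baseline to diff against later."""
    rows = parse_netstat(netstat_text)
    pid_map = parse_tasklist(tasklist_text)
    return sorted(
        (r["proto"], r["local_port"], r["pid"], pid_map.get(r["pid"], "<pid not in tasklist>"))
        for r in listeners(rows)
    )


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    pid_map = parse_tasklist(TASKLIST_SAMPLE)
    print("Port 1029 owners:", who_owns_port(1029, rows, pid_map))
    for entry in listener_report(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("%-4s %-6d pid=%-6d %s" % entry)
```

On a real host, capture `netstat -ano` and `tasklist /FO CSV /NH` to files from an elevated prompt and feed the file contents to `listener_report`; taking the same snapshot after each service is stopped shows whether the port's owning PID actually changed, which is the check the original poster was missing when port 1029 stayed open.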
Current thread:
- Strange activity to a laptop? LOS Ralph (Oct 05)
- Re: Strange activity to a laptop? Stefan Wagner (Oct 06)
- <Possible follow-ups>
- Re: Strange activity to a laptop? Johnson, Greg (Oct 06)
- Re: Strange activity to a laptop? Lastname, Firstname (Oct 06)
- Re: Strange activity to a laptop? Frank Knobbe (Oct 08)
- Re: Strange activity to a laptop? Jay Random (Oct 11)
- Re: Strange activity to a laptop? Stephen Quigg (Oct 12)