re: port 5168

[Harlan Carvey <keydet89 () yahoo com>]

Duncan,

You say that the sources for these packets are all on
your internal network.  Have you considered getting a
process listing from them, as well as running fport on
them?  After all, from what you say, there are only 2
systems that are sending out this traffic.  It
shouldn't be too hard to track down.   

How about the one system that responded?  You could go
to the one that opened the DCERPC session and run
fport.  If you can't physically go to it, but you are
able to get admin access to it, use psexec.exe and
fport remotely.

On the source systems, as well as the one that
responded, it might also behoove you to collect all
installed services and drivers.  Just a thought...

Harlan

__________________________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo
http://search.yahoo.com

----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------