Security Incidents mailing list archives

Re: strange windows behaviour.


From: H Carvey <keydet89 () yahoo com>
Date: 8 Oct 2003 13:52:58 -0000

In-Reply-To: <1065470713.644.51.camel@localhost>

Peter,

Maybe we can figure this out if we look at it from another perspective...

I've been trying to find information on this, but the most I've been
able to come up with is an advisory from Symantec's threat management
system saying Mprox (some sort of MS proxy) is to blame.  None of the
machines I've gone and examined have had this program running or on the
system anywhere for that matter.

You've said that you've gone and looked at some of the machines...what did you find?  I know you didn't find the proxy 
stuff you were looking for...but what *did* you find?  The traffic has to be coming from somewhere, right?  One would 
think that there would have to be a process of some kind generating the traffic.

What is the OS of the clients you're dealing with?  What is your IR (or as you mentioned, forensics) methodology?  What 
data are you collecting, and how are you collecting it?  Do you have any process information that others can view...or 
the output of process-to-port mapping tools?

Sometimes, asking if anyone else has seen this sort of thing can be useful, but it does not replace good IR and 
troubleshooting skills.  

Harlan
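Added example, not part of Harlan's post or the original thread: the kind of process-to-port mapping output the reply asks for, produced on a Windows host with PowerShell. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated prompt so every owning PID resolves; on older hosts `netstat -ano` plus `tasklist` gives the same PID-to-port correlation by hand.

```powershell
# Added example (not from the original post): list listening and established
# TCP endpoints with the process that owns each socket, so a reviewer can see
# which executable is generating the traffic rather than only the port.
# Assumes Get-NetTCPConnection is available (Windows 8 / Server 2012+) and
# that the shell is elevated; unprivileged runs leave some PIDs unresolved.
Get-NetTCPConnection |
    Where-Object { $_.State -in 'Listen', 'Established' } |
    ForEach-Object {
        # Resolve the owning process; a PID that has already exited or that
        # the caller cannot query yields $null, which is itself worth noting.
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = $_.State
            PID     = $_.OwningProcess
            Process = if ($proc) { $proc.ProcessName } else { '<unresolved>' }
            Path    = if ($proc) { $proc.Path } else { $null }
        }
    } |
    Sort-Object Process, Local |
    Format-Table -AutoSize
```

For triage, pipe the same objects to `Export-Csv` instead of `Format-Table` so the snapshot can be shared with others and compared against a known-good host; an established connection owned by `<unresolved>` or by a binary with an unexpected `Path` is the line to follow up on.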
