Security Incidents mailing list archives
Re: Tracking down random ICMP
From: "Bojan Zdrnja" <bojan.zdrnja () gmail com>
Date: Wed, 24 Jan 2007 14:05:55 +1300
On 1/24/07, Jose Nazario <jose () monkey org> wrote:
> On Tue, 23 Jan 2007, Valdis.Kletnieks () vt edu wrote:
> > I'm not aware of any well-known userspace API that generates ICMP, so
> > any userspace would have to be hand-crafting the packets itself. So
> > what you're looking for is a process that has a raw socket open.
>
> at least on Win32:
>
> http://msdn2.microsoft.com/en-us/library/aa366045.aspx
>
> and then something along these lines:
So, in other words, for the original poster: use ListDLLs (http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ListDlls.mspx), which will list all processes and show you the DLLs that each of them is using. Then go through that list and eliminate all processes that are not using Iphlpapi.dll. Now you will have a list of processes that need to be examined further.

This all works, of course, only if the process is not opening raw sockets but is using the DLL Jose mentioned.

Cheers,

Bojan
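The same filtering Bojan describes with ListDLLs can be done from PowerShell with Get-Process; this is an added example, not code from the thread, and it assumes a modern Windows host where the module list is readable for most processes.

```powershell
# Added example (not from the original thread): enumerate processes that have
# Iphlpapi.dll loaded, i.e. the candidate list Bojan builds with ListDLLs.
# Run from a native (64-bit on 64-bit Windows) elevated PowerShell so that
# modules of 64-bit and other-session processes can be enumerated.

function Get-IphlpapiUsers {
    Get-Process | ForEach-Object {
        $proc = $_
        $hit  = $null
        try {
            # .Modules throws for processes we cannot open (protected or
            # wrong bitness); treat those as "unknown" rather than failing.
            $hit = $proc.Modules | Where-Object { $_.ModuleName -ieq 'iphlpapi.dll' }
        } catch {
            Write-Verbose ("Cannot enumerate modules of PID {0} ({1})" -f $proc.Id, $proc.ProcessName)
        }
        if ($hit) {
            [pscustomobject]@{
                PID   = $proc.Id
                Name  = $proc.ProcessName
                Path  = $proc.Path
                # Load address of the DLL, handy when correlating with a debugger.
                Base  = ('0x{0:X}' -f $hit[0].BaseAddress.ToInt64())
            }
        }
    }
}

# Candidate list only: many legitimate processes load Iphlpapi.dll for other
# IP Helper calls, and as the thread notes, a process hand-crafting ICMP over a
# raw socket (or in a driver) will not show up here at all.
Get-IphlpapiUsers | Sort-Object Name | Format-Table -AutoSize
```

Cross-check any candidate against the timing of the unexplained ICMP (e.g. a packet capture) before drawing conclusions, since the list shows who could send ICMP via the API, not who did.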