Security Basics mailing list archives

RE: Port scan and scvhost overload


From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Fri, 17 Oct 2008 10:37:23 +1000

Do they have any kind of wireless security enabled(eg WPA?)

The fact that there are requests to the various ports could mean that it is an
application or that it is some kind of automated probe.

We get requests all the time from spoofed private IP's. Our firewall just
drops them and marks them as spoofed. By design, all routers etc SHOULD drop
those kinds of packets (but whether all of them definitely do, I can't say).

When you say randomly named extra networks I'll assume wireless ones. This
is probably normal; I can see four from my office and at least five at my
house.

The worrying thing is not just that the firewall picked up on the port
'probe' but that the machine 'mysteriously' shut down and has what appears to
be weird services running.

Is the machine patched? Can you run an av scan and some spyware/rootkit
scans? ComboFix is good for this kind of thing.

What should I do to pinpoint the cooperate, remove their installation if
I may call it, and keep them out for next time? Also, is there a way I
can find dump files or something of the sort that will give me a history
of what they have done while in access with the victim laptop? Perhaps I
could find records on their computer(s)?


Do you know for sure that something has been installed? Whose computer would
you try and find records on?

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of reporting4booty () gmail com
Sent: Friday, October 17, 2008 3:26 AM
To: security-basics () securityfocus com
Subject: Port scan and scvhost overload

My friend's Vista-operated laptop is receiving attempted entries to ports
in a series, starting with 4756 (at least when I was asked about the
pop-ups on their computer). Their Sunbelt firewall pops up with the IP
192.XXX.XX.01. (I am not with the computer at the moment so I do not
remember the exact IP. I have it written down in another building.) From
past experience I get the impression that all IPs with 192 in the
beginning are on your own network.

My friend has two 14 year old twins that spend all day playing XBox and
computer games. I get the impression that they were just messing with
their sibling, pestering them with a port scan for fun. However, in the
process list there are around 9 different instances of the svchost.exe
process. From what I was able to find out before the laptop mysteriously
shut down, the processes were using services such as Plug and Play and
confidential background transfer services (I am no computer guru, not yet
at least, I am not aware of the full use of Vista's services.).

The siblings all use the same wireless network (Wi-Fi processes found in
process list) in the same house with virtually almost anytime physical
access.

What should I do to pinpoint the cooperate, remove their installation if
I may call it, and keep them out for next time? Also, is there a way I
can find dump files or something of the sort that will give me a history
of what they have done while in access with the victim laptop? Perhaps I
could find records on their computer(s)?

There are multiple computers in the house that all have access to the
wireless network. 3 laptops and 1 desktop.

Also, if it means anything, while pursuing this suspicion I noticed 2
extra randomly named networks within access range.
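The two technical threads in this exchange are the sequential port probes the firewall reported and Murda's point that a 192.x source is a private (RFC 1918) address, i.e. a host on the same LAN or a spoofed packet that should have been dropped. The following Python is an added example, not code from either poster or from the Sunbelt firewall: it parses a constructed, made-up alert format, flags any source that walks consecutive destination ports, and reports whether that source address is private.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of personal-firewall block alerts (invented format, not real Sunbelt output).
SAMPLE_ALERTS = """\
2008-10-16 14:02:11 BLOCKED TCP 192.168.1.7:51022 -> 192.168.1.12:4756
2008-10-16 14:02:11 BLOCKED TCP 192.168.1.7:51023 -> 192.168.1.12:4757
2008-10-16 14:02:12 BLOCKED TCP 192.168.1.7:51024 -> 192.168.1.12:4758
2008-10-16 14:02:12 BLOCKED TCP 192.168.1.7:51025 -> 192.168.1.12:4759
2008-10-16 14:05:40 BLOCKED UDP 203.0.113.9:53 -> 192.168.1.12:1900
2008-10-16 14:06:02 BLOCKED TCP 10.0.0.5:40000 -> 192.168.1.12:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) BLOCKED (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alerts(text):
    """Yield (source_ip, destination_port) for every line matching the alert format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], int(m["dport"])

def find_port_sweeps(text, min_ports=3):
    """Return {src_ip: (first_port, last_port, is_private)} for each source that
    hit a run of at least min_ports consecutive destination ports (a sequential scan)."""
    ports_by_src = defaultdict(list)
    for src, dport in parse_alerts(text):
        ports_by_src[src].append(dport)
    sweeps = {}
    for src, ports in ports_by_src.items():
        ports = sorted(set(ports))
        run_start, run_len, best = ports[0], 1, None
        for prev, cur in zip(ports, ports[1:]):
            run_len = run_len + 1 if cur == prev + 1 else 1
            if run_len == 1:
                run_start = cur
            if run_len >= min_ports:
                best = (run_start, cur)
        if best:
            # RFC 1918 source: on the LAN itself, or spoofed to look that way
            sweeps[src] = (best[0], best[1], ipaddress.ip_address(src).is_private)
    return sweeps

if __name__ == "__main__":
    for src, (lo, hi, private) in find_port_sweeps(SAMPLE_ALERTS).items():
        print(f"{src}: ports {lo}-{hi} ({'private/LAN' if private else 'external'})")
```

Single hits on unrelated ports (the 203.0.113.9 and 10.0.0.5 lines) are not reported, which keeps ordinary background noise out of the result.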