Firewall Wizards mailing list archives
RE: Strange outbound connections.
From: "Ben Nagy" <ben () iagu net>
Date: Wed, 27 Aug 2003 10:57:23 +0200
Well, if you really want to catch someone, then start digging out your forensics tools. Sniff these weird packets, find out what's in them. Fire up a known-good cmd.exe and dir /a for atime mtime and ctime on everything. Run fport to check processes that are holding onto unexpected ports. Then check all the event logs, and dump the registry and comb through that just in case. Eventually you might turn up something that will tell you if you're correct that the system is trojaned, and hopefully how and why.

My own recommendation is that you immediately pull out the harddrive, get a new one, and just format and rebuild the box from scratch. After that, you can look at everything readonly on the bench. You might miss some evidence (assuming you want to 'nail people down') but what you have you won't be messing with.

For extra points you can use TCT or something - although it's probably best, if you decide that you want to take legal action, to ask people that know about these things in your local legal climate.

ben
-----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf
[...]
I strongly suspect a trojan lurking in the system. Any idea(s) on how to nail down the culprit?
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
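The "run fport and look for processes holding unexpected ports" step in Ben's reply is only useful if you compare the output against a baseline of what the box is supposed to be listening on. The script below is an added example written for this archive page, not code from the original post or from the fport tool: it parses process-to-port lines in the layout fport prints (`Pid Process -> Port Proto Path`, assumed here), compares them with a baseline of expected listeners, and flags two things a triage analyst wants: ports nothing should be listening on, and a process whose name matches a system binary but whose path is outside the system directory. The sample output, the baseline and the port numbers are constructed for the example.

```python
"""Triage helper for the 'unexpected ports' step of host forensics.

Parses a process-to-port mapping (layout assumed to mirror fport's
'Pid Process -> Port Proto Path' lines), compares it with a baseline of
expected listeners, and returns findings for an analyst to review.
All sample data below is constructed, not captured from a real host.
"""
import re
from dataclasses import dataclass

# One mapping line: pid, process name, '->', port, protocol, optional path.
LINE_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<proc>\S+)\s+->\s+(?P<port>\d+)\s+"
    r"(?P<proto>TCP|UDP)\s*(?P<path>.*)$"
)


@dataclass(frozen=True)
class Listener:
    pid: int
    process: str
    port: int
    proto: str
    path: str  # empty when the tool printed no path (kernel-owned sockets)


def parse_port_map(text):
    """Return Listener records for every mapping line; banner and header lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(int(m["pid"]), m["proc"], int(m["port"]),
                                      m["proto"], m["path"].strip()))
    return listeners


# Baseline of expected listeners, (port, proto) -> process name. In practice this
# comes from a known-good build of the same image; these entries are constructed.
BASELINE = {
    (135, "TCP"): "svchost",
    (139, "TCP"): "System",
    (445, "TCP"): "System",
    (3389, "TCP"): "svchost",
}

# Directories a genuine system binary is expected to run from (assumed for the example).
SYSTEM_DIRS = ("c:\\winnt\\system32\\", "c:\\windows\\system32\\")


def triage(listeners, baseline=BASELINE):
    """Return (listener, reason) pairs worth a closer look.

    Reasons: a port with no baseline entry, the wrong process on a baseline
    port, or a process named like a system binary running outside SYSTEM_DIRS
    (the classic masquerade a trojan uses to hide in a process list).
    """
    expected_names = {name.lower() for name in baseline.values()}
    findings = []
    for lsn in listeners:
        key = (lsn.port, lsn.proto)
        if key not in baseline:
            findings.append((lsn, "port not in baseline"))
        elif baseline[key].lower() != lsn.process.lower():
            findings.append((lsn, f"expected {baseline[key]} on {lsn.proto}/{lsn.port}"))
        if (lsn.path and lsn.process.lower() in expected_names
                and not lsn.path.lower().startswith(SYSTEM_DIRS)):
            findings.append((lsn, "system-named process running outside system directory"))
    return findings


def suspect_pids(findings):
    """Collapse findings to the set of PIDs an analyst should examine on the bench."""
    return {lsn.pid for lsn, _ in findings}


# Constructed sample in fport's layout; not real output from any host.
SAMPLE = """FPort v2.0 - TCP/IP Process to Port Mapper (constructed sample)

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
1204  svchost        ->  3389  TCP   C:\\WINNT\\system32\\svchost.exe
1372  svchost        ->  6667  TCP   C:\\WINNT\\Temp\\svchost.exe
1372  svchost        ->  6667  UDP   C:\\WINNT\\Temp\\svchost.exe
"""

if __name__ == "__main__":
    for lsn, reason in triage(parse_port_map(SAMPLE)):
        print(f"pid {lsn.pid} {lsn.process} {lsn.proto}/{lsn.port} {lsn.path or '-'}: {reason}")
```

The findings are leads, not verdicts: the next move is exactly what the reply describes, pulling the drive and checking the flagged binary's timestamps, the event logs and the registry run keys on a read-only bench copy rather than on the live box.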
Current thread:
- Strange outbound connections. George J. Jahchan, Eng. (Aug 26)
- RE: Strange outbound connections. Ben Nagy (Aug 27)
- RE: Strange outbound connections. Tony Miedaner (Aug 28)
- RE: Strange outbound connections. Ben Nagy (Aug 27)