Firewall Wizards mailing list archives

Re: [OT] tcpdump parsing


From: Damian Gerow <damian () sentex net>
Date: Wed, 8 Oct 2003 18:32:04 -0400

Thus spake Paul Robertson (proberts () patriot net) [08/10/03 18:20]:
>> I've done some other digging, and have found out that about 99% of my dump
>> is between ports 25 and 32101.  Now I just have to figure out why/how people
>> are connecting to 32101, as a full port scan of the computer has turned up
>> nothing but the standard Windows ports listening, three different times.

> You might want to look at the IE bugs that have recently been exploited, 
> assuming the machines are Win* based.  Checking browser caches and 
> histories may yield useful stuff, as will looking for mapped drive shares 
> (most Win* worms these days will do the share thing if they can.)

Yep, all these machines /are/ win* based.  And as much as I'd love to go
through all their histories and caches, I just don't have that much time.

Since the spamming /does/ re-occur, I've placed my bets on it being a remote
trojan.  I just don't know how it is activated, or used, as it doesn't seem
to listen on any TCP/UDP ports.  Which is why I want to limit by time and
not by type of traffic -- to see if there's anything specific that goes on
before the spamming starts.

Thanks to 

>> Since this has moved far and beyond the scope of the list, I'll refrain from
>> posting anything else.

> No fair, we wanna know what it was!
> 
> <grin>

I've gotten that impression.  When I figure it out, I'll post feedback to
the list.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
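The analysis Damian describes above (a port breakdown of the dump, then a look at what the suspect host does in the minutes *before* its first outbound SMTP connection, limited by time rather than by traffic type), written out as an added Python example. This is not code from the thread or from the tcpdump project. It parses the plain-text output of `tcpdump -n -tttt` (and the older 2003-era line format without the `IP` token and `Flags [...]` brackets); the sample lines, the host address 192.168.1.50 and the 60-second window are constructed for the example.

```python
import re
from collections import Counter, namedtuple
from datetime import datetime, timedelta

# Constructed sample of `tcpdump -n -tttt` text output. These lines are made up
# for the example; they are not from the poster's capture.
SAMPLE_DUMP = """\
2003-10-08 18:10:01.000000 IP 192.168.1.50.1034 > 10.0.0.9.32101: Flags [S], seq 1, win 16384
2003-10-08 18:10:01.200000 IP 10.0.0.9.32101 > 192.168.1.50.1034: Flags [S.], seq 2, ack 2, win 5840
2003-10-08 18:10:02.000000 IP 192.168.1.50.1034 > 10.0.0.9.32101: Flags [P.], seq 1:40, ack 1, win 16384
2003-10-08 18:10:05.000000 IP 192.168.1.50.1040 > 10.0.0.9.32101: Flags [S], seq 1, win 16384
2003-10-08 18:10:30.000000 IP 192.168.1.50.1041 > 172.16.0.1.25: Flags [S], seq 1, win 16384
2003-10-08 18:10:31.000000 IP 192.168.1.50.1042 > 172.16.0.2.25: Flags [S], seq 1, win 16384
2003-10-08 18:10:32.000000 IP 192.168.1.50.1043 > 172.16.0.3.25: Flags [S], seq 1, win 16384
2003-10-08 18:11:00.000000 IP 192.168.1.50.1044 > 10.0.0.7.80: Flags [S], seq 1, win 16384
"""

Packet = namedtuple("Packet", "ts src sport dst dport syn")

# Matches the current summary line ("... IP a.b.c.d.p > w.x.y.z.q: Flags [S], ...")
# as well as the older one ("a.b.c.d.p > w.x.y.z.q: S 1:1(0) ...") without a date.
LINE_RE = re.compile(
    r"^(?:(?P<date>\d{4}-\d{2}-\d{2}) )?(?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?:IP )?(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<flags>[^\]]*)\]|(?P<oldflags>[A-Z.]+))?"
)


def parse_line(line):
    """Turn one tcpdump summary line into a Packet, or None if it is not TCP/IPv4."""
    m = LINE_RE.match(line)
    if not m:
        return None
    date = m.group("date") or "1970-01-01"  # -tttt prints a date; fall back otherwise
    ts = datetime.strptime(f"{date} {m.group('time')}", "%Y-%m-%d %H:%M:%S.%f")
    flags = m.group("flags") or m.group("oldflags") or ""
    # A bare SYN carries S and no ACK; a SYN/ACK shows as "S." or "S ... ack N".
    syn = flags.startswith("S") and "." not in flags and " ack " not in line
    return Packet(ts, m.group("src"), int(m.group("sport")),
                  m.group("dst"), int(m.group("dport")), syn)


def parse_dump(text):
    """Parse every packet line; non-matching lines (ARP, ICMP, continuation) are skipped."""
    return [p for p in map(parse_line, text.splitlines()) if p is not None]


def peer_port_breakdown(packets, host):
    """Count, for each packet touching `host`, the port at the other end of the flow.

    This reproduces the 'most of the dump is ports 25 and 32101' style of tally
    without being fooled by the host's own ephemeral ports."""
    c = Counter()
    for p in packets:
        if p.src == host:
            c[p.dport] += 1
        elif p.dst == host:
            c[p.sport] += 1
    return c


def first_smtp_syn(packets, host):
    """Timestamp of the first outbound SYN to port 25 from `host`: when the spam run starts."""
    hits = [p.ts for p in packets if p.src == host and p.dport == 25 and p.syn]
    return min(hits) if hits else None


def flows_before(packets, host, window_seconds):
    """Connections `host` opened in the window before its first SMTP SYN.

    The selection is by time only, not by port or protocol, so whatever precedes
    the spamming shows up regardless of what it looks like. Returns (ts, dst, dport)."""
    t0 = first_smtp_syn(packets, host)
    if t0 is None:
        return []
    start = t0 - timedelta(seconds=window_seconds)
    return [(p.ts, p.dst, p.dport) for p in packets
            if p.src == host and p.syn and start <= p.ts < t0]


if __name__ == "__main__":
    pkts = parse_dump(SAMPLE_DUMP)
    suspect = "192.168.1.50"  # hypothetical host under investigation
    print("peer ports:", peer_port_breakdown(pkts, suspect).most_common())
    print("first SMTP SYN:", first_smtp_syn(pkts, suspect))
    for ts, dst, dport in flows_before(pkts, suspect, 60):
        print(f"{ts}  {suspect} -> {dst}:{dport}")
```

On real data, feed it `tcpdump -n -tttt -r capture.pcap` output and widen the window until the pre-spam activity repeats across several runs; in the constructed sample the only thing the host does in the minute before it starts hitting port 25 is open two connections to a remote port 32101, which is exactly the kind of correlation the time-limited view is meant to surface.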