Firewall Wizards mailing list archives
Re: [OT] tcpdump parsing
From: Damian Gerow <damian () sentex net>
Date: Wed, 8 Oct 2003 18:32:04 -0400
Thus spake Paul Robertson (proberts () patriot net) [08/10/03 18:20]:
I've done some other digging, and have found out that about 99% of my dump is between ports 25 and 32101. Now I just have to figure out why/how people are connecting to 32101, as a full port scan of the computer has turned up nothing but the standard Windows ports listening, three different times.You might want to look at the IE bugs that have recently been exploited, assuming the machines are Win* based. Checking browser caches and histories may yield useful stuff, as will looking for mapped drive shares (most Win* worms these days will do the share thing if they can.)
Yep, all these machines /are/ win* based. And as much as I'd love to go through all their histories and caches, I just don't have that much time. Since the spamming /does/ re-occur, I've placed my bets on it being a remote trojan. I just don't know how it is activated, or used, as it doesn't seem to listen on any TCP/UDP ports. Which is why I want to limit by time and not by type of traffic -- to see if there's anything specific that goes on before the spamming starts. Thanks to
Since this has moved far and beyond the scope of the list, I'll refrain from posting anything else.No fair, we wanna know what it was!
<grin> I've gotten that impression. When I figure it out, I'll post feedback to the list. _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- [OT] tcpdump parsing Damian Gerow (Oct 08)
- Re: [OT] tcpdump parsing Devdas Bhagat (Oct 08)
- Re: [OT] tcpdump parsing Damian Gerow (Oct 08)
- Re: [OT] tcpdump parsing Paul Robertson (Oct 11)
- Spamming, 'hidden' mail server Damian Gerow (Oct 08)
- Re: Spamming, 'hidden' mail server Jeff Bollinger (Oct 15)
- Re: Spamming, 'hidden' mail server Damian Gerow (Oct 17)
- Re: [OT] tcpdump parsing Damian Gerow (Oct 11)
- Re: [OT] tcpdump parsing hermit921 (Oct 13)
- Re: [OT] tcpdump parsing Damian Gerow (Oct 08)
- Re: [OT] tcpdump parsing Devdas Bhagat (Oct 08)
- Re: [OT] tcpdump parsing Damian Gerow (Oct 08)
- <Possible follow-ups>
- RE: [OT] tcpdump parsing Austin, Greg (Oct 08)
- Mail server security (Was: Re: [OT] tcpdump parsing) Damian Gerow (Oct 11)