Re: [OT] tcpdump parsing

[hermit921 <hermit921 () yahoo com>]

I have found external scans of Windows machines to have decreasing 
usefulness.  Netstat commands on suspicious W2K systems usually show open 
ports that a complete external nmap scan does not show as open.

hermit921


At 03:29 PM 10/8/2003, Paul Robertson wrote:
> On Wed, 8 Oct 2003, Damian Gerow wrote:
>
> > I've done some other digging, and have found out that about 99% of my dump
> > is between ports 25 and 32101.  Now I just have to figure out why/how 
> people
> > are connecting to 32101, as a full port scan of the computer has turned up
> > nothing but the standard Windows ports listening, three different times.
>
> You might want to look at the IE bugs that have recently been exploited,
> assuming the machines are Win* based.  Checking browser caches and
> histories may yield useful stuff, as will looking for mapped drive shares
> (most Win* worms these days will do the share thing if they can.)
>
> > Since this has moved far and beyond the scope of the list, I'll refrain 
> from
> > posting anything else.
>
> No fair, we wanna know what it was!
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> proberts () patriot net      which may have no basis whatsoever in fact."
> probertson () trusecure com Director of Risk Assessment TruSecure Corporation
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards