Firewall Wizards mailing list archives
Re: worm?
From: "Francois Yang" <francois.y () gmail com>
Date: Thu, 1 Feb 2007 15:55:29 -0600
You could use FakeDNS and MailPot to maybe capture what happens after the connection is created. Here is the link to the tools. I haven't used them, but I know they can be used for things like this.

http://labs.idefense.com/files/labs/releases/previews/map/

On 2/1/07, Paul D. Robertson <paul () compuwar net> wrote:
> On Thu, 1 Feb 2007, Brian Loe wrote:
>
>> One of our support technician's machines is attempting to connect to random IP addresses on port 25 - in a pretty needy fashion. He says he's scanned the box with the latest updates from McAfee and it hasn't found anything. We discovered it because one of my basic (meaning I got it off the 'Net) rules for SEC flagged it as a possible PHEL trojan. Any thoughts?
>
> See what process keeps opening sockets?
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> paul () compuwar net       which may have no basis whatsoever in fact."
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
--
If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.
Bruce Schneier
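
One way to act on the suggestion quoted in the thread ("See what process keeps opening sockets?"), added here as an example and not written by anyone in the thread: group outbound port-25 connections by owning PID and flag any process talking to several distinct SMTP peers. It assumes the suspect host is Windows and that the input has the layout of `netstat -ano` output; the sample text, the addresses, the relay allow list and the function names are all constructed for illustration.

```python
"""Added example: attribute outbound SMTP connection attempts to a PID.
Assumes Windows `netstat -ano` layout; SAMPLE is constructed, not captured."""
from collections import defaultdict

SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    10.0.0.23:1045         192.0.2.14:25          SYN_SENT        1432
  TCP    10.0.0.23:1046         198.51.100.77:25       SYN_SENT        1432
  TCP    10.0.0.23:1047         203.0.113.9:25         ESTABLISHED     1432
  TCP    10.0.0.23:1048         203.0.113.201:25       SYN_SENT        1432
  TCP    10.0.0.23:1050         10.0.0.5:25            ESTABLISHED     2210
  TCP    10.0.0.23:1051         10.0.0.5:445           ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    700
"""

def smtp_peers_by_pid(netstat_text, port=25):
    """Return {pid: set of remote IPs} for TCP connections to `port`."""
    peers = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly five fields: proto, local, remote, state, pid.
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        _, _local, remote, state, pid = fields
        if state == "LISTENING" or not pid.isdigit():
            continue
        host, _, rport = remote.rpartition(":")  # also handles [v6]:port
        if rport == str(port):
            peers[int(pid)].add(host.strip("[]"))
    return dict(peers)

def suspects(netstat_text, allowed_relays=(), min_distinct=3):
    """PIDs contacting >= min_distinct SMTP peers outside the allow list."""
    hits = {}
    for pid, hosts in smtp_peers_by_pid(netstat_text).items():
        unexpected = hosts - set(allowed_relays)
        if len(unexpected) >= min_distinct:
            hits[pid] = sorted(unexpected)
    return hits

if __name__ == "__main__":
    for pid, hosts in suspects(SAMPLE, allowed_relays={"10.0.0.5"}).items():
        print(f"PID {pid}: {len(hosts)} distinct SMTP peers: {', '.join(hosts)}")
```

A flagged PID can then be mapped to an image name with `tasklist /FI "PID eq <pid>"`. A single snapshot can miss short-lived sockets, so it helps to sample the output repeatedly.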