Firewall Wizards mailing list archives
Re: OT? New compromise.
From: "J. Oquendo" <sil () infiltrated net>
Date: Wed, 28 Mar 2007 17:36:50 -0400
Stian Øvrevåge wrote:

> On Windows: c:\netstat -an |find /i "listening"
> Why download when you can use existing tools... Ever heard of rootkits?
No I haven't, can I buy this somewhere? I don't use Windows, but if I were looking for something open, why would I further taint a machine if there may be the possibility I would have to hand it off for evidence? For that matter, keep it unplugged and do nothing... Sysinternals (before MS rolled over them) had some neat tools, one of which provided the admin with the name of the program running that had said ports opened, along with the DLL file information, etc. I'm sure older forensics disks (F.I.R.E, Snarl, etc.) have the tool on them.
> And I also think that even if port so and so is listed as belonging to this and that innocent application is fairly irrelevant. I know for sure if I wrote a virus/worm (if that's what it is) like this I'd pick ports that would blend in.
That would be the correct way (blend in under ports); however, many malware, virus, scumware, whatever_you_name_it_ware that I've seen have not been so "low key" as to use actual names, instead opting for misspelled variations: SVCH0ST.exe, LSAS.exe. Not to say someone hasn't clued themselves in... W/e though...

> From what I understand a large anomaly is what made Jim do some digging; statistics is a wonderful thing, and I'm pretty certain that statistical anomalies like this are not coincidental. The anomaly itself need not be caused by any party that means harm. But the other signs (though vague) of foul play indicate, imho, that it might well be.
Personally... this is what network analyzers are for. I would have segmented this machine off to see exactly what it was doing on my network first, seen where it was connecting to, then dug into the machine with a forensic disk if it was under my control (non-ISP-based user).

-- 
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net
http://www.infiltrated.net

The happiness of society is the end of government. John Adams
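Two checks come up in this reply: tying a listening port back to the program that owns it (the Sysinternals-style view J. mentions, which stock `netstat -ano` plus `tasklist` also gives you on XP and later), and spotting the misspelled look-alikes of system process names (SVCH0ST.exe, LSAS.exe). The script below is an added example, not code from the thread or from any of the posters: it joins constructed `netstat -ano` and `tasklist` output by PID and flags image names that imitate a short, hypothetical allowlist of legitimate Windows processes by digit-for-letter swaps or a one-character edit. The sample output and the allowlist are made up for the example. As the thread itself points out, a rootkit can make both tools lie on the host, so treat this as a first triage pass to compare against what an off-host capture (the "network analyzer" step) actually sees.

```python
"""Join `netstat -ano` listeners to `tasklist` image names and flag
look-alike process names. All sample output here is constructed for the
example, not captured from a real host."""
import re

# Constructed `netstat -ano` excerpt (Windows column layout).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2244
  TCP    192.168.1.10:3389      192.168.1.55:50122     ESTABLISHED     1012
  UDP    0.0.0.0:4500           *:*                                    2244
"""

# Constructed `tasklist` excerpt (fixed-width table, as the tool prints it).
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0        236 K
svchost.exe                    880 Services                   0      8,120 K
SVCH0ST.exe                   2244 Console                    1      3,404 K
svchost.exe                   1012 Services                   0     12,004 K
LSAS.exe                      2300 Console                    1      2,100 K
"""

# Hypothetical allowlist of names a stock Windows box legitimately runs.
KNOWN_GOOD = {"system", "svchost.exe", "lsass.exe", "services.exe",
              "csrss.exe", "winlogon.exe", "explorer.exe"}

# Digit-for-letter swaps commonly used to make a name look legitimate.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def parse_netstat(text):
    """Return (proto, local_addr, pid) for every listening socket.
    UDP rows have no State column, so every UDP row counts as a listener."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, _foreign, state, pid = parts
        else:
            proto, local, _foreign, pid = parts
            state = "LISTENING"
        if state == "LISTENING":
            rows.append((proto, local, int(pid)))
    return rows


def parse_tasklist(text):
    """Return {pid: image_name} from tasklist's table; header rows don't match."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def _levenshtein(a, b):
    """Plain edit distance; names are short so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name, known=KNOWN_GOOD):
    """Return the legitimate name `name` imitates, or None if it is exact or unrelated."""
    low = name.lower()
    if low in known:
        return None
    folded = low.translate(_HOMOGLYPHS)
    for good in sorted(known):
        if folded == good or _levenshtein(low, good) <= 1:
            return good
    return None


def audit(netstat_text, tasklist_text):
    """Join each listener to its owning image and attach a look-alike verdict."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for proto, local, pid in parse_netstat(netstat_text):
        image = procs.get(pid, "<unknown pid>")
        findings.append({"proto": proto, "local": local, "pid": pid,
                         "image": image, "imitates": lookalike_of(image)})
    return findings


def suspicious(findings):
    """Listeners owned by a look-alike name or by a PID tasklist did not report."""
    return [f for f in findings if f["imitates"] or f["image"] == "<unknown pid>"]


if __name__ == "__main__":
    for f in audit(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        flag = f"  <-- imitates {f['imitates']}" if f["imitates"] else ""
        print(f"{f['proto']:<4} {f['local']:<22} pid={f['pid']:<5} {f['image']}{flag}")
```

On the constructed sample the script ties TCP 31337 and UDP 4500 to PID 2244, whose image `SVCH0ST.exe` folds to `svchost.exe`, and it would flag `LSAS.exe` as one edit away from `lsass.exe` if that process opened a port. A PID that netstat reports but tasklist does not is also surfaced, since that gap is one of the visible symptoms of a process being hidden from the host's own tools.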