Full Disclosure mailing list archives

RE: strange traffic ?


From: "Aditya, ALD [Aditya Lalit Deshmukh]" <aditya.deshmukh () online gateway technolabs net>
Date: Sat, 27 Mar 2004 10:31:43 +0530

to rutz () IT-SupportCenter com : 

the sniffer that i had was only logging the headers and not the actual data ... so i cannot help you there. i have now configured it to log all such traffic, and will come back if i manage to capture any packet data

also the jono () microshaft org netcat idea is good as suggested, but i am already using ethereal so i will be able to have exactly what we are looking for ...



and i agree with jimmy.kuijpers () swift com saying that this might be a virus like one on port 4444 from a whole list of them.

michaelx.ham () intel com, some version of W32.Blaster.Worm: ok, but since i am already patched with the 039 patch, even then there are attempts to connect to port 4444. i thought that after the 139 vector failed there would be no 4444 connect attempt...


nicola () delvacchio it: this traffic is coming from the internet and this machine is on a public internet ip, and the machine is protected by firewalls like kerio and sygate, along with netbios and other crap disconnected from the public ip


iss () uni de: this is port 139 ( confirmed again ) .... and not port 135


and the initial connect attempt on port 139 is the attack vector.
this used to occur only when i used to bring down the sygate firewall... there are other firewalls that prevent the compromise and the sniffer is capturing the data....


thanks for the answers, will get back to the list when i have any packet data captured, with other details also like the machine name / ip and period of connections and frequency.

- this raised my suspicions because of the frequency of the connect attempts on port 139 followed by multiple attempts on port 4444

thanks guys once again.

-aditya
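The pattern the post describes, a connect attempt on port 139 followed by repeated attempts on port 4444 from the same source, is the kind of thing a defender can correlate out of firewall logs. The script below is an added example (not from the post or any tool mentioned in the thread); the log format, the field layout, the time window and the sample lines are all constructed assumptions.

```python
"""Correlate per-source firewall events to flag a 139 -> 4444 sequence.
Added example; the log format and all sample values are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format: "<date> <time> <src_ip> <dst_port> <verdict>"
LINE_RE = re.compile(r"^(\S+ \S+) (\d+\.\d+\.\d+\.\d+) (\d+) (\w+)$")

# Constructed sample: one source probes 139 then hammers 4444; one source
# touches 139 once; one source only hits 4444 with no preceding 139.
SAMPLE_LOG = """\
2004-03-27 10:00:01 192.0.2.10 139 BLOCKED
2004-03-27 10:00:02 192.0.2.10 4444 BLOCKED
2004-03-27 10:00:03 192.0.2.10 4444 BLOCKED
2004-03-27 10:00:04 192.0.2.10 4444 BLOCKED
2004-03-27 10:05:00 198.51.100.7 139 BLOCKED
2004-03-27 10:30:00 203.0.113.5 4444 BLOCKED
"""

def parse(log):
    """Turn log text into (timestamp, src_ip, dst_port) tuples, skipping junk."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), int(m.group(3))))
    return events

def find_139_then_4444(events, window=timedelta(minutes=5), min_4444=2):
    """Return {src_ip: number of 4444 attempts} for each source whose port-139
    attempt is followed within `window` by at least `min_4444` attempts on 4444."""
    by_src = defaultdict(list)
    for ts, src, port in sorted(events):
        by_src[src].append((ts, port))
    hits = {}
    for src, evs in by_src.items():
        for i, (ts, port) in enumerate(evs):
            if port != 139:
                continue
            later = [p for t, p in evs[i + 1:] if t - ts <= window and p == 4444]
            if len(later) >= min_4444:
                hits[src] = len(later)
                break
    return hits

if __name__ == "__main__":
    print(find_139_then_4444(parse(SAMPLE_LOG)))  # {'192.0.2.10': 3}
```

Sources that only hit 4444, or only 139, are not flagged; the point is the ordered sequence from one address, which is what made the traffic suspicious in the first place.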

