Re: Lots of traffic on port 1472 from explorer

[GuidoZ <uberguidoz () gmail com>]

I'd definately recommend capturing some of this traffic to see what is
being transmitted. (Harlan is right on.) It's one of the few things
that would great;y help know what is going on.

Something else you can try - make sure your shell command hasn't been
modified in the registry. Also, double check and make sure that the
current "explorer.exe" is the correct one from Microsoft. (Getting the
properties can help, although using a hex editor or resource hacker,
you can change small things without affecting the EXE as a whole.)

What is the OS? Maybe run SFC against it and see what it says. Beyond
that, traffic capture would be very helpful.

--
Peace. ~G


On Tue, 21 Sep 2004 16:59:08 -0700 (PDT), Harlan Carvey
<keydet89 () yahoo com> wrote:
> > I removed it, but it seems that something else is
> > amiss,
> > I still see lots of traffic from explorer.exe on the
> > 1472 port.
>
> Have you captured any of this traffic?
>
>
> > The traffic is indeed coming from a system I have
> > control of,
> > I still have no dumps though. I can see nothing
> > worrying apart
> > from the aforementioned keylogger which has now been
> > removed
>
> Not even this other traffic you've mentioned?
>
> > Lots of data is transferred from my computer to the
> > outside world,
> > pretty much all to addresses in the 35.xx.xx.xx
> > range on the
> > microsoft-ds port. Huge amount of short lived
> > connections.
> > I thought it looked like worm activity but I might
> > be wrong.
>
> Or you might not be.  Again, have you captured any of
> the traffic?
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html



-- 
Peace. ~G

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html