Full Disclosure mailing list archives
RE: svchost.exe try to send http outside
From: "CIRT.DK Mailinglists" <mailinglists () cirt dk>
Date: Wed, 17 Aug 2005 20:11:47 +0200
You could also try to use Tlist this can show what processes are running in the svchost process Dennis Rand CIRT.DK -----Original Message----- From: Paul Schmehl [mailto:pauls () utdallas edu] Sent: Wednesday, August 17, 2005 8:06 PM To: howard.lee () guoco com; full-disclosure () lists grok org uk Subject: Re: [Full-disclosure] svchost.exe try to send http outside --On Wednesday, August 17, 2005 18:12:26 +0800 howard.lee () guoco com wrote:
Dear all, I discovered that an "svchost.exe" start when the server start. This svchost.exe try to sync_sent to random http host when I view from netstat, active port, and pviewer.
The first thing you should do is search for svchost.exe. If you find several copies, look at the locations and sizes of each file. If you find one much larger than the others, check it's properties. It is most likely not a valid Windows executable. A number of malicious programs like to use the name svchost.exe for their binaries, because a normal Windows host will have several svchost.exe processes running. If *all* the copies of svchost.exe are around 15K or so and are in the "usual" locations (%SYSTEMDIR%, %SYSTEM32DIR%,%WINDIR%, then check the properties of every one to make sure they are valid MS binaries. If you discover one that's not valid, then you're going to have to figure out how it got on the server. Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/ir/security/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- svchost.exe try to send http outside howard . lee (Aug 17)
- Re: svchost.exe try to send http outside Josh Zlatin-Amishav (Aug 17)
- Re: svchost.exe try to send http outside Dave Korn (Aug 17)
- RE: svchost.exe try to send http outside Mike (Aug 17)
- RE: svchost.exe try to send http outside Aditya Deshmukh (Aug 17)
- Re: svchost.exe try to send http outside Paul Schmehl (Aug 17)
- RE: svchost.exe try to send http outside CIRT.DK Mailinglists (Aug 17)
- <Possible follow-ups>
- RE: svchost.exe try to send http outside howard . lee (Aug 17)
- Re: svchost.exe try to send http outside Mark (Aug 17)
- Re: svchost.exe try to send http outside Simon Richter (Aug 17)
- RE: svchost.exe try to send http outside howard . lee (Aug 17)
- Re: svchost.exe try to send http outside Josh Zlatin-Amishav (Aug 17)