Security Incidents mailing list archives

Re: Strange activity to a laptop?


From: "Lastname, Firstname" <bparis () SORRENTOLACTALIS COM>
Date: Fri, 6 Oct 2000 08:39:18 -0400

I've found "Inzider" to be pretty accurate at determining what proggy is
bound to what port...

http://ntsecurity.nu/toolbox/inzider/index.shtml

Bill Paris
Telecommunication/Network Analyst
Sorrento Lactalis Inc.
716-823-6262 x376
bparis () sorrentolactalis com


-----Original Message-----
From: LOS Ralph [mailto:rlos () ENVESTNET COM]
Sent: Thursday, October 05, 2000 11:23 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Strange activity to a laptop?
Sensitivity: Confidential


Hello everyone.

(This is about as detailed as I can get without revealing too much)

      We have recently had a laptop from a consultant come into our network, no antivirus software, WinNT 4.0 WS, sp4! Immediately, my firewall picks up traffic from the outbound NAT IP on their network towards this machine. Traffic looks like the snippet below. At first I thought it might be SNMP traffic somehow - but it's not. A detailed scan of the machine reveals it was listening on port 1029 (couldn't find anything open on that port). I closed and disabled service after service, until I was only left with NT's necessary functionality - and still port 1029 was open and listening. I'm totally at a loss. <snippet below>

      Does ANYONE have any GOOD tools for WinNT/Win2k to find out what port is bound to what executable/whatever?! Secondly, are there programs that will allow you to effectively 'kill' services (GUI maybe?) that NT wouldn't ordinarily allow you to see (if hidden?). Can someone provide me with some GOOD tools to start snooping around this laptop with?! I haven't been able to solve this problem - and it's generating TONS of traffic on our network (inbound) that has to be stopped by our firewall.

      I contacted the admin on the other side, he's clueless so I can't even get a packet dump of machines sending to this particular one (since they're behind a single IP address/NAT).

* * *big snip here* * *

Ralph M. Los
Internet Systems & Security Admin.          (312) 827-3945 (direct)
EnvestNet Advisory Corp.                    (312) 296-9003 (wireless)

rlos () envestnet com
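The port-to-process lookup the question asks for, written here as an added example (it is not code from the thread or from Inzider): on current Windows (8 / Server 2012 and later, where the NetTCPIP module exists) PowerShell can resolve each listening TCP port to its owning process and, for svchost-hosted listeners, to the service names; `Get-ListeningPortOwners` is a name chosen for this example.

```powershell
# Added example, not from the thread. Assumes Windows 8 / Server 2012 or later
# (Get-NetTCPConnection lives in the NetTCPIP module) and an elevated session,
# since process paths of other users' processes are otherwise unreadable.
function Get-ListeningPortOwners {
    [CmdletBinding()]
    param(
        # Optional port filter, e.g. -Port 1029 for the case in the question; omit to list all.
        [int[]]$Port
    )
    $conns = Get-NetTCPConnection -State Listen -ErrorAction Stop
    if ($Port) { $conns = $conns | Where-Object { $Port -contains $_.LocalPort } }

    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        # Many services share a svchost.exe, so the PID alone is ambiguous;
        # ask WMI which service(s) run inside that process.
        $svc = Get-CimInstance Win32_Service -Filter "ProcessId = $($c.OwningProcess)" |
               Select-Object -ExpandProperty Name
        [pscustomobject]@{
            LocalAddress = $c.LocalAddress
            LocalPort    = $c.LocalPort
            PID          = $c.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Path         = if ($proc) { $proc.Path } else { $null }
            Services     = ($svc -join ',')
        }
    }
}

# Usage: every listener sorted by port, then just the port under investigation.
Get-ListeningPortOwners | Sort-Object LocalPort | Format-Table -AutoSize
Get-ListeningPortOwners -Port 1029
```

UDP listeners are not covered by `Get-NetTCPConnection`; `Get-NetUDPEndpoint` exposes the same `OwningProcess` field and can be joined the same way.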
