[fw-wiz] Strange outbound connections.
From: George J. Jahchan, Eng. (Firewall-Wizards_at_Compucenter.org)
Date: 08/26/03
- Previous message: Bret Watson: "Setting up H323 IP telephony etc - was Re: [fw-wiz] Apple's iSight and Firewalls"
- Next in thread: Ben Nagy: "RE: [fw-wiz] Strange outbound connections."
- Reply: Ben Nagy: "RE: [fw-wiz] Strange outbound connections."
To: "Firewall Wizards List" <firewall-wizards@honor.icsalabs.com>
Date: Tue, 26 Aug 2003 12:48:26 +0300
On a Win2K Pro station, I am seeing in the packet filter log a couple of
times a day blocked outbound UDP connection attempts, always from
source port 17664 on LAN IP to the IP addresses of DNS Servers on the
Internet (configured in TCP/IP DNS network settings), ports 66, 70 (majority
of attempts) and 113. The anti-virus with up-to-date definitions says the
system is clean. The system is on a 3-station + Win2K DC LAN, with no WAN
connections.
Packet filter policy (stateful) is to explicitly allow connections from/to
valid services + LAN IP address combos (only the used addresses + broadcast
address), all else being denied and logged.
An audit of running processes did not reveal anything that raised suspicion.
I strongly suspect a trojan lurking in the system. Any idea(s) on how to
nail down the culprit?
TIA