RE: [fw-wiz] Strange outbound connections.
From: Ben Nagy (ben_at_iagu.net)
To: "'George J. Jahchan, Eng.'" <Firewall-Wizards@Compucenter.org>, "'Firewall Wizards List'" <email@example.com>
Date: Wed, 27 Aug 2003 10:57:23 +0200
Well, if you really want to catch someone, then start digging out your
Sniff these weird packets, find out what's in them. Fire up a known-good
cmd.exe and dir /a for atime mtime and ctime on everything. Run fport to
check processes that are holding onto unexpected ports. Then check all the
event logs, and dump the registry and comb through that just in case.
Eventually you might turn up something that will tell you if you're correct
that the system is trojaned, and hopefully how and why.
My own recommendation is that you immediately pull out the hard drive, get a
new one, and just format and rebuild the box from scratch.
After that, you can look at everything read-only on the bench. You might miss
some evidence (assuming you want to 'nail people down') but what you have
you won't be messing with. For extra points you can use TCT or something -
although it's probably best, if you decide that you want to take legal
action, to ask people that know about these things in your local legal
> -----Original Message-----
> From: firstname.lastname@example.org
> [mailto:email@example.com] On Behalf
> I strongly suspect a trojan lurking in the system. Any idea(s) on how to
> nail down the culprit?
firewall-wizards mailing list
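A way to script the two comparisons Ben describes (fport output against a known-good baseline of who should hold which port, and file timestamps against a suspicious window), as an added example that is not the poster's or the list's own code; the fport column layout is assumed from memory and every sample row below is constructed:

```python
import re
from datetime import datetime, timedelta
# Constructed sample in fport's column layout (assumed: Pid Process -> Port Proto Path).
FPORT_OUTPUT = """\
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  445   TCP
1204  wuauclt        ->  1025  TCP   C:\\WINNT\\system32\\wuauclt.exe
1460  svchost        ->  31337 TCP   C:\\WINNT\\Temp\\svchost.exe
"""
# Known-good baseline for this host: (port, proto) -> expected image path (None: kernel-owned, no path).
BASELINE = {
    (135, "TCP"): r"c:\winnt\system32\svchost.exe",
    (445, "TCP"): None,
    (1025, "TCP"): r"c:\winnt\system32\wuauclt.exe",
}
FPORT_LINE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")

def parse_fport(text):
    """(pid, process, port, proto, path_or_None) for each data line; path lowercased for comparison."""
    rows = []
    for line in text.splitlines():
        m = FPORT_LINE.match(line.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            rows.append((int(pid), proc, int(port), proto, path.strip().lower() or None))
    return rows

def unexpected_ports(rows, baseline=BASELINE):
    """Rows whose port is absent from the baseline, or is served by a different
    image than expected (a familiar process name in the wrong directory still hits)."""
    return [r for r in rows
            if (r[2], r[3]) not in baseline or baseline[(r[2], r[3])] != r[4]]

# Constructed (path, mtime, ctime) records, as dir /a or os.stat would give them.
T0 = datetime(2003, 8, 26, 3, 0)  # start of the window the firewall logs point at
SAMPLE_FILES = [
    (r"c:\winnt\system32\svchost.exe", T0 - timedelta(days=400), T0 - timedelta(days=400)),
    (r"c:\winnt\temp\svchost.exe", T0 + timedelta(minutes=5), T0 + timedelta(minutes=4)),
]

def touched_in_window(files, start, end):
    """Files with mtime or ctime inside [start, end], ordered into a timeline."""
    hits = []
    for path, mtime, ctime in files:
        inside = [t for t in (mtime, ctime) if start <= t <= end]
        if inside:
            hits.append((min(inside), path))
    return sorted(hits)
```

Run it against the real fport output and a timestamp dump taken from the bench copy of the drive, never from the live box you intend to preserve.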