RE: [fw-wiz] Strange outbound connections.

From: Tony Miedaner (miedaner_at_twcny.rr.com)
Date: 08/28/03

    To: Ben Nagy <ben@iagu.net>, "'George J. Jahchan, Eng.'" <Firewall-Wizards@Compucenter.org>, "'Firewall Wizards List'" <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 27 Aug 2003 18:42:00 -0400
    
    

    Sysinternals' TDIMON is very good at finding apps that open tcp and udp
    connections.

    At 10:57 AM 8/27/2003 +0200, Ben Nagy wrote:
    >Well, if you really want to catch someone, then start digging out your
    >forensics tools.
    >
    >Sniff these weird packets, find out what's in them. Fire up a known-good
    >cmd.exe and dir /a for atime mtime and ctime on everything. Run fport to
    >check processes that are holding onto unexpected ports. Then check all the
    >event logs, and dump the registry and comb through that just in case.
    >Eventually you might turn up something that will tell you if you're correct
    >that the system is trojaned, and hopefully how and why.
    >
    >My own recommendation is that you immediately pull out the hard drive, get a
    >new one, and just format and rebuild the box from scratch.
    >
    >After that, you can look at everything read-only on the bench. You might miss
    >some evidence (assuming you want to 'nail people down') but what you have
    >you won't be messing with. For extra points you can use TCT or something -
    >although it's probably best, if you decide that you want to take legal
    >action, to ask people that know about these things in your local legal
    >climate.
    >
    >ben
    >
    > > -----Original Message-----
    > > From: firewall-wizards-admin@honor.icsalabs.com
    > > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
    >[...]
    > > I strongly suspect a trojan lurking in the system. Any
    > > idea(s) on how to
    > > nail down the culprit?
    >
    >_______________________________________________
    >firewall-wizards mailing list
    >firewall-wizards@honor.icsalabs.com
    >http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

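The "dir /a for atime mtime and ctime" step from the quoted reply, as an added example that is not part of the thread: a small Python timeline builder that walks a tree from a known-good interpreter, lists files touched since a cut-off, and flags the one POSIX inconsistency (mtime newer than ctime) that a plain directory listing will not show. The sample tree, file names and the one-second tolerance are constructed here for the demonstration.

```python
import os
import tempfile
import time
from dataclasses import dataclass

@dataclass
class Entry:
    path: str
    atime: float
    mtime: float
    ctime: float

    def mtime_after_ctime(self) -> bool:
        # On POSIX st_ctime is the inode-change time and only the kernel sets it,
        # so a normal write leaves mtime <= ctime; mtime newer than ctime hints that
        # mtime was set explicitly. On Windows st_ctime is the creation time, where
        # mtime > ctime is normal, so the check is skipped there.
        return os.name != "nt" and self.mtime > self.ctime + 1.0

def collect(root: str) -> list:
    """Walk root (hidden files included, like dir /a) and record MAC times."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            found.append(Entry(path, st.st_atime, st.st_mtime, st.st_ctime))
    return found

def timeline(entries: list, since: float) -> list:
    """Entries with any of the three times at or after `since`, sorted by mtime."""
    recent = [e for e in entries if max(e.atime, e.mtime, e.ctime) >= since]
    return sorted(recent, key=lambda e: e.mtime)

def demo() -> dict:
    # Constructed sample tree: an old file, a fresh one, and one whose mtime was
    # pushed a day into the future (the trace a timestomping tool leaves behind).
    root, now = tempfile.mkdtemp(), time.time()
    samples = (("old.txt", now - 10 * 365 * 86400), ("fresh.txt", None),
               ("odd.dll", now + 86400))
    for name, mtime in samples:
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(name)
        if mtime is not None:
            os.utime(path, (mtime, mtime))
    entries = collect(root)
    return {"timeline": [os.path.basename(e.path) for e in timeline(entries, now - 3600)],
            "suspicious": [os.path.basename(e.path) for e in entries if e.mtime_after_ctime()]}
```

Note that old.txt still lands on the timeline: changing its times with utime updated its ctime, which is exactly why ctime is worth collecting alongside atime and mtime.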

