Re: [fw-wiz] [OT] tcpdump parsing

From: Paul Robertson (proberts_at_patriot.net)
Date: 10/09/03

  • Next message: Damian Gerow: "Mail server security (Was: Re: [fw-wiz] [OT] tcpdump parsing)"
    To: Damian Gerow <damian@sentex.net>
    Date: Wed, 8 Oct 2003 18:29:03 -0400 (EDT)
    
    

    On Wed, 8 Oct 2003, Damian Gerow wrote:

    > I've done some other digging, and have found out that about 99% of my dump
    > is between ports 25 and 32101. Now I just have to figure out why/how people
    > are connecting to 32101, as a full port scan of the computer has turned up
    > nothing but the standard Windows ports listening, three different times.

    You might want to look at the IE bugs that have recently been exploited,
    assuming the machines are Win* based. Checking browser caches and
    histories may yield useful stuff, as will looking for mapped drive shares
    (most Win* worms these days will do the share thing if they can.)

    > Since this has moved far and beyond the scope of the list, I'll refrain from
    > posting anything else.

    No fair, we wanna know what it was!

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    proberts@patriot.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
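As an added example, not code from the original thread, here is a small Python script for the triage Damian describes: parse tcpdump output lines, see how much of the dump is addressed to each destination port, and list which sources are opening connections to a given port (32101 here). The two line formats handled, the sample capture lines and the 198.51.100.5 / 192.0.2.x addresses are all constructed for the example.

```python
import re
from collections import Counter

# Matches old ("src.port > dst.port: S ...") and new ("IP src.port > dst.port: Flags [S], ...") tcpdump lines.
_LINE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+\s+(?:IP\s+)?(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)

def parse_line(line):
    """Return (src, dst_port, rest) for a TCP/UDP line, or None for lines we skip (ARP etc.)."""
    m = _LINE.match(line.strip())
    return (m["src"], int(m["dport"]), m["rest"]) if m else None

def is_new_connection(rest):
    """True for a bare SYN (a connection attempt); SYN/ACK replies carry an ack."""
    return rest.startswith("Flags [S],") or (rest.startswith("S ") and " ack " not in rest)

def packets_per_port(lines):
    """How much of the dump is addressed to each destination port."""
    return Counter(rec[1] for rec in map(parse_line, lines) if rec)

def connection_attempts(lines, local_port):
    """Which sources open connections to local_port, and how often."""
    return Counter(src for src, dport, rest in filter(None, map(parse_line, lines))
                   if dport == local_port and is_new_connection(rest))

# Constructed sample lines (not a real capture); 198.51.100.5 plays the local host.
SAMPLE = """\
18:29:03.100000 IP 192.0.2.10.4321 > 198.51.100.5.32101: Flags [S], seq 1, win 16384
18:29:03.200000 IP 198.51.100.5.32101 > 192.0.2.10.4321: Flags [S.], seq 2, ack 2, win 16384
18:29:03.300000 IP 192.0.2.10.4321 > 198.51.100.5.32101: Flags [.], ack 1, win 16384
18:29:04.000000 192.0.2.77.1025 > 198.51.100.5.32101: S 555:555(0) win 8192
18:29:05.000000 IP 203.0.113.9.40000 > 198.51.100.5.25: Flags [S], seq 9, win 65535
18:29:05.100000 arp who-has 198.51.100.1 tell 198.51.100.5
""".splitlines()

if __name__ == "__main__":
    for port, n in packets_per_port(SAMPLE).most_common():
        print(f"port {port}: {n} packets")
    for src, n in connection_attempts(SAMPLE, 32101).most_common():
        print(f"{src}: {n} connection attempt(s) to port 32101")
```

Feed it real output with `tcpdump -n -r capture.pcap | python3 script.py` style piping (reading stdin instead of SAMPLE); the `-n` keeps addresses numeric so the regex applies.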
