Re: [fw-wiz] [OT] tcpdump parsing
From: Damian Gerow (damian_at_sentex.net)
Date: 10/09/03
- Previous message: Damian Gerow: "Mail server security (Was: Re: [fw-wiz] [OT] tcpdump parsing)"
- In reply to: Paul Robertson: "Re: [fw-wiz] [OT] tcpdump parsing"
- Next in thread: hermit921: "Re: [fw-wiz] [OT] tcpdump parsing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com
Date: Wed, 8 Oct 2003 18:32:04 -0400
Thus spake Paul Robertson (proberts@patriot.net) [08/10/03 18:20]:
> > I've done some other digging, and have found out that about 99% of my dump
> > is between ports 25 and 32101. Now I just have to figure out why/how people
> > are connecting to 32101, as a full port scan of the computer has turned up
> > nothing but the standard Windows ports listening, three different times.
>
> You might want to look at the IE bugs that have recently been exploited,
> assuming the machines are Win* based. Checking browser caches and
> histories may yield useful stuff, as will looking for mapped drive shares
> (most Win* worms these days will do the share thing if they can.)
Yep, all these machines /are/ win* based. And as much as I'd love to go
through all their histories and caches, I just don't have that much time.
Since the spamming /does/ re-occur, I've placed my bets on it being a remote
trojan. I just don't know how it is activated, or used, as it doesn't seem
to listen on any TCP/UDP ports. Which is why I want to limit by time and
not by type of traffic -- to see if there's anything specific that goes on
before the spamming starts.
Thanks to
> > Since this has moved far and beyond the scope of the list, I'll refrain from
> > posting anything else.
>
> No fair, we wanna know what it was!
<grin>
I've gotten that impression. When I figure it out, I'll post feedback to
the list.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
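An added example, not code from the thread, of the "limit by time, not by type of traffic" approach Damian describes: parse `tcpdump -n` output, find the first outbound SMTP connection from the suspect host, and summarise the unique flows seen in the seconds before it so that anything that precedes the spam run (such as the unexplained port 32101 traffic) stands out. The capture lines, addresses and the 32101 flow are constructed sample data, and the line format assumes numeric output (`tcpdump -n`).

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of `tcpdump -n` output; not a real capture.
SAMPLE = """\
18:31:50.100000 IP 198.51.100.9.4411 > 10.0.0.5.32101: Flags [S], seq 1, win 8192
18:31:50.200000 IP 10.0.0.5.32101 > 198.51.100.9.4411: Flags [S.], seq 2, ack 2, win 8192
18:31:55.000000 IP 10.0.0.5.1031 > 10.0.0.1.53: 1234+ A? example.net. (29)
18:32:04.000000 IP 10.0.0.5.1034 > 203.0.113.7.25: Flags [S], seq 3, win 16384
18:32:05.000000 IP 10.0.0.5.1035 > 203.0.113.8.25: Flags [S], seq 4, win 16384
18:40:00.000000 IP 10.0.0.5.1040 > 10.0.0.1.53: 1235+ A? example.org. (29)
"""

# Matches both the old "ts src.port > dst.port:" form and the newer "ts IP src.port > dst.port:" form.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?:IP\s+)?"
    r"(?P<src>\S+?)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+?)\.(?P<dport>\d+):"
)

def parse_line(line):
    """Return timestamp and endpoints of one tcpdump line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}

def flows_before_spam(text, host, window_s=30, smtp_port=25):
    """Find the first packet from `host` to the SMTP port and count the unique flows
    seen in the `window_s` seconds before it, keyed by direction and targeted port."""
    pkts = [p for p in map(parse_line, text.splitlines()) if p]
    first = next((p for p in pkts if p["src"] == host and p["dport"] == smtp_port), None)
    if first is None:
        return None, Counter()
    start = first["ts"] - timedelta(seconds=window_s)
    seen, flows = set(), Counter()
    for p in pkts:
        if not (start <= p["ts"] < first["ts"]):
            continue
        key = frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])
        if key in seen:          # count each flow once, on its first packet in the window
            continue
        seen.add(key)
        if p["dst"] == host:
            flows[("in", p["dport"])] += 1     # inbound: the local port that was contacted
        elif p["src"] == host:
            flows[("out", p["dport"])] += 1    # outbound: the remote port the host went to
    return first["ts"], flows

if __name__ == "__main__":
    ts, flows = flows_before_spam(SAMPLE, "10.0.0.5")
    print("first SMTP connection at", ts.time())
    for (direction, port), n in sorted(flows.items()):
        print(f"  {direction:>3} port {port}: {n} flow(s)")
```

Run against a real capture, the summary for the sample above reports one inbound flow to port 32101 and one outbound DNS lookup in the 30 seconds before the first connection to port 25.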