Re: [fw-wiz] [OT] tcpdump parsing

From: Damian Gerow (damian_at_sentex.net)
Date: 10/09/03

To: firewall-wizards@honor.icsalabs.com
Date: Wed, 8 Oct 2003 18:32:04 -0400

Thus spake Paul Robertson (proberts@patriot.net) [08/10/03 18:20]:
> > I've done some other digging, and have found out that about 99% of my dump
> > is between ports 25 and 32101. Now I just have to figure out why/how people
> > are connecting to 32101, as a full port scan of the computer has turned up
> > nothing but the standard Windows ports listening, three different times.
>
> You might want to look at the IE bugs that have recently been exploited,
> assuming the machines are Win* based. Checking browser caches and
> histories may yield useful stuff, as will looking for mapped drive shares
> (most Win* worms these days will do the share thing if they can.)

Yep, all these machines /are/ win* based. And as much as I'd love to go
through all their histories and caches, I just don't have that much time.

Since the spamming /does/ re-occur, I've placed my bets on it being a remote
trojan. I just don't know how it is activated, or used, as it doesn't seem
to listen on any TCP/UDP ports. Which is why I want to limit by time and
not by type of traffic -- to see if there's anything specific that goes on
before the spamming starts.

Thanks to

> > Since this has moved far and beyond the scope of the list, I'll refrain from
> > posting anything else.
>
> No fair, we wanna know what it was!

<grin>

I've gotten that impression. When I figure it out, I'll post feedback to
the list.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
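The "limit by time, not by type of traffic" approach from the message above, as an added example that is not part of the thread: it parses tcpdump text output (assumed `tcpdump -n -tttt` line format), treats the first SYN to port 25 from a host after a quiet period as the start of a spam burst, and lists every connection that host opened, to any port, in the seconds before it. The capture lines and addresses are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample in the style of `tcpdump -n -tttt` text output (not a real capture).
SAMPLE = """\
2003-10-08 18:00:01.100000 IP 192.0.2.10.1034 > 198.51.100.5.32101: Flags [S], seq 1, win 64240, length 0
2003-10-08 18:00:01.200000 IP 198.51.100.5.32101 > 192.0.2.10.1034: Flags [S.], seq 2, ack 2, win 64240, length 0
2003-10-08 18:00:03.000000 IP 192.0.2.10.1035 > 203.0.113.25.25: Flags [S], seq 3, win 64240, length 0
2003-10-08 18:00:04.000000 IP 192.0.2.10.1036 > 203.0.113.26.25: Flags [S], seq 4, win 64240, length 0
2003-10-08 18:30:00.000000 IP 192.0.2.10.1040 > 198.51.100.9.80: Flags [S], seq 5, win 64240, length 0
2003-10-08 18:31:00.000000 IP 192.0.2.10.1041 > 203.0.113.27.25: Flags [S], seq 6, win 64240, length 0
"""

# Matches the timestamp, endpoints and TCP flags of an IPv4 TCP line; the rest is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def parse_syns(text):
    """Yield (timestamp, src, dst, dport) for client-side SYNs (Flags [S], not [S.])."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("flags") == "S":
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group("src"), m.group("dst"), int(m.group("dport"))

def spam_precursors(text, window=10.0, spam_port=25, quiet=60.0):
    """A burst starts at the first SYN to spam_port from a host after `quiet` seconds
    without one. For each burst, report every connection that host opened, to any
    port, within `window` seconds before it: [(host, burst_time, [(dst, dport, secs_before)])]."""
    syns = sorted(parse_syns(text))       # chronological order, all hosts
    last_spam, bursts = {}, []
    for i, (ts, src, dst, dport) in enumerate(syns):
        if dport != spam_port:
            continue
        prev = last_spam.get(src)
        last_spam[src] = ts
        if prev is not None and (ts - prev).total_seconds() <= quiet:
            continue                      # still inside the burst already reported
        before = [(d, p, (ts - t).total_seconds())
                  for t, s, d, p in syns[:i]
                  if s == src and (ts - t).total_seconds() <= window]
        bursts.append((src, ts, before))
    return bursts

if __name__ == "__main__":
    for host, when, before in spam_precursors(SAMPLE):
        print(f"{host} started spamming at {when:%H:%M:%S}")
        for dst, port, secs in before:
            print(f"  {secs:6.1f}s earlier: -> {dst}:{port}")
```

Widening `window` (say to 120 seconds) shows how the preceding-traffic list grows with the chosen time limit; on a real dump, the port 32101 connection a couple of seconds before the first SMTP SYN is the kind of precursor the investigation is looking for.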

