Re: [fw-wiz] [OT] tcpdump parsing
From: Damian Gerow (damian_at_sentex.net)
To: firstname.lastname@example.org
Date: Wed, 8 Oct 2003 18:32:04 -0400
Thus spake Paul Robertson (email@example.com) [08/10/03 18:20]:
> > I've done some other digging, and have found out that about 99% of my dump
> > is between ports 25 and 32101. Now I just have to figure out why/how people
> > are connecting to 32101, as a full port scan of the computer has turned up
> > nothing but the standard Windows ports listening, three different times.
> You might want to look at the IE bugs that have recently been exploited,
> assuming the machines are Win* based. Checking browser caches and
> histories may yield useful stuff, as will looking for mapped drive shares
> (most Win* worms these days will do the share thing if they can.)
Yep, all these machines /are/ win* based. And as much as I'd love to go
through all their histories and caches, I just don't have that much time.
Since the spamming /does/ re-occur, I've placed my bets on it being a remote
trojan. I just don't know how it is activated, or used, as it doesn't seem
to listen on any TCP/UDP ports. Which is why I want to limit by time and
not by type of traffic -- to see if there's anything specific that goes on
before the spamming starts.
> > Since this has moved far and beyond the scope of the list, I'll refrain from
> > posting anything else.
> No fair, we wanna know what it was!
I've gotten that impression. When I figure it out, I'll post feedback to
firewall-wizards mailing list
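The approach the poster describes, slicing the dump by time around the onset of spamming rather than by traffic type, can be done against plain `tcpdump -tt -n` text output. The script below is an added example, not code from the thread or its participants: for every host that opens an outbound connection to port 25 it reports the remote peers and ports that host exchanged packets with in the preceding window. The capture it runs on is constructed sample data; the addresses, timestamps and the use of port 32101 are illustrative and are not evidence from the original incident.

```python
"""Summarise what a host talked to in the seconds before its first outbound SMTP
connection, from `tcpdump -tt -n` text output (epoch timestamps, no name lookups)."""
import re

# Matches TCP and UDP lines with IPv4 endpoints in both the 2003-era flag syntax
# ("S 123:123(0) win ...") and the current one ("Flags [S], seq ...").
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_line(line):
    """Return ts/src/sport/dst/dport/syn for one tcpdump line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # A bare SYN (a client opening a connection); a SYN/ACK carries "ack" in the
    # old syntax and "[S.]" in the new one, so neither counts.
    syn = rest.startswith("Flags [S],") or (rest.startswith("S ") and " ack " not in rest)
    return {
        "ts": float(m.group("ts")),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "syn": syn,
    }


def precursor_flows(lines, spam_port=25, window=60.0):
    """For each host that opens an outbound connection to spam_port, list what it
    talked to in the `window` seconds before that first connection.

    Inbound peers are recorded as ("in", remote_ip, local_port) so an unexpected
    local port stands out; outbound ones as ("out", remote_ip, remote_port).
    Returns {host: {"spam_start": ts, "peers": sorted list of those tuples}}.
    """
    pkts = sorted((p for p in map(parse_line, lines) if p), key=lambda p: p["ts"])
    first_spam = {}
    for p in pkts:
        if p["syn"] and p["dport"] == spam_port and p["src"] not in first_spam:
            first_spam[p["src"]] = p["ts"]
    report = {}
    for host, t0 in first_spam.items():
        peers = set()
        for p in pkts:
            if not (t0 - window <= p["ts"] < t0):
                continue
            if p["src"] == host:
                peers.add(("out", p["dst"], p["dport"]))
            elif p["dst"] == host:
                peers.add(("in", p["src"], p["dport"]))
        report[host] = {"spam_start": t0, "peers": sorted(peers)}
    return report


# Constructed sample in `tcpdump -tt -n` format (assumed data, not from the thread):
# an old DNS lookup far outside the window, an inbound connection to 32101, a DNS
# lookup, then the first outbound SMTP SYN and a later one that must be ignored.
SAMPLE = """\
1065649000.100000 IP 192.168.1.10.1030 > 192.168.1.1.53: 5678+ A? example.org. (29)
1065650000.000000 IP 203.0.113.7.4444 > 192.168.1.10.32101: S 10:10(0) win 64240 <mss 1460>
1065650000.000500 IP 192.168.1.10.32101 > 203.0.113.7.4444: S 20:20(0) ack 11 win 5840
1065650000.001000 IP 203.0.113.7.4444 > 192.168.1.10.32101: P 11:60(49) ack 21 win 64240
1065650005.000000 IP 192.168.1.10.1033 > 192.168.1.1.53: 1234+ A? mail.example.com. (34)
1065650010.000000 IP 192.168.1.10.1034 > 198.51.100.20.25: Flags [S], seq 100, win 64240
1065650020.000000 IP 192.168.1.10.1035 > 198.51.100.21.25: Flags [S], seq 200, win 64240
1065650020.000500 IP 198.51.100.21.25 > 192.168.1.10.1035: Flags [S.], seq 300, ack 201, win 5840
"""

if __name__ == "__main__":
    for host, info in precursor_flows(SAMPLE.splitlines()).items():
        print(f"{host}: first SMTP SYN at {info['spam_start']:.6f}")
        for direction, ip, port in info["peers"]:
            print(f"  {direction:>3} {ip} port {port}")
```

Feed it a real capture with `tcpdump -tt -n -r dump.pcap | python3 precursors.py` after replacing `SAMPLE` with `sys.stdin`; widen `window` until the precursor set stops changing, and treat an inbound hit on a port nothing appears to listen on as a lead to chase on the host, not as proof of anything.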