Re: [fw-wiz] worm?
- From: "Francois Yang" <francois.y@xxxxxxxxx>
- Date: Thu, 1 Feb 2007 15:55:29 -0600
You could use FakeDNS and MailPot to maybe capture what happens after
the connection is created. Here is the link to the tools. I haven't
used them, but I know they can be used for things like this.
http://labs.idefense.com/files/labs/releases/previews/map/
On 2/1/07, Paul D. Robertson <paul@xxxxxxxxxxxx> wrote:
> On Thu, 1 Feb 2007, Brian Loe wrote:
> > One of our support technician's machines is attempting to connect to
> > random IP addresses on port 25 - in a pretty needy fashion. He says
> > he's scanned the box with the latest updates from McAfee and it
> > hasn't found anything.
> >
> > We discovered it because one of my basic (meaning I got it off the
> > 'Net) rules for SEC flagged it as a possible PHEL trojan.
> >
> > Any thoughts?
>
> See what process keeps opening sockets?
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
--
If you think technology can solve your security problems, then you
don't understand the problems and you don't understand the technology.
Bruce Schneier
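
An added example, not part of the original thread: a small detector for the symptom described above, one internal host opening port 25 connections to many different addresses in a short time. The log format, the 60-second window, the threshold of 5 and the mail-server allowlist are assumptions chosen for illustration, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical firewall format (documentation IP ranges).
SAMPLE_LOG = "\n".join(
    # Workstation contacting six different hosts on port 25 within 25 seconds.
    [f"2007-02-01T15:40:{i*5:02d} SRC=192.0.2.10 DST=198.51.100.{i+1} PROTO=TCP DPT=25 SYN"
     for i in range(6)]
    # The legitimate mail relay does the same thing and must not be flagged.
    + [f"2007-02-01T15:41:{i*5:02d} SRC=192.0.2.25 DST=203.0.113.{i+1} PROTO=TCP DPT=25 SYN"
       for i in range(6)]
    # Normal client: talks only to the relay on port 25, plus some web traffic.
    + ["2007-02-01T15:42:00 SRC=192.0.2.11 DST=192.0.2.25 PROTO=TCP DPT=25 SYN",
       "2007-02-01T15:42:10 SRC=192.0.2.11 DST=192.0.2.25 PROTO=TCP DPT=25 SYN",
       "2007-02-01T15:42:20 SRC=192.0.2.11 DST=198.51.100.80 PROTO=TCP DPT=80 SYN"]
)

LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+) SYN$")


def smtp_fanout(log_text, window=timedelta(seconds=60), threshold=5, mail_servers=()):
    """Return {source: peak count of distinct port-25 destinations in one window}
    for every non-allowlisted source whose peak reaches the threshold."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(4) != "25":
            continue  # unparsable line or not SMTP
        ts, src, dst = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        if src not in mail_servers:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start, peak = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in evs[start:end + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    print(smtp_fanout(SAMPLE_LOG, mail_servers={"192.0.2.25"}))
```

A flagged source is the machine on which to go and look for the process that keeps opening sockets, as suggested earlier in the thread.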