Re: [fw-wiz] OT? New compromise.



Whatever I/P stack you are using, I would start pumping some MSN I/M
packets around on my small subnet for this kind of thing. Mirroring a port
will give you the data and you can analyze with your favorite sniffer. See
what happens as the needed ports come alive and then timeout. It might give
you a better picture.
Richard

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of J.
Oquendo
Sent: Wednesday, March 28, 2007 2:25 PM
To: Firewall Wizards Security Mailing List
Cc: firewall-wizards@xxxxxxxxxxxxxxxxxxxxxxx
Subject: Re: [fw-wiz] OT? New compromise.

St John, Richard wrote:

Once you determine there might be an issue, I think there used to be a
program called openports which would run on the machine and relate any
LISTENING or ESTABLISHED ports to the actual file that has the port
open. This would then give you the service/process/program waiting for
traffic on that port.
On Windows
/c:\netstat -an |find /i "listening"/

Why download when you can use existing tools...


Others...
#lsof|grep -i listen
#netstat -l|grep "*"
#netstat -a|grep -i listen (for Solaris ... at least 5.10)


--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

The happiness of society is the end of government.
John Adams


_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards