Re: [fw-wiz] OT? New compromise.



On Thu, 2007-03-29 at 17:12 -0400, Mike Barkett wrote:
> On Windows
> c:\netstat -an |find /i "listening"

There are tools like openports or the sysinternals set you may

Windows: netstat -aon
Linux: netstat -apn

Of course all these tools only work if the application uses the OS's IP
stack. Any decent rootkitted malware, that puts its own packets on the
wire and sniffs the responses promiscuously, won't show up in those
lists. You can see the packets with tcpdump/sniffers, but won't be able
to correlate them back to an application (unless you do some CPU
utilization sampling and correlate that with the observed network traffic,
but you'd need to be able to see the app in the first place, so if it's
hidden by a rootkit, that won't help you either).

Just because nothing shows up in netstat doesn't mean that there isn't
an application promiscuously listening for data to that port.

Regards,
Frank



--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
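The cross-check Frank describes, a netstat listing compared against what a sniffer sees on the wire, as an added example that is not part of this thread. It runs over constructed sample data: the netstat lines, the tcpdump-style lines, the host address and the port numbers (including 31337) are all made up for illustration.

```python
import re

# Constructed sample of `netstat -aon` output (Windows); not a real listing.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49152     203.0.113.5:443        ESTABLISHED     2204
  UDP    0.0.0.0:123            *:*                                    1040
"""

# Constructed tcpdump-style lines; 192.168.1.10 is the host being examined.
CAPTURE_LINES = """\
IP 198.51.100.7.53211 > 192.168.1.10.445: Flags [S], seq 1
IP 192.168.1.10.445 > 198.51.100.7.53211: Flags [S.], seq 2, ack 2
IP 198.51.100.7.40000 > 192.168.1.10.31337: Flags [S], seq 3
IP 192.168.1.10.31337 > 198.51.100.7.40000: Flags [S.], seq 4, ack 4
IP 192.168.1.10.49152 > 203.0.113.5.443: Flags [P.], seq 5
IP 198.51.100.9.5555 > 192.168.1.10.8080: Flags [S], seq 6
"""

# Local port of each netstat socket line (any state, TCP or UDP).
NETSTAT_RE = re.compile(r"^\s*(?:TCP|UDP)\s+\S+:(\d+)\s")
# Source/destination address and port of a tcpdump "IP a.b.c.d.port > ..." line.
PKT_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def local_ports_from_netstat(text):
    """Ports the OS stack admits to using, in any state."""
    return {int(m.group(1)) for m in map(NETSTAT_RE.match, text.splitlines()) if m}


def answering_ports_from_capture(text, host):
    """Local ports from which `host` was actually seen sending packets."""
    ports = set()
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m and m.group(1) == host:
            ports.add(int(m.group(2)))
    return ports


def ports_hidden_from_netstat(netstat_text, capture_text, host):
    """Ports the host talks from on the wire but netstat never reported."""
    known = local_ports_from_netstat(netstat_text)
    seen = answering_ports_from_capture(capture_text, host)
    return sorted(seen - known)


if __name__ == "__main__":
    for port in ports_hidden_from_netstat(NETSTAT_OUTPUT, CAPTURE_LINES, "192.168.1.10"):
        print(f"host answers from port {port}, but netstat shows no socket on it")
```

Port 8080 only receives a SYN and is never answered, so it is not flagged; 31337 is answered by the host without any matching socket in netstat, which is exactly the discrepancy a stack-bypassing listener would leave.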


_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

