Re: Trace of 139 attack?
From: S S (shskgk@hotmail.com)
Date: 07/25/01
- Previous message: tbos1@sears.com: "cached passwords"
- Maybe in reply to: Eagle: "Trace of 139 attack?"
- Next in thread: Windex King: "Re: Trace of 139 attack?"
- Next in thread: Todd Schubert: "RE: Trace of 139 attack?"
- Reply: Windex King: "Re: Trace of 139 attack?"
From: "S S" <shskgk@hotmail.com>
To: focus-ms@securityfocus.com
Subject: Re: Trace of 139 attack?
Date: Wed, 25 Jul 2001 14:24:11 -0600
Message-ID: <F2143rQ3OBaxSljMx9O00004c65@hotmail.com>
<snip>
I have been mucking with having my HIDS execute a simple script once
certain "suspicious" events have occurred. The script basically does:
C:\I AM Canadian>netstat -an | findstr /r "^[^:]*:139[^0-9][^:]*:.*"
TCP 10.10.10.10:139 0.0.0.0:0 LISTENING
That way you get a list of all the machines that are connected to TCP
139 on your box (this needs to be run while the attacker is connected
obviously). This isn't a very elegant solution but I've been at a loss
of what else to do (other than installing FW or NIDS software).
</snip>
Wouldn't this work just as well?
C:\I AM Canadian>netstat -an | find ":139"
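An added example, not part of the original thread, that runs both filters from the messages above over a constructed `netstat -an` sample: the plain substring also matches ports that merely begin with 139 and outbound connections to a remote port 139, while the anchored pattern matches only the local port. It goes one step further and parses the columns to list only the connected peers; the sample addresses and all function names are assumptions made for illustration.

```python
import re

# Constructed `netstat -an` sample; all addresses are made up for illustration.
SAMPLE = """\
  TCP    10.10.10.10:139        0.0.0.0:0              LISTENING
  TCP    10.10.10.10:139        192.0.2.45:1047        ESTABLISHED
  TCP    10.10.10.10:1390       192.0.2.46:2001        ESTABLISHED
  TCP    10.10.10.10:1058       198.51.100.7:139       ESTABLISHED
  TCP    10.10.10.10:80         192.0.2.47:13900       TIME_WAIT
  UDP    10.10.10.10:138        *:*
"""

# Same pattern as the quoted findstr /r command: the first colon on the line
# (the local address) must be followed by exactly port 139.
FINDSTR_RE = re.compile(r"^[^:]*:139[^0-9][^:]*:.*")


def substring_filter(text):
    """Equivalent of `find ":139"`: any line containing the substring."""
    return [ln for ln in text.splitlines() if ":139" in ln]


def regex_filter(text):
    """Equivalent of the quoted findstr regular expression."""
    return [ln for ln in text.splitlines() if FINDSTR_RE.match(ln)]


def peers_on_local_port(text, port=139):
    """Parse columns and return (remote_ip, remote_port, state) for TCP
    connections whose local port is `port`, skipping the listening socket."""
    peers = []
    for ln in text.splitlines():
        cols = ln.split()
        if len(cols) != 4 or cols[0] != "TCP":
            continue
        # rsplit on the last colon also copes with bracketed IPv6 addresses.
        local_port = cols[1].rsplit(":", 1)[1]
        remote_ip, remote_port = cols[2].rsplit(":", 1)
        if local_port == str(port) and cols[3] != "LISTENING":
            peers.append((remote_ip, int(remote_port), cols[3]))
    return peers


if __name__ == "__main__":
    print(len(substring_filter(SAMPLE)), "lines match the substring")
    print(len(regex_filter(SAMPLE)), "lines match the regex")
    print(peers_on_local_port(SAMPLE))
```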