Re: Trace of 139 attack?
From: Windex King (WindexKing@mor-lan-d.com)
Date: 07/26/01
- Previous message: Pidgorny, Slav: "RE: Hacked NT/2K box"
- In reply to: S S: "Re: Trace of 139 attack?"
- Next in thread: Todd Schubert: "RE: Trace of 139 attack?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <3B602BB3.66137F78@mor-lan-d.com>
Date: Thu, 26 Jul 2001 10:39:47 -0400
From: Windex King <WindexKing@mor-lan-d.com>
To: focus-ms@securityfocus.com
Subject: Re: Trace of 139 attack?
S S wrote:
>>
>> <snip>
>>
>> C:\I AM Canadian>netstat -an | findstr /r "^[^:]*:139[^0-9][^:]*:.*"
>> TCP 10.10.10.10:139 0.0.0.0:0 LISTENING
>>
>> </snip>
>
> Wouldn't this work just as well?
>
> C:\I AM Canadian>netstat -an | find ":139"
Not really IMHO. The regex I used should only show listening
connections on or remote connections to TCP port 139 on the
server from which the command is run.
Yours will show all connections to/from/listening on ports
139, 139[0-9] as well as 139[0-9][0-9].
Mine is bad enough in that you still have to do the work to
figure out which of the inbound connections is from the attacker
(assuming there is more than one inbound connection established).
The other thing I forgot to mention is that this info will be
logged somewhere. I typically send it over an encrypted channel
to my HIDS Manager for safekeeping.
W K
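To make the difference between the two commands concrete, here is an added example (not from the thread) that applies both filters, rewritten as Python regexes, to a constructed `netstat -an` sample and then extracts the established inbound peers that, as the reply notes, still have to be examined one by one.

```python
import re

# Constructed sample of `netstat -an` output (not from the original thread):
# the NetBIOS session listener, two inbound sessions to local 139, one
# outbound session to a remote 139, and lines on ports 1390/13900 that a
# plain substring search picks up by mistake.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.10.10.10:139        0.0.0.0:0              LISTENING
  TCP    10.10.10.10:139        10.10.10.25:1034       ESTABLISHED
  TCP    10.10.10.10:139        192.0.2.77:4455        ESTABLISHED
  TCP    10.10.10.10:1390       0.0.0.0:0              LISTENING
  TCP    10.10.10.10:13900      10.10.10.30:1044       ESTABLISHED
  TCP    10.10.10.10:1052       10.10.10.40:139        ESTABLISHED
  UDP    10.10.10.10:137        *:*
"""

# The findstr /r expression from the thread; the same text is valid Python re.
# `^[^:]*` cannot cross a colon, so the `:139` must be the local port: the
# listener and sessions INTO 139 match, an outbound session TO a remote 139
# does not, and 1390/13900 fail on the `[^0-9]` that must follow "139".
PRECISE = re.compile(r"^[^:]*:139[^0-9][^:]*:.*")


def naive_filter(netstat_output):
    """Equivalent of `find ":139"`: substring match on every line."""
    return [l for l in netstat_output.splitlines() if ":139" in l]


def precise_filter(netstat_output):
    """Equivalent of the findstr regex: lines whose local port is exactly 139."""
    return [l for l in netstat_output.splitlines() if PRECISE.search(l)]


def inbound_139_peers(netstat_output):
    """Foreign endpoints of ESTABLISHED sessions into local port 139.

    This is the remaining manual step from the reply: which of these peers
    is the one worth investigating is still up to the analyst."""
    peers = []
    for line in precise_filter(netstat_output):
        fields = line.split()  # Proto, Local Address, Foreign Address, State
        if len(fields) >= 4 and fields[3] == "ESTABLISHED":
            peers.append(fields[2])
    return peers
```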