RE: ntsds.exe or ntsdc.exe

From: Michael Ward (Mward@roseglen.com)
Date: 04/04/02


Date: Wed, 3 Apr 2002 17:19:05 -0500
From: "Michael Ward" <Mward@roseglen.com>
To: "Hunter Ely" <hely1@lsu.edu>, <focus-ms@lists.securityfocus.com>

Did you do any packet captures? Maybe if you captured some packets you
could analyze the ports that were being used and the protocol, and then
figure out if it was possibly a Trojan or IRC bot (or something of the
like). I wouldn't be surprised, given that the machines are on a campus.

-Mike

-----Original Message-----
From: Hunter Ely [mailto:hely1@lsu.edu]
Sent: Wednesday, April 03, 2002 2:27 PM
To: focus-ms@lists.securityfocus.com
Subject: ntsds.exe or ntsdc.exe

Recently some computers on a few LANs on our network were sending full
size packets and were the top talkers on campus. When we looked into this
further, it appeared that all the machines were Windows machines with a
service called either ntsds.exe or ntsdc.exe. This service couldn't be
stopped. The only way to keep it from loading was to rename the file. The
traffic ceased when we finally were able to stop the service. I can't seem
to find anything about this service anywhere. Has anyone else on the list
experienced this or can point me in the right direction? Thanks.
------------------------------------------------------
Hunter Ely
Network Security Analyst, Office of Computing Services
Louisiana State University
http://hunter.lsu.edu
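One way to act on the packet-capture suggestion in the reply above, as an added example that is not part of the original thread or either poster's work: a standard-library-only reader for classic libpcap files that reports top talkers by bytes, the protocol/destination-port mix, how many full-size (1500-byte) IP packets each host sent, and which hosts talked to ports in the usual IRC server range. The capture it analyses is constructed in memory (addresses from the RFC 5737 documentation ranges, zeroed checksums); the IRC-port list and the 1500-byte threshold are heuristics chosen for the example, and a hit is a lead to inspect, not proof of a bot.

```python
"""Summarise a pcap: top talkers, protocol/port mix, full-size packets, IRC-port leads.

Standalone libpcap reader using only the standard library (no scapy/tcpdump
needed). The sample capture below is CONSTRUCTED in memory for illustration;
for a real file use summarise(open("capture.pcap", "rb").read()).
"""
import socket
import struct
from collections import Counter, defaultdict

ETH_IPV4 = 0x0800
PROTO_NAMES = {6: "tcp", 17: "udp"}
# Heuristic (assumption of this example): ports commonly used by IRC servers.
IRC_PORTS = set(range(6660, 6670)) | {7000}
FULL_SIZE = 1500  # Ethernet MTU; an IP total length at/above this is "full size"


def build_frame(src, dst, proto, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP-or-UDP frame (checksums zeroed; fine for parsing)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
    if proto == 6:   # 20-byte TCP header: ports, seq, ack, offset, flags, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:            # 8-byte UDP header: ports, length, csum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4 + payload


def build_pcap(frames):
    """Wrap frames in a classic libpcap file (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records


def parse_pcap(data):
    """Yield (src, dst, proto, sport, dport, ip_total_len) for each IPv4 TCP/UDP frame."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # byte-swapped magic => big-endian headers
    offset = 24
    while offset + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + caplen]
        offset += caplen
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue                      # not IPv4 over Ethernet; skip
        ihl = (frame[14] & 0x0F) * 4      # IP header length in bytes
        total_len, = struct.unpack_from("!H", frame, 16)
        proto = frame[23]
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        l4 = 14 + ihl
        if proto not in PROTO_NAMES or len(frame) < l4 + 4:
            continue
        sport, dport = struct.unpack_from("!HH", frame, l4)
        yield src, dst, proto, sport, dport, total_len


def summarise(data):
    """Return top talkers by bytes, (proto, dport) counts, full-size counts and IRC-port leads."""
    bytes_by_src = Counter()
    flows = Counter()
    full_size = Counter()
    irc_leads = defaultdict(set)
    for src, dst, proto, sport, dport, total_len in parse_pcap(data):
        bytes_by_src[src] += total_len
        flows[(PROTO_NAMES[proto], dport)] += 1
        if total_len >= FULL_SIZE:
            full_size[src] += 1
        if dport in IRC_PORTS:
            irc_leads[src].add(f"{dst}:{dport}")
    return {
        "top_talkers": bytes_by_src.most_common(),
        "flows": flows,
        "full_size": full_size,
        "irc_leads": {k: sorted(v) for k, v in irc_leads.items()},
    }


# Constructed sample: one chatty host pushing full-size packets to port 6667,
# one ordinary host doing a web request and a DNS lookup.
SAMPLE_PCAP = build_pcap(
    [build_frame("192.0.2.10", "198.51.100.5", 6, 1025, 6667, b"A" * 1460)] * 5
    + [build_frame("192.0.2.20", "198.51.100.80", 6, 1026, 80, b"GET / HTTP/1.0\r\n\r\n")]
    + [build_frame("192.0.2.20", "198.51.100.53", 17, 1027, 53, b"\x00" * 30)]
)

if __name__ == "__main__":
    report = summarise(SAMPLE_PCAP)
    for src, nbytes in report["top_talkers"]:
        print(f"{src:16} {nbytes:>8} bytes  full-size packets: {report['full_size'][src]}")
    for (proto, port), n in sorted(report["flows"].items()):
        print(f"  {proto}/{port}: {n} packets")
    for src, targets in report["irc_leads"].items():
        print(f"  lead: {src} -> IRC-range ports {targets}")
```

The per-host byte count reproduces the "top talkers" view the original post got from the network side, and the per-port breakdown is what the reply asks for: a host that only ever sends full-size packets to one remote port is a different picture from one with a normal mix of web and DNS traffic, and the port tells you which protocol decoder (or which capture filter) to reach for next.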


