RE: SYN_SENT to port 8081

tleroy_at_rochester.rr.com
Date: 02/27/04


To: brian@centurionservice.com, tleroy@rochester.rr.com, focus-ms@securityfocus.com
Date: Fri, 27 Feb 2004 17:29:54 -0500

Everyone,
     Thanks for the outstanding support! I received many responses to my
posting.
     A registry search for the IP did not turn up anything.
     fport only seems to be available for NT-based OSes.
     I found the problem with Process Explorer by Sysinternals.com. It's
a great free Task Manager-like utility I found at SysInternals' site which
was recommended by Miroslaw Chorazy (Thanks Miroslaw!).
     I saw an entry called WindowsUpd1.exe. I killed the process using
Process Explorer, did a netstat -a, and the strange entry was gone.
     I did a Google search for WindowsUpd1.exe and found that some scumware
called VirtuMonde was responsible. I followed the removal instructions and
appear to be running clean.
     I'm surprised Spybot Search & Destroy didn't find it.

Thanks To All!

Sincerely,

Ted LeRoy
MCSE(NT/2000),CCNA, A+
tleroy@rochester.rr.com

Original Message:
-----------------
From: Brian Glover brian@centurionservice.com
Date: Fri, 27 Feb 2004 13:06:59 -0600
To: tleroy@rochester.rr.com, focus-ms@securityfocus.com
Subject: RE: SYN_SENT to port 8081

Ted-

You could narrow it down to the application utilizing the outgoing port
with Fport from Foundstone:
http://www.foundstone.com/resources/proddesc/fport.htm

Regards,
Brian Glover

-----Original Message-----
From: Ted LeRoy [mailto:tleroy@rochester.rr.com]
Sent: Friday, February 27, 2004 11:23 AM
To: focus-ms@securityfocus.com
Subject: SYN_SENT to port 8081

Hello,
     I have a Windows 98 Second Edition machine that's consistently
sending SYN_SENT packets to 64.186.152.176:8081. I've run a full virus
scan, and run spybot search & destroy, but the transmission is still
happening. I have not done all Windows 98 updates yet, and am in the
process of doing so.
     Below is a copy of the output from a netstat -a:

Microsoft(R) Windows 98
   (C)Copyright Microsoft Corp 1981-1999.

C:\WINDOWS\Desktop>netstat -a

Active Connections

  Proto  Local Address        Foreign Address        State
  TCP    fns010:1032          FNS010:0               LISTENING
  TCP    fns010:42510         FNS010:0               LISTENING
  TCP    fns010:1026          FNS010:0               LISTENING
  TCP    fns010:1025          FNS010:0               LISTENING
  TCP    fns010:1025          ROCHBDC:nbsession      ESTABLISHED
  TCP    fns010:1029          FNS010:0               LISTENING
  TCP    fns010:1032          64.186.152.176:8081    SYN_SENT
  TCP    fns010:42508         FNS010:0               LISTENING
  TCP    fns010:137           FNS010:0               LISTENING
  TCP    fns010:138           FNS010:0               LISTENING
  TCP    fns010:nbsession     FNS010:0               LISTENING
  UDP    fns010:42508         *:*
  UDP    fns010:nbname        *:*
  UDP    fns010:nbdatagram    *:*

Google and Microsoft searches have yielded little. Does anyone out
there know of an attack that evades Spybot and CA Anti-Virus, and
exhibits the characteristics above?

Sincerely,

Ted LeRoy
MCSE(NT/2000), CCNA, A+
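The triage the thread walks through (spot an outbound TCP connection to a public address in the netstat -a listing, then take the local port to Fport or Process Explorer to find the owning process) can be scripted for the first half. The following is an added example, not code from the thread or from any of the tools named in it: a small Python parser for the Windows 9x-style netstat -a layout that separates listening sockets, LAN peers and connections to public IP addresses, and reports the local ports worth mapping to a process. The sample input is constructed here from the quoted output plus one RFC 1918 line added to exercise the private-address branch; the address and port values are as they appear in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the netstat -a output quoted in the thread,
# plus one 192.168.x.x line added here to show the private-address branch.
SAMPLE_NETSTAT = """\
Active Connections

  Proto Local Address Foreign Address State
  TCP fns010:1032 FNS010:0 LISTENING
  TCP fns010:1025 ROCHBDC:nbsession ESTABLISHED
  TCP fns010:1032 64.186.152.176:8081 SYN_SENT
  TCP fns010:1040 192.168.1.10:445 ESTABLISHED
  UDP fns010:nbname *:*
"""


@dataclass
class Connection:
    proto: str
    local_host: str
    local_port: str
    foreign_host: str
    foreign_port: str
    state: str  # empty for UDP rows, which netstat prints without a state


def parse_netstat(text: str) -> List[Connection]:
    """Parse netstat -a rows of the form 'TCP host:port host:port STATE'."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the banner, the column header and blank lines.
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""
        # rpartition so a hostname containing no colon still splits cleanly.
        local_host, _, local_port = local.rpartition(":")
        foreign_host, _, foreign_port = foreign.rpartition(":")
        conns.append(Connection(proto, local_host, local_port,
                                foreign_host, foreign_port, state))
    return conns


def classify_foreign(host: str) -> str:
    """Bucket a foreign address: wildcard, private/loopback, public, or a
    NetBIOS/DNS name that cannot be judged without resolving it."""
    if host == "*":
        return "wildcard"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "named-host"
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return "private"
    return "public"


def suspicious_outbound(conns: List[Connection]) -> List[Connection]:
    """TCP sockets talking (or trying to talk) to a public IP address.
    SYN_SENT is included because a repeated, unanswered connect attempt is
    exactly the symptom in the thread; LISTENING rows never qualify."""
    return [
        c for c in conns
        if c.proto == "TCP"
        and c.state in ("SYN_SENT", "ESTABLISHED")
        and classify_foreign(c.foreign_host) == "public"
    ]


def ports_to_map(conns: List[Connection]) -> List[str]:
    """Local ports to hand to Fport / Process Explorer, deduplicated."""
    return sorted({c.local_port for c in suspicious_outbound(conns)})


if __name__ == "__main__":
    found = suspicious_outbound(parse_netstat(SAMPLE_NETSTAT))
    for c in found:
        print(f"{c.state:<11} local port {c.local_port} -> "
              f"{c.foreign_host}:{c.foreign_port}")
    print("map these local ports to a process:", ports_to_map(parse_netstat(SAMPLE_NETSTAT)))
```

On the sample this reports only the 64.186.152.176:8081 row and local port 1032; the ROCHBDC session and the 192.168.1.10 line are classified as named-host and private respectively and left out, which is the same judgement Ted made by eye. A hostname in the Foreign Address column is deliberately not treated as safe, only as unresolved: netstat -a without -n prints names it can resolve, so a public host with reverse DNS would show up as "named-host" and should be checked with netstat -an before being dismissed.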


