Re: Port Zero
From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 07/19/05
- Previous message: nony101_at_last.za.net: "Re: Port Zero"
- In reply to: nony101_at_last.za.net: "Re: Port Zero"
- Next in thread: Andrew Simmons: "Re: Port Zero"
Date: Tue, 19 Jul 2005 07:38:23 -0700 (PDT)
To: nony101@last.za.net, incidents@securityfocus.com
> I had an incident yesterday (18 June 2005), where a
> client's Windows box listed almost every possible
> port as open, listening in the same way described
> above. Similar netstat -an output as above. From my
> experience this isn't normal.
>
> A few hours later the machine rapidly started
> sending packets to random addresses on port 443.
>
> What could this possibly be? Is it a
> virus/backdoor/something malicious?

Well, there is a way to find out. One tool to use is
Foundstone's fport.exe, but I prefer DiamondCS's
openports.exe. These tools are used for
process-to-port mapping; i.e., determining which
processes on the system are using which port.

If the client's system is/was Windows XP, take a look
at the output of "netstat /?", paying particular
attention to the '-o' and '-b' options.

Harlan
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
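
The process-to-port mapping suggested in the message above, as an added example that is not part of the original post: a Python triage script that reads saved `netstat -ano` output, groups sockets by owning PID, and flags a PID that holds an unusual number of listeners or contacts many distinct hosts on one remote port. The sample rows, the addresses, the PIDs and both thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
# One data row of `netstat -ano`: proto, local, foreign, optional state, PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$")

def port_of(endpoint):
    """Port of 'addr:port' or '[v6]:port'; None for the UDP placeholder '*:*'."""
    tail = endpoint.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None

def summarise(netstat_text):
    """Map PID -> listening ports and, per remote port, the distinct peers."""
    pids = defaultdict(lambda: {"listen": set(), "remote": defaultdict(set)})
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, local, foreign, state, pid = m.groups()
        entry = pids[int(pid)]
        if state == "LISTENING":
            entry["listen"].add(port_of(local))
        elif proto == "TCP" and port_of(foreign):
            entry["remote"][port_of(foreign)].add(foreign.rsplit(":", 1)[0])
    return pids

def suspicious(pids, max_listen=20, max_peers=10):
    """PIDs over either limit; both thresholds are assumptions to tune per host."""
    flagged = {}
    for pid, e in pids.items():
        reasons = []
        if len(e["listen"]) > max_listen:
            reasons.append(f"{len(e['listen'])} listening TCP ports")
        for port, peers in sorted(e["remote"].items()):
            if len(peers) > max_peers:
                reasons.append(f"{len(peers)} peers on remote port {port}")
        if reasons:
            flagged[pid] = reasons
    return flagged

# Constructed sample in the column layout of Windows `netstat -ano`.
SAMPLE = "\n".join(
    ["Active Connections", "", "  Proto  Local Address  Foreign Address  State  PID",
     "  TCP    0.0.0.0:135      0.0.0.0:0          LISTENING    884",
     "  UDP    0.0.0.0:500      *:*                             680"]
    + [f"  TCP    0.0.0.0:{p}  0.0.0.0:0  LISTENING  1716" for p in range(1025, 1065)]
    + [f"  TCP    10.0.0.5:{3000 + i}  192.0.2.{i}:443  SYN_SENT  1716" for i in range(1, 31)])

if __name__ == "__main__":
    print(suspicious(summarise(SAMPLE)))
```

A flagged PID is then resolved to its executable with `netstat -b` or one of the mapping tools named in the message.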