XP Attack tracking

From: Nick (npwMa_at_yahoo.com)
Date: 06/29/03


Date: Sun, 29 Jun 2003 07:35:11 -0700


This is the information tracked (remember that I didn't update the dll recently):
--------------------------------
A new DLL has been loaded by Generic Host Process for Win32 Services. This could happen if you have updated it recently. Do you want to allow it to access the network?
===============================

#The new DLLs have been loaded:
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\pchsvc.dll

To disable DLL Authentication go to the security tab
under the Tools, Options menu.

File Version : 5.1.2600.0 (xpclient.010817-1148)
File Description : Generic Host Process for Win32 Services
File Path : C:\WINDOWS\system32\svchost.exe
Process ID : 3C8 (Heximal) 968 (Decimal)

Connection origin : local initiated
Protocol : UDP
Local Address : 172.143.32.55
Local Port : 3086
Remote Name :
Remote Address : 239.255.255.250
Remote Port : 1900 (SSDP - Simple Service Discovery Protocol)

Ethernet packet details:
Ethernet II (Packet Length: 175)
        Destination: 04-00-20-00-04-00
        Source: 00-00-04-00-00-00
Type: IP (0x0800)
Internet Protocol
        Version: 4
        Header Length: 20 bytes
        Flags:
                .0.. = Don't fragment: Not set
                ..0. = More fragments: Not set
        Fragment offset:0
        Time to live: 1
        Protocol: 0x11 (UDP - User Datagram Protocol)
        Header checksum: 0x28f2 (Correct)
        Source: 172.143.32.55
        Destination: 239.255.255.250
User Datagram Protocol
        Source port: 3086
        Destination port: 1900
        Length: 8
        Checksum: 0xaf88 (Correct)
Data (141 Bytes)

Binary dump of the packet:
0000: 04 00 20 00 04 00 00 00 : 04 00 00 00 08 00 45 00 | .. ...........E.
0010: 00 A1 0A 63 00 00 01 11 : F2 28 AC 8F 20 37 EF FF | ...c.....(.. 7..
0020: FF FA 0C 0E 07 6C 00 8D : 88 AF 4D 2D 53 45 41 52 | .....l....M-SEAR
0030: 43 48 20 2A 20 48 54 54 : 50 2F 31 2E 31 0D 0A 48 | CH * HTTP/1.1..H
0040: 6F 73 74 3A 32 33 39 2E : 32 35 35 2E 32 35 35 2E | ost:239.255.255.
0050: 32 35 30 3A 31 39 30 30 : 0D 0A 53 54 3A 75 72 6E | 250:1900..ST:urn
0060: 3A 73 63 68 65 6D 61 73 : 2D 75 70 6E 70 2D 6F 72 | :schemas-upnp-or
0070: 67 3A 64 65 76 69 63 65 : 3A 49 6E 74 65 72 6E 65 | g:device:Interne
0080: 74 47 61 74 65 77 61 79 : 44 65 76 69 63 65 3A 31 | tGatewayDevice:1
0090: 0D 0A 4D 61 6E 3A 22 73 : 73 64 70 3A 64 69 73 63 | ..Man:"ssdp:disc
00A0: 6F 76 65 72 22 0D 0A 4D : 58 3A 33 0D 0A 0D 0A    | over"..MX:3....
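
Added here as a worked example, not part of Nick's post or of the firewall's output: a Python decoder that takes the hex dump above, walks Ethernet II / IPv4 / UDP, verifies both checksums from the bytes on the wire, and parses the SSDP M-SEARCH so the alert can be triaged from the packet itself rather than from the firewall's summary. The function names are my own, and the only input is the dump as printed in the post.

```python
# Hex columns of the firewall dump in the post above (the ASCII column is dropped by parse_dump if present).
HEXDUMP = """0000: 04 00 20 00 04 00 00 00 : 04 00 00 00 08 00 45 00
0010: 00 A1 0A 63 00 00 01 11 : F2 28 AC 8F 20 37 EF FF
0020: FF FA 0C 0E 07 6C 00 8D : 88 AF 4D 2D 53 45 41 52
0030: 43 48 20 2A 20 48 54 54 : 50 2F 31 2E 31 0D 0A 48
0040: 6F 73 74 3A 32 33 39 2E : 32 35 35 2E 32 35 35 2E
0050: 32 35 30 3A 31 39 30 30 : 0D 0A 53 54 3A 75 72 6E
0060: 3A 73 63 68 65 6D 61 73 : 2D 75 70 6E 70 2D 6F 72
0070: 67 3A 64 65 76 69 63 65 : 3A 49 6E 74 65 72 6E 65
0080: 74 47 61 74 65 77 61 79 : 44 65 76 69 63 65 3A 31
0090: 0D 0A 4D 61 6E 3A 22 73 : 73 64 70 3A 64 69 73 63
00A0: 6F 76 65 72 22 0D 0A 4D : 58 3A 33 0D 0A 0D 0A"""

def parse_dump(text):
    """'OFFSET: xx xx : xx xx | ascii' lines -> raw frame bytes (offset and ASCII column dropped)."""
    hexparts = [ln.split(":", 1)[1].split("|")[0] for ln in text.strip().splitlines()]
    return bytes.fromhex(" ".join(hexparts).replace(":", " "))

def checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 when a stored checksum verifies."""
    words = data + b"\x00" * (len(data) % 2)          # pad an odd trailing byte with zero
    total = sum(int.from_bytes(words[i:i + 2], "big") for i in range(0, len(words), 2))
    while total >> 16:                                 # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode(frame):
    """Decode Ethernet II / IPv4 / UDP / SSDP and verify both checksums from the wire bytes."""
    ip = frame[14:]                                    # Ethernet II header is 14 bytes
    ihl, total_len = (ip[0] & 0x0F) * 4, int.from_bytes(ip[2:4], "big")
    udp = ip[ihl:total_len]                            # UDP header + data (141 bytes here)
    pseudo = ip[12:20] + b"\x00" + ip[9:10] + udp[4:6] # src, dst, zero, proto, UDP length
    request, _, rest = udp[8:].decode("ascii", "replace").partition("\r\n")
    headers = {k.strip(): v.strip() for k, _, v in
               (h.partition(":") for h in rest.split("\r\n")) if k}
    return {
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "ttl": ip[8], "sport": int.from_bytes(udp[:2], "big"),
        "dport": int.from_bytes(udp[2:4], "big"),
        "ip_checksum_ok": checksum(ip[:ihl]) == 0,
        "udp_checksum_ok": checksum(pseudo + udp) == 0,
        "request": request, "headers": headers,
    }

def triage(pkt):
    """Defender's read: a multicast M-SEARCH with TTL 1 is the host's own UPnP discovery."""
    if ((pkt["dst"], pkt["dport"], pkt["ttl"]) == ("239.255.255.250", 1900, 1)
            and pkt["request"].startswith("M-SEARCH") and pkt["udp_checksum_ok"]):
        return "outbound SSDP discovery for " + pkt["headers"].get("ST", "?")
    return "not a plain SSDP discovery: review"
```

Run `triage(decode(parse_dump(HEXDUMP)))`. Note that the firewall prints the checksum fields byte-swapped (0x28f2 and 0xaf88); on the wire they are F2 28 and 88 AF, and both verify against the actual bytes.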


