Re: port 139/445 traffic not picked up by antivirus

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 08/25/04

    Date: Wed, 25 Aug 2004 06:21:32 -0400

    I would be surprised if a two week old virus wasn't in the anti-virus
    updates yet. Try a second opinion scan by going to
    http://housecall.antivirus.com. Also try running an anti-virus scan of the
    server from another Windows computer across the network. It is possible
    that whatever it is is using Windows rootkit functionality to hide files,
    registry values, processes, services and/or ports from the local GUI, and
    scanning remotely often allows you to find the hidden files.

    Free firewalls like www.sygate.com, www.kerio.com and/or www.zonealarm.com
    should tell you which executable is generating that traffic.
    www.sysinternals.com has a variety of tools that should help you, such as
    filemon and process explorer to show you what files are being accessed.
    Search Google for the free tools Silent Runners and RKDetect and run them.
    Look at the startup locations on the server using Silent Runners and/or one
    of these startup tools:

    http://securityadmin.info/faq.asp#startup

    You could also press CTRL-ALT-DELETE to bring up Task Manager and tell us
    the name of all the processes in the list. For example, if you find one
    that is using up a lot of CPU time, or you find one whose name brings up few
    or no hits in Google not counting discussions about viruses, then that file
    is likely malicious. Note that using file name alone is not a reliable way
    to tell which virus it is, but it can sometimes be used to tell whether a
    file is abnormal.

    Here are some other links that may help:

    http://securityadmin.info/faq.asp#hacked
    http://securityadmin.info/faq.asp#re-secure
    http://securityadmin.info/faq.asp#harden

    "Tom" <anonymous@discussions.microsoft.com> wrote in message
    news:be9901c489cb$7d3e7c70$a501280a@phx.gbl...
    > Having a lot of 139/445 traffic in my network, so much
    > that when this virus runs on one of the servers it gets an
    > event ID 2022 - out of connections. All patches and updates
    > have been loaded. Been in contact with Trend; they picked
    > up some spyware appending to secfind.exe, but haven't
    > fixed it as yet. We have a mixed environment, Win2k and XP.
    > This only affects the Win2k. Win2k security problem?
    >
    > Have spoken to Microsoft in S.Africa but they only have a
    > sweet and rather charming Gal to help you with virus
    > removal tools etc but nowhere to escalate to.
    >
    > Been hacking at this for 2 weeks now!!!!!!!!!!
    >
    >
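The triage Karl describes (work out which executable owns the 139/445 connections, then get its name so it can be looked up) can be scripted over the output of two built-in commands. The following is an added example, not code from the thread or from any tool named in it. It assumes `netstat -ano` and `tasklist` text as input (both show a PID column only on XP/2003 and later; on Windows 2000 the same PID-to-socket view comes from Sysinternals TCPView, which the reply already points to). Every sample line, the addresses and the process name `unknown_svc.exe` are constructed placeholders.

```python
"""Attribute outbound 139/445 connection attempts to the owning process.

Added example: parses `netstat -ano` and `tasklist` text, counts outbound
connections to TCP 139/445 per PID, and flags PIDs that are talking to many
distinct hosts (a worm or scanner profile: many SYN_SENT to different
machines). Inbound connections to our own SMB ports are ignored, since they
belong to the Server service, not to a scanning process.
"""
import re
from collections import Counter, defaultdict

SMB_PORTS = {139, 445}

# Constructed `netstat -ano` output (not captured from any real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       728
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.1.40.5:1049         10.1.40.17:445         SYN_SENT        1860
  TCP    10.1.40.5:1050         10.1.40.18:445         SYN_SENT        1860
  TCP    10.1.40.5:1051         10.1.40.19:139         SYN_SENT        1860
  TCP    10.1.40.5:1052         10.1.40.20:445         ESTABLISHED     1860
  TCP    10.1.40.5:139          10.1.40.9:2213         ESTABLISHED     4
  TCP    10.1.40.5:3389         10.1.40.2:1112         ESTABLISHED     1204
  UDP    0.0.0.0:500            *:*                                    624
"""

# Constructed `tasklist` output; "unknown_svc.exe" is a placeholder name.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
lsass.exe                      624 Console                    0      1,204 K
svchost.exe                    728 Console                    0      3,480 K
svchost.exe                   1204 Console                    0      2,912 K
unknown_svc.exe               1860 Console                    0      1,776 K
"""

# TCP rows only: header, blank and UDP rows do not match.
TCP_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+)"
    r"\s+(?P<state>[A-Z_]+)\s+(?P<pid>\d+)\s*$"
)
# Image name may contain spaces ("System Idle Process"), so match lazily
# up to the numeric PID column.
TASK_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_netstat(text):
    """Return a list of TCP socket rows with integer ports and PID."""
    rows = []
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("lport", "rport", "pid"):
                d[k] = int(d[k])
            rows.append(d)
    return rows


def parse_tasklist(text):
    """Return {pid: image name} from tasklist output."""
    procs = {}
    for line in text.splitlines():
        m = TASK_RE.match(line)
        if m:
            procs[int(m.group("pid"))] = m.group("image")
    return procs


def smb_outbound_by_pid(rows):
    """Count outbound connections to 139/445 per PID and collect target hosts."""
    counts, half_open, targets = Counter(), Counter(), defaultdict(set)
    for r in rows:
        if r["state"] == "LISTENING" or r["rport"] not in SMB_PORTS:
            continue
        counts[r["pid"]] += 1
        targets[r["pid"]].add(r["raddr"])
        if r["state"] == "SYN_SENT":
            half_open[r["pid"]] += 1
    return counts, half_open, targets


def triage(netstat_text, tasklist_text, min_hosts=3):
    """Report PIDs reaching SMB ports on at least `min_hosts` distinct hosts."""
    counts, half_open, targets = smb_outbound_by_pid(parse_netstat(netstat_text))
    procs = parse_tasklist(tasklist_text)
    report = []
    for pid, n in counts.most_common():
        if len(targets[pid]) >= min_hosts:
            report.append({"pid": pid, "image": procs.get(pid, "<unknown>"),
                           "connections": n, "distinct_hosts": len(targets[pid]),
                           "half_open": half_open[pid]})
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(entry)
```

Run against a real capture by replacing the two sample strings with the saved command output; the image name the report returns is what you would then check against the startup locations and search for, as the reply suggests, rather than treating the name itself as proof of infection.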

