Network Security: Detailed info on Re: Port Zero

Subject:	Re: Port Zero
Date:	Tue, 19 Jul 2005 07:38:23 -0700 (PDT)

I had in incident yesterday (18 June 2005), where a
client's Windows box listed almost every possible
port as open, listening in the same way described
above. Similiar netstat -an output as above. From my
experience this isn't normal.

A few hours later the machine rapidly starting
sending packets to random addresses on port 443.

What could this possibly be? Is it a
virus/backdoor/something malicious?


Well, there is a way to find out.  One tool to use is
Foundstone's fport.exe, but I prefer DiamondCS's
openports.exe.  These tools are used for
process-to-port mapping; ie, determining which
processes on the system are using which port.

If the client's system is/was Windows XP, take a look
at the output of "netstat /?", paying particular
attention to the '-o' and '-b' options.

Harlan


------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------

<Prev in Thread]	Current Thread	[Next in Thread>
Re: Port Zero, (continued) Re: Port Zero, Lee Dilkie mysql attack, Pall Thayer Re: mysql attack, Joel Esler Re: mysql attack, W. Guhan Iyer Re: mysql attack, Pall Thayer Re: Port Zero, Pieter de Boer RE: Port Zero, Wimpie du Plessis Re: Port Zero, windows RE: Port Zero, Jim Harrison (ISA) Re: Port Zero, nony101 Re: Port Zero, Harlan Carvey <= Re: Port Zero, Andrew Simmons

Previous by Date:	Re: Port Zero, nony101
Next by Date:	Re: Port Zero, Andrew Simmons
Previous by Thread:	Re: Port Zero, nony101
Next by Thread:	Re: Port Zero, Andrew Simmons
Indexes:	[Date] [Thread] [Top] [All Lists]