lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: milicia at brics.dk (Giuseppe Milicia)
Subject: Lots of traffic on port 1472 from explorer

Guys,

thanks a lot for the tips, indeed there was a KLP keylogger.

I removed it, but it seems that something else is amiss,
I still see lots of traffic from explorer.exe on the 1472 port.

> > from a home computer I'm seeing lots of traffic
> > generated from
> > explorer on port 1472 towards the microsoft-ds port,
> > typically
> > on IP addresses starting with 35.xx.xx.xx
>
> This isn't clear...is it coming from a system you have
> control of?  I'm going to assume that this is the
> case, since it seems you were able to run some kind of
> port to process mapping tool.

The traffic is indeed coming from a system I have control of,
I still have no dumps though. I can see nothing worrying apart
from the aforementioned keylogger which has now been removed

> > It looks like a worm but I could not find any
> > references around
> > and Trend Micro detects nothing.
>
> What makes you say that it looks like a worm?  What
> kind of activity are you seeing?  Do you have
> captures?

Lots of data is transferred from my computer to the outside world,
pretty much all to addresses in the 35.xx.xx.xx range on the
microsoft-ds port. Huge amount of short lived connections.
I thought it looked like worm activity but I might be wrong.

Thanks!

--
Giuseppe

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ