| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAA4nMfdrDfzUmGWYpeSwubl8KAAAAQAAAAnhTui+fezkqFHzHRygElyAEAAAAA@uni.de> From: iss at uni.de (iss@....de) Subject: strange traffic ? > Dear list, > i am seeing strange traffic ... first something connects to > 139 on windows workstation ... 2 packets causes the svchost to crash. > and then i start seeing traffic to port 4444 from the same ip. Sounds like a lovesan variation or some RPC-exploit. Are you sure port 139 is used and not 135?? > what is this traffic i am seeing ? any new kind of malware > trying to open of port 4444 with the initial vector of > infection on port 139 ? Ever tried to netcat to port 4444 on this machine? > the machine is fully patched and protected by firewall from > outside world with a sniffer logging all the data ie scr, dst > ip and ports numbers ( this is how i know the above info ) Well then, the attacker must be in you local lan. Please provide more information / logfiles Marco Ellmann mailto:iss@....de -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 2876 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040326/7e65d105/smime.bin
Powered by blists - more mailing lists