lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAA4nMfdrDfzUmGWYpeSwubl8KAAAAQAAAAnhTui+fezkqFHzHRygElyAEAAAAA@uni.de>
From: iss at uni.de (iss@....de)
Subject: strange traffic ?

> Dear list,
> i am seeing strange traffic ... first something connects to 
> 139 on windows workstation ... 2 packets causes the svchost to crash.
> and then i start seeing traffic to port 4444 from the same ip.

Sounds like a lovesan variation or some RPC-exploit. Are you sure port 139
is used and not 135??
  
> what is this traffic i am seeing ? any new kind of malware 
> trying to open of port 4444 with the initial vector of 
> infection on port 139 ?

Ever tried to netcat to port 4444 on this machine?

> the machine is fully patched and protected by firewall from 
> outside world with a sniffer logging all the data ie scr, dst 
> ip and ports numbers ( this is how i know the above info ) 
  
Well then, the attacker must be in you local lan. Please provide more
information / logfiles


Marco Ellmann
mailto:iss@....de

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2876 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040326/7e65d105/smime.bin

Powered by blists - more mailing lists