lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <ELEOLHOJFMBPBFCJHOCIGENDDOAA.aditya.deshmukh@online.gateway.technolabs.net>
From: aditya.deshmukh at online.gateway.technolabs.net (Aditya, ALD [Aditya Lalit Deshmukh])
Subject: strange traffic ?

to rutz@...SupportCenter.com : 

the sniffer that i has was only logging the headers and not the actual data ... so i cannot help you there, now have configured it to log all such traffic, will come back if i manage to capture any packet data

also the jono@...roshaft.org netcat idea is good as suggested but i am already using ethereal so i will be able to have exactly what we are looking for ...



and i agree with the jimmy.kuijpers@...ft.com saying that this might a virus like on port 4444 
from a whole list of them.

michaelx.ham@...el.com, some version of W32.Blaster.Worm: ok but since i am already patched 039 patch even then there are attempts to connect to port 4444, i thought that after 139 vertor failed there was no 4444 connect attempt...


nicola@...vacchio.it: this traffic is comming from the internet and this machine is on a public internet ip. and machine is protected by firewalls like kerio and sygate along with netbios and other carp disconnected from the public ip


iss@....de: this is port 139 ( confirmed again ) .... and not port 135


and the initial connect attempt on port 139 is attack vertor.
this used to occur only when i used to bring down sygate firewall... there are other firewalls that prevent the comprmise and the sinffer is capturing the data....


thanks for the answers, will get back to the list when i have any packet data captured with other details also like the machine name / ip and period of connections and frequency. 

- this raised my suspicions because the frequency of the connect attempts on port 139 followed by multiple attempts on port 4444 

thanks guys once again.

-aditya


________________________________________________________________________
Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)


Powered by blists - more mailing lists