lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: keydet89 at yahoo.com (Harlan Carvey)
Subject: Lots of traffic on port 1472 from explorer

Giuseppe,

> from a home computer I'm seeing lots of traffic
> generated from
> explorer on port 1472 towards the microsoft-ds port,
> typically
> on IP addresses starting with 35.xx.xx.xx

This isn't clear...is it coming from a system you have
control of?  I'm going to assume that this is the
case, since it seems you were able to run some kind of
port to process mapping tool.

> It looks like a worm but I could not find any
> references around
> and Trend Micro detects nothing.

What makes you say that it looks like a worm?  What
kind of activity are you seeing?  Do you have
captures?

> Also there is some hidden process oakklp32.exe which
> is not shown
> by the taskmanager but is costantly active, again I
> could not find anything about it!

How is the process hidden?  Just b/c it doesn't appear
in the Task Manager doesn't mean that it's
hidden...after all, you found it somehow.  

And I'm not surprised that you're not finding anything
about it, as processes can be named anything.
 
> Ideas? Clues?

Where is the executable located on your system?  Do
you have a copy of it?  If not, why?  If you do, have
you run strings.exe against the file, or have you done
any other analysis?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ