lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: uberguidoz at gmail.com (GuidoZ)
Subject: Lots of traffic on port 1472 from explorer

Hello Giuseppe, at first glance it sounds like a keylogger, though it
could be anything. Are you able to locate that file on your system? If
so, try getting the properties of it and see what information is
available under the Version tab. Also, you can try opening it up in
Notepad to see what you can make of the API calls and such inside.

You should also try to locate where it's being started from. Check
through the Registry run keys and such - try to see what's linking it
and maybe Google that for some answers.

We know that file names can be deceiving, however some quick Google
hunting showed it might be this keylogger: http://www.keylogpro.com/
(Runs as klp32.exe by default. Name is easily changed.) See what other
information you can gather.

Might want to try killing the EXE and see if anything fails to work.
If you find it in a run key/startup location, disable or delete it
(make a backup to be safe) and see if something doesn't work.


On Tue, 21 Sep 2004 21:13:57 +0200, Giuseppe Milicia <milicia@...cs.dk> wrote:
> Hi guys,
> 
> from a home computer I'm seeing lots of traffic generated from
> explorer on port 1472 towards the microsoft-ds port, typically
> on IP addresses starting with 35.xx.xx.xx
> 
> It looks like a worm but I could not find any references around
> and Trend Micro detects nothing.
> 
> Also there is some hidden process oakklp32.exe which is not shown
> by the taskmanager but is costantly active, again I could not
> find anything about it!
> 
> Ideas? Clues?
> 
> Thanks,
> 
> --
> Giuseppe
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 



-- 
Peace. ~G

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ