lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <b7bc1b1f04092122255c9de1af@mail.gmail.com>
From: uberguidoz at gmail.com (GuidoZ)
Subject: Lots of traffic on port 1472 from explorer

I'd definately recommend capturing some of this traffic to see what is
being transmitted. (Harlan is right on.) It's one of the few things
that would great;y help know what is going on.

Something else you can try - make sure your shell command hasn't been
modified in the registry. Also, double check and make sure that the
current "explorer.exe" is the correct one from Microsoft. (Getting the
properties can help, although using a hex editor or resource hacker,
you can change small things without affecting the EXE as a whole.)

What is the OS? Maybe run SFC against it and see what it says. Beyond
that, traffic capture would be very helpful.

--
Peace. ~G


On Tue, 21 Sep 2004 16:59:08 -0700 (PDT), Harlan Carvey
<keydet89@...oo.com> wrote:
> > I removed it, but it seems that something else is
> > amiss,
> > I still see lots of traffic from explorer.exe on the
> > 1472 port.
> 
> Have you captured any of this traffic?
> 
> 
> > The traffic is indeed coming from a system I have
> > control of,
> > I still have no dumps though. I can see nothing
> > worrying apart
> > from the aforementioned keylogger which has now been
> > removed
> 
> Not even this other traffic you've mentioned?
> 
> > Lots of data is transferred from my computer to the
> > outside world,
> > pretty much all to addresses in the 35.xx.xx.xx
> > range on the
> > microsoft-ds port. Huge amount of short lived
> > connections.
> > I thought it looked like worm activity but I might
> > be wrong.
> 
> Or you might not be.  Again, have you captured any of
> the traffic?
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 



-- 
Peace. ~G

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ