RE: [Full-Disclosure] strange traffic ?
- To: <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: RE: [Full-Disclosure] strange traffic ?
- From: "Aditya, ALD [Aditya Lalit Deshmukh]" <aditya.deshmukh@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 27 Mar 2004 10:31:43 +0530
to rutz@xxxxxxxxxxxxxxxxxxxx :
the sniffer that i had was only logging the headers and not the actual data ...
so i cannot help you there, now have configured it to log all such traffic,
will come back if i manage to capture any packet data
also the jono@xxxxxxxxxxxxxx netcat idea is good as suggested but i am already
using ethereal so i will be able to have exactly what we are looking for ...
and i agree with the jimmy.kuijpers@xxxxxxxxx saying that this might be a virus
like on port 4444
from a whole list of them.
michaelx.ham@xxxxxxxxx, some version of W32.Blaster.Worm: ok but since i am
already patched 039 patch even then there are attempts to connect to port 4444,
i thought that after the 139 vector failed there was no 4444 connect attempt...
nicola@xxxxxxxxxxxxx: this traffic is coming from the internet and this
machine is on a public internet ip. and the machine is protected by firewalls like
kerio and sygate along with netbios and other crap disconnected from the public
ip
iss@xxxxxx: this is port 139 ( confirmed again ) .... and not port 135
and the initial connect attempt on port 139 is the attack vector.
this used to occur only when i used to bring down sygate firewall... there are
other firewalls that prevent the compromise and the sniffer is capturing the
data....
thanks for the answers, will get back to the list when i have any packet data
captured with other details also like the machine name / ip and period of
connections and frequency.
- this raised my suspicions because the frequency of the connect attempts on
port 139 followed by multiple attempts on port 4444
thanks guys once again.
-aditya
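The pattern the poster describes (a connect attempt on port 139 followed shortly by several attempts on port 4444 from the same source) is easy to correlate once the firewall or sniffer logs are in hand. The following is an added example, not code from the original post or from any of the tools it mentions (ethereal, kerio, sygate); it parses constructed log lines in an assumed `src=... dport=... action=...` format and flags sources that show the 139-then-4444 sequence within a time window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (assumed format, not real captures from the post):
# "<date> <time> src=<ip> dport=<port> action=<blocked|allowed>"
SAMPLE_LOG = """\
2004-03-27 09:58:01 src=203.0.113.7 dport=139 action=blocked
2004-03-27 09:58:02 src=203.0.113.7 dport=4444 action=blocked
2004-03-27 09:58:02 src=203.0.113.7 dport=4444 action=blocked
2004-03-27 09:58:03 src=203.0.113.7 dport=4444 action=blocked
2004-03-27 10:02:10 src=198.51.100.20 dport=139 action=blocked
2004-03-27 10:30:44 src=198.51.100.20 dport=4444 action=blocked
2004-03-27 10:05:00 src=192.0.2.55 dport=80 action=allowed
2004-03-27 10:06:00 src=192.0.2.55 dport=4444 action=blocked
"""

LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) dport=(\d+) action=(\w+)$")


def parse(log_text):
    """Turn log lines into (timestamp, src_ip, dst_port, action) tuples, sorted by time.
    Lines that do not match the assumed format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), int(m.group(3)), m.group(4)))
    events.sort(key=lambda e: e[0])
    return events


def find_sequences(events, first_port=139, second_port=4444,
                   window_seconds=300, min_followups=2):
    """Return {src_ip: followup_count} for every source whose attempt on
    first_port is followed, within window_seconds, by at least min_followups
    attempts on second_port. A second_port attempt with no preceding
    first_port attempt from that source is ignored, so lone 4444 probes
    do not trigger on their own."""
    last_first = {}                 # src -> time of most recent first_port attempt
    followups = defaultdict(int)    # src -> second_port attempts after that
    hits = defaultdict(int)         # src -> best followup count seen
    for ts, src, dport, _action in events:
        if dport == first_port:
            last_first[src] = ts
            followups[src] = 0
        elif dport == second_port and src in last_first:
            if (ts - last_first[src]).total_seconds() <= window_seconds:
                followups[src] += 1
                hits[src] = max(hits[src], followups[src])
    return {src: n for src, n in hits.items() if n >= min_followups}


if __name__ == "__main__":
    for src, n in find_sequences(parse(SAMPLE_LOG)).items():
        print(f"{src}: port 139 attempt followed by {n} port 4444 attempts")
```

On the constructed sample, only `203.0.113.7` is flagged: `198.51.100.20` sends its 4444 probe half an hour after the 139 attempt, outside the 300-second window, and `192.0.2.55` probes 4444 with no prior 139 attempt. As the poster notes, the 4444 attempts continue even against a patched host, so a match here identifies a scanning source worth blocking and watching, not evidence that the local machine was compromised.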