Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: [Full-Disclosure] Lots of traffic on port 1472 from explorer
From: GuidoZ (uberguidozgmail.com)
Date: Wed Sep 22 2004 - 00:25:38 CDT
I'd definately recommend capturing some of this traffic to see what is
being transmitted. (Harlan is right on.) It's one of the few things
that would great;y help know what is going on.
Something else you can try - make sure your shell command hasn't been
modified in the registry. Also, double check and make sure that the
current "explorer.exe" is the correct one from Microsoft. (Getting the
properties can help, although using a hex editor or resource hacker,
you can change small things without affecting the EXE as a whole.)
What is the OS? Maybe run SFC against it and see what it says. Beyond
that, traffic capture would be very helpful.
On Tue, 21 Sep 2004 16:59:08 -0700 (PDT), Harlan Carvey
> > I removed it, but it seems that something else is
> > amiss,
> > I still see lots of traffic from explorer.exe on the
> > 1472 port.
> Have you captured any of this traffic?
> > The traffic is indeed coming from a system I have
> > control of,
> > I still have no dumps though. I can see nothing
> > worrying apart
> > from the aforementioned keylogger which has now been
> > removed
> Not even this other traffic you've mentioned?
> > Lots of data is transferred from my computer to the
> > outside world,
> > pretty much all to addresses in the 35.xx.xx.xx
> > range on the
> > microsoft-ds port. Huge amount of short lived
> > connections.
> > I thought it looked like worm activity but I might
> > be wrong.
> Or you might not be. Again, have you captured any of
> the traffic?
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Full-Disclosure - We believe in it.