OSEC

Re: strange windows behaviour.

From: H Carvey (keydet89yahoo.com)
Date: Wed Oct 08 2003 - 08:52:58 CDT


In-Reply-To: <1065470713.644.51.camellocalhost>

Peter,

Maybe we can figure this out if we look at it from another perspective...

>I've been trying to find information on this, but the most I've been
>able to come up with is an advisory from Symantec's threat management
>system saying Mprox (some sort of MS proxy) is to blame. None of the
>machines I've gone and examined have had this program running or on the
>system anywhere for that matter.

You've said that you've gone and looked at some of the machines...what did you find? I know you didn't find the proxy stuff you were looking for...but what *did* you find? The traffic has to be coming from somewhere, right? One would think that there would have to be a process of some kind generating the traffic.

What is the OS of the clients you're dealing with? What is your IR (or as you mentioned, forensics) methodology? What data are you collecting, and how are you collecting it? Do you have any process information that others can view...or the output of process-to-port mapping tools?

Sometimes, asking if anyone else has seen this sort of thing can be useful, but it does not replace good IR and troubleshooting skills.

Harlan
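Collecting a process-to-port mapping is the concrete step the questions above point at. As an added example (not from this thread or its authors), the Python below joins constructed `netstat -ano` and `tasklist` output so a responder can see which image owns each connection to the host seen in the suspicious traffic; it assumes those two commands were captured as plain text on the affected client.

```python
"""Process-to-port mapping from captured Windows command output.

Assumes the responder saved `netstat -ano` and `tasklist` output as text.
Both samples below are constructed for the example, not real data.
"""
import re

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.20:1043      10.0.0.5:8080          ESTABLISHED     1412
  TCP    192.168.1.20:1051      10.0.0.5:8080          SYN_SENT        1412
  UDP    0.0.0.0:445            *:*                                    4
"""

TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         28 K
svchost.exe                    900 Console                    0      4,512 K
unknown.exe                   1412 Console                    0      2,048 K
"""

# State column is absent for UDP rows, so it is optional in the pattern.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# Header and separator rows have no PID/session/memory digits and do not match.
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+(\S+)\s+(\d+)\s+([\d,]+) K\s*$")


def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) for each connection row."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append((proto, local, foreign, state or "", int(pid)))
    return rows


def parse_tasklist(text):
    """Return {pid: image name} from tasklist output."""
    return {int(m.group(2)): m.group(1).strip()
            for m in map(TASKLIST_RE.match, text.splitlines()) if m}


def map_connections(netstat_text, tasklist_text):
    """Join each connection to its owning image; a PID netstat reports but
    tasklist lacks is flagged, since that gap itself needs following up."""
    procs = parse_tasklist(tasklist_text)
    return [(proto, local, foreign, state, pid, procs.get(pid, "<no such PID>"))
            for proto, local, foreign, state, pid in parse_netstat(netstat_text)]


def connections_to(netstat_text, tasklist_text, remote_host):
    """Distinct (pid, image) pairs with a connection to remote_host."""
    return sorted({(pid, image) for _, _, foreign, _, pid, image
                   in map_connections(netstat_text, tasklist_text)
                   if foreign.rsplit(":", 1)[0] == remote_host})
```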
