Re: Port Zero
From: Harlan Carvey (keydet89 yahoo.com)
Date: Tue Jul 19 2005 - 09:38:23 CDT
> I had an incident yesterday (18 June 2005), where a
> client's Windows box listed almost every possible
> port as open, listening in the same way described
> above. Similar netstat -an output as above. From my
> experience this isn't normal.
>
> A few hours later the machine rapidly started
> sending packets to random addresses on port 443.
>
> What could this possibly be? Is it a
> virus/backdoor/something malicious?

Well, there is a way to find out. One tool to use is
Foundstone's fport.exe, but I prefer DiamondCS's
openports.exe. These tools are used for
process-to-port mapping; i.e., determining which
processes on the system are using which port.

If the client's system is/was Windows XP, take a look
at the output of "netstat /?", paying particular
attention to the '-o' and '-b' options.

Harlan
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
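
Added example, not part of the original message: a sketch of the process-to-port mapping described above, grouping saved "netstat -ano" output by owning PID and reporting any PID that holds an unusual number of listening ports, together with the remote hosts it is contacting on port 443. The sample output and the listen_threshold parameter are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not from the original post).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1972
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       1972
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING       1972
  TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING       1972
  TCP    192.168.1.10:1045      203.0.113.7:443        SYN_SENT        1972
  TCP    192.168.1.10:1046      198.51.100.23:443      SYN_SENT        1972
  UDP    0.0.0.0:445            *:*                                    4
"""

# Proto, local addr:port, foreign addr, optional state (UDP rows have none), PID.
ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$")

def parse(text):
    """Yield (proto, local_port, foreign, state, pid) for each connection row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, _addr, port, foreign, state, pid = m.groups()
            yield proto, int(port), foreign, state or "", int(pid)

def summarize(text, listen_threshold=3):
    """Return PIDs holding more than listen_threshold listening ports."""
    listeners = defaultdict(set)      # pid -> listening local ports
    remote_443 = defaultdict(set)     # pid -> remote hosts contacted on 443
    for proto, port, foreign, state, pid in parse(text):
        if state == "LISTENING":
            listeners[pid].add(port)
        elif proto == "TCP" and foreign.endswith(":443"):
            remote_443[pid].add(foreign.rsplit(":", 1)[0])
    return {pid: {"listening": sorted(ports),
                  "remote_443": sorted(remote_443[pid])}
            for pid, ports in listeners.items() if len(ports) > listen_threshold}

if __name__ == "__main__":
    for pid, info in summarize(SAMPLE).items():
        print(f"PID {pid}: {len(info['listening'])} listeners, "
              f"443 peers: {', '.join(info['remote_443']) or 'none'}")
```

Any PID it reports still has to be matched to a process image before drawing conclusions, which is what the '-b' option and the tools named above provide.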