Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: strange traffic ?
From: Nicola Del Vacchio <nicola () delvacchio it>
Date: Fri, 26 Mar 2004 17:54:41 +0100

Il ven, 2004-03-26 alle 16:32, Aditya, ALD [Aditya Lalit Deshmukh] ha
scritto:
Dear list,
i am seeing strange traffic ... first something connects to 139 on
windows workstation ... 2 packets causes the svchost to crash.
and then i start seeing traffic to port 4444 from the same ip.
 

from what source the 139 (UDP or TCP) traffic is coming (internal lan?
dmz? RAS? firewall?????)

what is the direction of the traffic on port 4444 (TCP or UDP?) fom
attacker to workstation or workstation to attacker?

what is this traffic i am seeing ? any new kind of malware trying to
open of port 4444 with the initial vector of infection on port 139 ?
 
 
the machine is fully patched and protected by firewall from outside
world with a sniffer logging all the data ie scr, dst ip and ports
numbers ( this is how i know the above info ) 
 
a machine is fully patched only with released patches ;-)



and nothing suspecipous is there on the machine also ... since the
machine is under heavy watch anything unsual would be caught
immediatly.... 
 
 
yes, a trace will be apreciated...


ciao
nicola


-aditya

Delivered using the Free Personal Edition of Mailtraq
(www.mailtraq.com)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault