[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] Lots of traffic on port 1472 from explorer
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] Lots of traffic on port 1472 from explorer
- From: Giuseppe Milicia <milicia@xxxxxxxx>
- Date: Wed, 22 Sep 2004 00:21:58 +0200
Guys,
thanks a lot for the tips, indeed there was a KLP keylogger.
I removed it, but it seems that something else is amiss,
I still see lots of traffic from explorer.exe on the 1472 port.
> > from a home computer I'm seeing lots of traffic
> > generated from
> > explorer on port 1472 towards the microsoft-ds port,
> > typically
> > on IP addresses starting with 35.xx.xx.xx
>
> This isn't clear...is it coming from a system you have
> control of? I'm going to assume that this is the
> case, since it seems you were able to run some kind of
> port to process mapping tool.
The traffic is indeed coming from a system I have control of,
I still have no dumps though. I can see nothing worrying apart
from the aforementioned keylogger which has now been removed
> > It looks like a worm but I could not find any
> > references around
> > and Trend Micro detects nothing.
>
> What makes you say that it looks like a worm? What
> kind of activity are you seeing? Do you have
> captures?
Lots of data is transferred from my computer to the outside world,
pretty much all to addresses in the 35.xx.xx.xx range on the
microsoft-ds port. Huge amount of short lived connections.
I thought it looked like worm activity but I might be wrong.
Thanks!
--
Giuseppe
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html