Try fport, track it back to the apps running on that port...that's where you start. Then scan those files and/or monitor traffic.
Ken Director of Rapid Response Team -----Original Message----- From: Ted Pham [mailto:[EMAIL PROTECTED] Sent: Thursday, July 06, 2006 9:51 PM To: [EMAIL PROTECTED] Cc: [email protected] Subject: Re: Outbound Connections > The [System] process (PID 4 on this Windows XP Pro Box) is making > strange outbound connections to unknown IP address spaces on one of our machines. > It tries to connect to port 139 and 445. Is there any way to figure > out what is causing the system process to do this? The connections do > not seem to be successful. The Packet trace shows the outbound SYS > and then nothing. Any help would be appreciated! > > > Thanks! I haven't actually tested this on a compromised system before, but it's worth a shot. 1) Get Process Explorer from www.sysinternals.com 2) Run Process Explorer. 3) Right click the System process and choose Properties. 4) On the TCP/IP tab, locate one of the strange outbound connections and then hit the Stack button. Hopefully whatever driver or dll opening the connections is listed on the thread stack. Then again, if it's clver the thing could be cloaking itself. In that case try Rootkit Revealer. Good luck, Ted ---------------------------------------------------------------------------- -- This List Sponsored by: Black Hat Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas. World renowned security experts reveal tomorrow's threats today. Free of vendor pitches, the Briefings are designed to be pragmatic regardless of your security environment. Featuring 36 hands-on training courses and 10 conference tracks, networking opportunities with over 2,500 delegates from 40+ nations. http://www.blackhat.com ---------------------------------------------------------------------------- -- ------------------------------------------------------------------------------ This List Sponsored by: Black Hat Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas. World renowned security experts reveal tomorrow's threats today. Free of vendor pitches, the Briefings are designed to be pragmatic regardless of your security environment. Featuring 36 hands-on training courses and 10 conference tracks, networking opportunities with over 2,500 delegates from 40+ nations. http://www.blackhat.com ------------------------------------------------------------------------------
