Re: Weird UDP traffic

From: George Bakos (alpinistaat_private)
Date: Thu Jul 12 2001 - 17:07:58 PDT


    Try fport from:
    http://www.foundstone.com/rdlabs/tools.php?category=Forensic
    
    or sysinternals' tdimon.
    
    Nice paper on using fport at:
    http://www.sans.org/infosecFAQ/sysadmin/fport.htm
    
    gb
    
    On 10 Jul 2001, at 15:00, Jacques Exelrud wrote:
    
    > 	I'm using ZoneAlarm on a machine. Starting some days ago the alert log
    > started to show a UDP connection from my machine to my machine (denied by
    > ZoneAlarm)
    > 	The UDP port is 10000.
    
    <-------snip----------->
    
    > 
    > 	Some of them are known but others are, at least, suspicious.
    > 
    > 	Any suggestions on how to find who owns those ports? ZoneAlarm does not
    > bother me with them so I suspect that who owns them is services.exe or other
    > Win2000 programs that have been allowed to act like a server.
    > 
    > 	Thanks in advance,
    > 	Jacques
    
    
    
    


