RE: Probes to strange ports

From: H C (keydet89at_private)
Date: Wed Mar 06 2002 - 18:42:46 PST

    Robert,
    
    > What KIND of traffic are you seeing on these ports? 
    
    It sounded to me (admittedly it's still unclear) as if
    the OP was saying that he's seeing probes.  Now,
    again...at this point we have no real idea what that
    means...but it might be simple SYN packets that are
    getting dropped, as nothing is listening on those
    ports on the target machines.
    
    Some things we'll need to know include:
    1.  What flags are set on these packets?
    2.  Are they incoming as well as outbound, or just
    incoming?
    3.  Are they being stopped by a firewall?
    4.  Are the packets destined to specific machines?  If
    so, does 'netstat' or 'fport' show anything running on
    those machines, using those ports?
    
    > Are they to one particular system?  If so, have you
    > run any analysis tools on it (i.e. TDImon, or FileMon,
    > etc...)?
    
    Good suggestions.  I'd recommend pslist, listdlls, and
    fport, as the output of those tools goes to STDOUT and
    can be easily piped off of the box.  FileMon and
    RegMon might not be necessary...it hasn't been shown
    yet that the packets are even reaching the target
    boxes.
    
    > Is there any kind of consistency to the packets?
    > Are they all TCP or is there UDP as well?  Is it at a
    > certain time?  What kind of systems are you seeing the
    > activity on?  OS?  versions?  Apps involved (if
    > identified)?
    
    All good questions.  Just goes to show we need more
    folks out there who know how to do Incident Response.
    
    Carv
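As an added example that is not part of this message or of the list, the script below works through the checklist above (what flags are set, inbound or outbound, dropped by the firewall or not, and whether the targeted host has a listener on that port) against a few constructed firewall log lines and a constructed listener table. The log format, addresses, ports and the INTERNAL prefix are all invented for illustration, not any vendor's real format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample firewall log (invented key=value format, not a real product's output).
FW_LOG = """\
2002-03-06 18:01:02 action=DROP proto=TCP src=10.9.8.7:4431 dst=192.168.1.10:27374 flags=S
2002-03-06 18:01:03 action=DROP proto=TCP src=10.9.8.7:4432 dst=192.168.1.10:31337 flags=S
2002-03-06 18:01:09 action=ACCEPT proto=TCP src=10.9.8.7:4433 dst=192.168.1.10:1433 flags=S
2002-03-06 18:02:15 action=DROP proto=UDP src=10.9.8.7:5000 dst=192.168.1.11:1434 flags=-
2002-03-06 18:03:00 action=ACCEPT proto=TCP src=192.168.1.10:1055 dst=10.9.8.7:80 flags=S
"""
# Constructed listener table per target host, as 'netstat -an' or 'fport' would report it.
LISTENERS = {"192.168.1.10": {135, 139, 445, 1433}, "192.168.1.11": set()}
INTERNAL = "192.168.1."  # assumption: our own address range, used to decide direction

LINE_RE = re.compile(r"action=(\w+) proto=(\w+) src=([\d.]+):(\d+) dst=([\d.]+):(\d+) flags=(\S+)")

def parse_log(text):
    """Return one event dict per parsable log line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        action, proto, src, _sport, dst, dport, flags = m.groups()
        events.append({"action": action, "proto": proto, "src": src, "dst": dst,
                       "dport": int(dport), "flags": flags,
                       "direction": "inbound" if dst.startswith(INTERNAL) else "outbound"})
    return events

def triage(events, listeners):
    """Answer the checklist: TCP flags seen, direction, firewall action, and per-target port status."""
    summary = {
        "flags": Counter(e["flags"] for e in events if e["proto"] == "TCP"),
        "direction": Counter(e["direction"] for e in events),
        "dropped": Counter(e["action"] for e in events),
        "targets": defaultdict(dict),
    }
    for e in events:
        if e["direction"] != "inbound":
            continue
        # A probe only matters on the host if the firewall let it through AND something listens there.
        summary["targets"][e["dst"]][e["dport"]] = {
            "reached_host": e["action"] == "ACCEPT",
            "listening": e["dport"] in listeners.get(e["dst"], set()),
        }
    return summary
```

In the sample, only the accepted SYN to 192.168.1.10:1433 both reached the host and hit a listener; the rest were dropped at the firewall, which is the case where FileMon/RegMon on the target would show nothing.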
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
