Re: maybe a simple problem

From: Igor D. Spivak (urbanachieverat_private)
Date: Wed Oct 02 2002 - 12:49:32 PDT

Next message: Brooke, O'neil (EXP): "RE: maybe a simple problem"

Previous message: John Sage: "UDP:137 source IP distribution"
In reply to: Andrew Fison: "maybe a simple problem"
Next in thread: Brooke, O'neil (EXP): "RE: maybe a simple problem"
Next in thread: Maxime Ducharme: "Re: Unusual volume: UDP:137 probes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

the way to track that is not trough netstat (is too dependent on chance),
but rather through a process/loaded dll list from an infected machine, being
compared to a similar list on a known good machine and all non-matching
entries researched.

now then http://www.sysinternals.com/win9x/98utilities.shtml this should
help you.
also, what does the telescope look like (just curious).


regards,


IDS


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Brooke, O'neil (EXP): "RE: maybe a simple problem"
Previous message: John Sage: "UDP:137 source IP distribution"
In reply to: Andrew Fison: "maybe a simple problem"
Next in thread: Brooke, O'neil (EXP): "RE: maybe a simple problem"
Next in thread: Maxime Ducharme: "Re: Unusual volume: UDP:137 probes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Oct 02 2002 - 13:48:19 PDT