[Dshield] unknown port

Rick Leske rick at jaray.net
Thu Jun 5 05:19:13 GMT 2003


I am running w2k pro... have uninstalled the autoupdate by adding
AutoUpdate=ocgen.dll,OcEntry,au.inf,,7
to the sysoc.inf file then using add/remove windows components.  I have
set the Background Intelligent Transfer Service to manual and disabled
the automatic updates several months ago.  'have confirmed' that these
settings are still in use.  Reviewing your synopsis I do agree that this
might be a Microsoft program causing the download but why would it still
be trying to connect to this unknown ip?   Hung process?  guess it's time
to tlist it and see what's causing it to auto connect.

Thanks for your response,

~Rick

----- Original Message ----- 
From: Erik Fichtner
To: General DShield Discussion List
Sent: Wednesday, June 04, 2003 11:16 PM
Subject: Re: [Dshield] unknown port


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Jun 04, 2003 at 09:25:17PM -0500, Rick Leske wrote:
> Honestly I'm not using a web server.. here's a snip of the capture:
>
>  TCP 1420    64.124.82.21     10.1.58.122     80  3154  [2003.06.04 - 14:58:09.303]

> Content-Type: application/x-msdownload

> Server: Microsoft-IIS/6.0

You absolutely sure that isn't Windows XP's automagic
WindowsUpdate doodad downloading patches for you while you're
not looking?



- -- 
Erik Fichtner
Information Security, ServerVault Corp.
703-652-5900
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQE+3sQMQ7EzrewLMS0RAoNjAJwIVSF7a/XVYA/0wqRZmNCy8yZ2EACglj5c
mMjXZ2BNpYaoJOFth5EH5vQ=
=CV79
-----END PGP SIGNATURE-----
