[Dshield] Odd dhcp Chatter Activity

Kevin Ottalini ottalini at mindspring.com
Thu Apr 22 08:36:52 GMT 2004


I have a notebook comp with XP Home I use as a sacrificial goat and for testing that scans totally clean right now but has something undetectable going on, perhaps a trojan or perhaps something damaged.

I located the problem when I noticed that there was some sort of ongoing network activity when Ethernet was plugged in but it's totally quiet when the link is unplugged or disabled.

I see activity on both tdimon and regmon
TDIMON: http://home.covad.net/~qsesteam2/tmp/explore_dhcp_chatter_tdimon.LOG
that "Explorer.EXE:144" is very odd since the actual PID for Explorer.EXE is 1444

REGMON: http://home.covad.net/~qsesteam2/tmp/explore_dhcp_chatter_regmon.LOG

both just sit there and cycle over and over.  No other XP Home or Pro system I have does this and I have a second XP Home system set up almost identically.

The closest similar problem I could locate was this:
http://members.ams.chello.nl/s.pechler/Backdoor_stealth_proxy_server.htm

I'm not saying it's that backdoor but the sequence described there is very similar.

I've run virtually every spyware, virus and trojan detection program on that system and it reports clean on all.

I also have a spyware/trojan help FAQ page that I'm working on, if I've missed anything useful or have something offensive on the page I would appreciate any feedback:
http://steampowered.com/forums/showthread.php?s=a30b00fb6899a3b214ee8ca21add7936&threadid=76462

Any thoughts or comments much appreciated!

Kevin Ottalini
qUiCkSiLvEr


