[Dshield] Netstat output from XP machine

Tom Geairn tgeairn at newviewconsulting.com
Wed Feb 4 19:40:06 GMT 2004

Additionally, there is the port 4446 traffic.  I've seen this before
with relays.  First guess is that this box is being used to relay
traffic from to the 9420 boxes.

Try this:

1. Disconnect the machine physically from the 'net (unplug the Ethernet

2. Use Netstat -an and find what's still listening.  You can use netstat
-ano to map to a process id from task manager.  There are utilities out
there to make this easier.  It could be linked to a buried process, so
you may have to use a utility to find it.

I'm guessing that you will find something listening on 4446.  Let us
know what it is.

-Tom Geairn
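As an added example (not part of this thread, and not code posted by Tom or Rick), the `netstat -ano` step above is easier to do reliably if the output is parsed rather than read by eye. The Python below assumes you have captured `netstat -ano` output and a `tasklist`-style PID-to-image mapping from the disconnected machine; the sample data embedded here is constructed, with invented PIDs and process names, and it flags the two ports the thread is concerned with (4446 listening, 9420 as the outbound target) and checks whether one process owns both.

```python
"""Triage helper for `netstat -ano` output (added example, not from the thread).

Parses the text netstat prints on Windows, pulls out LISTENING sockets plus
any socket touching a port of interest, and maps each PID to an image name
using a tasklist-style dictionary.  All sample data below is constructed for
illustration; the PIDs, addresses and process names are invented.
"""
from collections import namedtuple

Socket = namedtuple("Socket", "proto local_ip local_port remote_ip remote_port state pid")

# Constructed sample of `netstat -ano` as printed on Windows XP (not real data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4446           0.0.0.0:0              LISTENING       1672
  TCP    192.168.1.5:1043       203.0.113.7:9420       ESTABLISHED     1672
  TCP    192.168.1.5:1044       198.51.100.23:9420     SYN_SENT        1672
  TCP    192.168.1.5:1050       192.0.2.10:80          ESTABLISHED     2240
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1120
"""

# Constructed PID -> image name map, the shape `tasklist` gives you (invented names).
SAMPLE_TASKLIST = {4: "System", 928: "svchost.exe", 1120: "svchost.exe",
                   1672: "unknown_svc.exe", 2240: "iexplore.exe"}

# Ports the thread singles out: 4446 seen listening, 9420 as the outbound target.
SUSPECT_PORTS = {4446, 9420}


def _split_endpoint(ep):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '*:*' -> ('*', None)."""
    host, _, port = ep.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -ano` output into Socket records, tolerating the
    missing State column on UDP lines."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or a line we do not understand
        proto, local, remote = parts[0], parts[1], parts[2]
        if proto == "TCP" and len(parts) == 5:
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])   # UDP rows have no State column
        lip, lport = _split_endpoint(local)
        rip, rport = _split_endpoint(remote)
        sockets.append(Socket(proto, lip, lport, rip, rport, state, pid))
    return sockets


def triage(sockets, tasklist, suspect_ports=SUSPECT_PORTS):
    """Return (listeners, suspect): listeners maps each LISTENING TCP port
    to (pid, image); suspect lists sockets touching a port of interest
    with the owning image name attached."""
    listeners = {}
    suspect = []
    for s in sockets:
        image = tasklist.get(s.pid, "<unknown pid>")
        if s.proto == "TCP" and s.state == "LISTENING":
            listeners[s.local_port] = (s.pid, image)
        if s.local_port in suspect_ports or s.remote_port in suspect_ports:
            suspect.append((s, image))
    return listeners, suspect


def pids_talking_to(sockets, port):
    """PIDs owning any socket whose remote port is `port`.  The relay check
    from the thread: does the 4446 listener also own the 9420 connections?"""
    return sorted({s.pid for s in sockets if s.remote_port == port})


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    listeners, suspect = triage(socks, SAMPLE_TASKLIST)
    print("Listening TCP ports:")
    for port, (pid, image) in sorted(listeners.items()):
        print(f"  {port:>5}  pid {pid:<5} {image}")
    print("Sockets on suspect ports:")
    for s, image in suspect:
        print(f"  {s.proto} {s.local_ip}:{s.local_port} -> {s.remote_ip}:{s.remote_port} "
              f"{s.state or '-':<12} pid {s.pid} ({image})")
    print("PIDs with connections to 9420:", pids_talking_to(socks, 9420))
```

On a real machine you would pipe `netstat -ano > netstat.txt` and `tasklist > tasklist.txt` with the cable unplugged, then feed those files in place of the constructed strings; if the PID returned for 4446 maps to nothing in `tasklist`, that is the "buried process" case Tom mentions and a process-explorer style tool is the next step.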

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of Rick Klinge
Sent: Wednesday, February 04, 2004 1:11 PM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] Netstat output from XP machine

Wow.. That is interesting.. Maybe his computer is trojanized? And being
to connect to those remote computers via port 9420? .. Some trojans
trigger antivirus software but a firewall should... Unless the
rendered it useless.

I personally don't know what port 9420 is looking at the randomness of
targets.. I'm suspecting compromised machines used to send spam.. Course
could be way off on this too.
