[Dshield] Netstat output from XP machine

Tom Geairn tgeairn at newviewconsulting.com
Wed Feb 4 19:40:06 GMT 2004


Additionally, there is the port 4446 traffic.  I've seen this before
with relays.  First guess is that this box is being used to relay
traffic from 216.52.240.10 to the 9420 boxes.

Try this:

1. Disconnect the machine physically from the 'net (unplug the Ethernet cable)

2. Use Netstat -an and find what's still listening.  You can use netstat
-ano to map to a process id from task manager.  There are utilities out
there to make this easier.  It could be linked to a buried process, so
you may have to use a utility to find it.

I'm guessing that you will find something listening on 4446.  Let us
know what it is.

-Tom Geairn
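As an added illustration of step 2 above (this is not code from the thread or from Tom): a small parser for `netstat -ano` output that groups every socket touching the thread's suspect ports (4446 and 9420) by PID, so each PID can then be looked up in Task Manager or with `tasklist`. The sample output is constructed; 4446, 9420 and 216.52.240.10 come from the thread, the PIDs and all other addresses are made up.

```python
# Added example, not part of the mailing-list thread. Parses Windows
# `netstat -ano` text and reports which PIDs listen on, accept, or connect to
# the suspect ports. Sample output below is constructed; only 4446, 9420 and
# 216.52.240.10 are taken from the thread, everything else is invented.
import re
from collections import defaultdict

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:4446           0.0.0.0:0              LISTENING       1780
  TCP    192.168.1.5:4446       216.52.240.10:3451     ESTABLISHED     1780
  TCP    192.168.1.5:1042       203.0.113.17:9420      ESTABLISHED     1780
  TCP    192.168.1.5:1043       198.51.100.9:9420      SYN_SENT        1780
  TCP    192.168.1.5:1050       192.0.2.44:80          ESTABLISHED     2200
  UDP    0.0.0.0:445            *:*                                    4
"""
SUSPECT_PORTS = {4446, 9420}
# The State column is absent on UDP rows, hence the optional group.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")

def split_endpoint(ep):
    """'host:port', '*:*' or '[v6]:port' -> (host, port or None)."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """One dict per socket row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": split_endpoint(local),
                         "foreign": split_endpoint(foreign),
                         "state": state or "", "pid": int(pid)})
    return rows

def suspect_pids(rows, ports=SUSPECT_PORTS):
    """PID -> sorted reasons: listening on, accepting, or connected to a suspect port."""
    hits = defaultdict(set)
    for r in rows:
        (lhost, lport), (fhost, fport) = r["local"], r["foreign"]
        if lport in ports and r["state"] == "LISTENING":
            hits[r["pid"]].add(f"listens on {lport}")
        elif lport in ports and r["state"] == "ESTABLISHED":
            hits[r["pid"]].add(f"{fhost} connected to local {lport}")
        if fport in ports:
            hits[r["pid"]].add(f"{r['state']} to {fhost}:{fport}")
    return {pid: sorted(v) for pid, v in hits.items()}

if __name__ == "__main__":
    for pid, reasons in suspect_pids(parse_netstat(SAMPLE_NETSTAT)).items():
        print(pid, "->", "; ".join(reasons))  # then: tasklist /FI "PID eq <pid>"
```

Run it against real output with `netstat -ano > netstat.txt` and feed the file contents to `parse_netstat`; a PID that both listens on 4446 and holds connections to port 9420 is the relay candidate the step above is looking for.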



-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of Rick Klinge
Sent: Wednesday, February 04, 2004 1:11 PM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] Netstat output from XP machine

Wow.. That is interesting.. Maybe his computer is trojanized? And being used to connect to those remote computers via port 9420? .. Some trojans won't trigger antivirus software but a firewall should... Unless the trojan/hacker rendered it useless.

I personally don't know what port 9420 is looking at the randomness of the targets.. I'm suspecting compromised machines used to send spam.. Course I could be way off on this too.

Fwiw,

~Rick