[Dshield] Windoze Questions...SAMBA + Windows AD Question

David Vincent david.vincent at mightyoaks.com
Tue Feb 24 20:55:39 GMT 2004

edited for brevity...

> > 'sounds like you're either infected with viri or you're 0wned.'
> > 
> > I'm sorry, where did he say anything like that ?
> > I think laurie is just pre-paranoid ... 
> > 
> > Cable modem lights can light up, if you are being scanned from
> > outside ...  Doesn't mean you're owned !
> /* snip */
> ...here's 24 seconds of cable modem chatter, *not* including anything
> actually directed to me:
> /* snip */
> All this is "lighting up the lights"...

Yup.  Sure will, modem manufacturer depending.  My Terayon Cable modem is
not lit all the time, but a few seconds of packet capture shows there is
still a lot of traffic hitting my IP, like your above example.  

Also, let's not cloud the issue: that statement could be interpreted as "you
can ignore the lights on your modem, I'm surprised they aren't lit up all
the time, and disk activity is normal too."

Laurie didn't exactly give us a lot to go on.

a)  Paranoia is not a bad thing when you use it to your advantage; Laurie is
right to be suspicious of lots of disk activity and perceived network
traffic when "no one is on the system".

b)  I pointed to a tool which would allow Laurie to see the actual
connections being made to the server, which should immediately show if there
is a problem.  (Assuming the system isn't compromised in some way to hide
traffic from a sophisticated attacker)

c)  TCPView will of course also show you if no one is connected to the
system.  If you find you've only got connections to internal hosts or hosts
which you would expect, you're probably ok but would benefit from some extra
digging just in case (checking out the clients that are connected esp. if no
one is logged on to those systems, also assuming you have the time for this)

d)  Laurie is obviously worried about some hacker or malware since being
locked out of the Win2000 IDS Box and getting the 'The Administrator has
access to this computer' message.
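As an added example (not part of this post, and not TCPView's own code), a small Python check for point (c): it parses `netstat -ano`-style output (constructed sample lines here, the same connection information TCPView shows) and lists established connections whose peer lies outside the address ranges the admin expects. The expected ranges and the sample lines are assumptions.

```python
import ipaddress

# Constructed sample in the style of Windows "netstat -ano" output (not real data).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:445       192.168.1.23:1044      ESTABLISHED     4
  TCP    192.168.1.10:3389      10.0.0.5:50012         ESTABLISHED     1208
  TCP    192.168.1.10:1337      203.0.113.77:6667      ESTABLISHED     2440
  TCP    192.168.1.10:139       192.168.1.23:1045      TIME_WAIT       0
  UDP    0.0.0.0:137            *:*                                    4
"""

# Ranges a small-LAN admin would expect peers to fall into (assumption).
EXPECTED_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) from netstat -ano style text."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                      # header, blank or unknown line
        if parts[0] == "UDP":             # UDP rows carry no State column
            proto, local, remote, state, pid = parts[0], parts[1], parts[2], "", int(parts[3])
        else:
            proto, local, remote, state, pid = parts[0], parts[1], parts[2], parts[3], int(parts[4])
        yield proto, local, remote, state, pid

def remote_host(endpoint):
    """Strip the port from 'host:port' (or '[v6]:port'); None for wildcards."""
    host = endpoint.rsplit(":", 1)[0].strip("[]")
    return None if host in ("*", "0.0.0.0") else host

def unexpected_connections(text, expected_nets=EXPECTED_NETS):
    """Return established connections whose peer is outside expected ranges."""
    flagged = []
    for proto, local, remote, state, pid in parse_netstat(text):
        host = remote_host(remote)
        if state != "ESTABLISHED" or host is None:
            continue
        if not any(ipaddress.ip_address(host) in net for net in expected_nets):
            flagged.append((proto, local, remote, pid))
    return flagged

if __name__ == "__main__":
    for conn in unexpected_connections(SAMPLE_NETSTAT):
        print("review this connection:", conn)   # check the owning PID
```

A flagged row is a starting point for digging, not proof of compromise: look up the PID, the process behind it and whether anyone should be using it.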


