[Dshield] Anyone seen

Daugherty Bryan daugherty at uamont.edu
Tue Feb 24 17:17:01 GMT 2004


I started seeing ARP broadcasts (from various IPs on my network) last week
using Ethereal.

Example:

0000  ff ff ff ff ff ff 00 08  74 34 47 ae 08 06 00 01   ........ t4G.....
0010  08 00 06 04 00 01 00 08  74 34 47 ae cc 7e 72 8a   ........ t4G..~r.
0020  00 00 00 00 00 00 cc 7e  72 d1 00 00 00 00 00 00   .......~ r.......
0030  00 00 00 00 00 00 00 00  00 00 00 00               ............

Packet Length: 60 bytes
Dest: ff ff ff ff ff ff
Type: arp
Trailer: 0000000000000000000000000...

Yesterday I began to see outbound traffic (using Packeteer) from these same
IPs using ports 135, 445 and 6129.

After inspection of the PCs involved I found sndman.exe running in Task
Manager (located in C:\windows\system32), multiple registry entries starting
the process, and an entry in C:\windows\prefetch. I can stop the process,
remove the registry entries and the prefetch entry, and the outbound traffic
halts and the ARP broadcasts stop. The problem is that this is occurring on
fully patched PCs with the most current antivirus updates. My antivirus scans
don't detect a thing.

Anyone seen this?

 

Bryan
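The dump quoted in the post decodes as a broadcast ARP who-has request: sender 00:08:74:34:47:ae / 204.126.114.138 asking for 204.126.114.209, followed by 18 bytes of zero padding to reach the 60-byte Ethernet minimum (the "Trailer" Ethereal shows). A host that emits such requests for one neighbour after another is ARP-sweeping its subnet, which is what you would expect from a box that then goes hunting for 135/445 on whatever answers. The Python below is an added example and not code from the original post: it parses that exact frame and flags any sender MAC that has asked for many distinct targets. POSTED_FRAME is copied from the dump; every other frame, the threshold and the function names are constructed assumptions.

```python
"""Decode the ARP frame quoted in the post and flag hosts that ARP-sweep a subnet.

Added example; not code from the original post. POSTED_FRAME is the 60-byte
dump from the message. Every other frame below is constructed test data and
the function names are our own.
"""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST = 1

# The frame from the post, byte for byte (Ethernet header, ARP body, zero padding).
POSTED_FRAME = bytes.fromhex(
    "ffffffffffff 0008743447ae 0806"        # dst=broadcast, src MAC, EtherType=ARP
    "0001 0800 06 04 0001"                   # Ethernet/IPv4, hlen=6, plen=4, op=request
    "0008743447ae cc7e728a"                  # sender MAC / sender IP 204.126.114.138
    "000000000000 cc7e72d1"                  # target MAC (unknown) / target IP 204.126.114.209
    "000000000000000000000000000000000000"   # 18 bytes of padding up to the 60-byte minimum
)


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame):
    """Return a dict describing an IPv4-over-Ethernet ARP frame, or None otherwise."""
    if len(frame) < 42:                       # 14-byte Ethernet header + 28-byte ARP body
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "dst_mac": mac_str(dst), "src_mac": mac_str(src), "op": op,
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
        "trailer_len": len(frame) - 42,       # padding after the ARP body
    }


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Build a broadcast ARP who-has request padded to 60 bytes (test-data helper)."""
    mac = bytes.fromhex(sender_mac.replace(":", ""))
    sip = bytes(int(o) for o in sender_ip.split("."))
    tip = bytes(int(o) for o in target_ip.split("."))
    eth = struct.pack("!6s6sH", b"\xff" * 6, mac, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REQUEST,
                      mac, sip, b"\x00" * 6, tip)
    return (eth + arp).ljust(60, b"\x00")


def find_arp_scanners(frames, min_targets=8):
    """Map sender MAC -> sorted target IPs for senders whose ARP requests asked
    for at least min_targets distinct addresses. Non-ARP frames and ARP replies
    are ignored. The threshold is an assumption; tune it to the segment size."""
    targets = defaultdict(set)
    for frame in frames:
        arp = parse_arp_frame(frame)
        if arp and arp["op"] == ARP_REQUEST:
            targets[arp["sender_mac"]].add(arp["target_ip"])
    return {mac: sorted(ips) for mac, ips in targets.items() if len(ips) >= min_targets}


# Constructed sample traffic: the posted frame, a non-ARP frame that must be
# ignored, the same host walking part of its /24, and a normal host that only
# ever asks for its gateway.
SCANNER_MAC = "00:08:74:34:47:ae"
NON_ARP_FRAME = struct.pack("!6s6sH", b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55",
                            ETHERTYPE_IPV4) + b"\x00" * 46
SAMPLE_FRAMES = [POSTED_FRAME, NON_ARP_FRAME]
SAMPLE_FRAMES += [build_arp_request(SCANNER_MAC, "204.126.114.138", f"204.126.114.{n}")
                  for n in range(200, 211)]
SAMPLE_FRAMES += [build_arp_request("00:11:22:33:44:55", "204.126.114.50",
                                    "204.126.114.1")] * 2

if __name__ == "__main__":
    print(parse_arp_frame(POSTED_FRAME))
    for mac, ips in find_arp_scanners(SAMPLE_FRAMES).items():
        print(f"{mac} asked for {len(ips)} distinct hosts: {ips[0]} .. {ips[-1]}")
```

Run against a live pcap by feeding each raw frame to find_arp_scanners; the decoder only needs the first 42 bytes, so truncated captures still work. The host in the dump will show up as soon as it has asked for more than the threshold's worth of neighbours.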



