[Dshield] Anyone seen

TRushing@hollandco.com TRushing at hollandco.com
Wed Feb 25 20:57:23 GMT 2004


Google turns up very little on sndman.exe.  However, it appears that it 
may be RealTek Sound Manager.

Something to check on those PCs.  As to why that would be generating the 
traffic you originally described, I have no clue.

         ---Tim Rushing

list-bounces at dshield.org wrote on 02/25/2004 01:26:25 PM:

> Thanks Jon,
> 
> We do indeed have some hubs.  Just a few, but a few too many! 
> 
> Here is my real concern.
> 
> Original post:
> 
> Yesterday I began to see outbound traffic (using Packeteer) from these same
> IP's using ports 135, 445 and 6129.
> 
> After inspection of the PCs involved I found sndman.exe running in task
> manager (located in C:\windows\system32), multiple registry entries starting
> the process, and an entry in C:\windows\prefetch.  I can stop the process,
> remove the registry entries and the prefetch entry and the outbound traffic
> halts and the ARP broadcasts stop. 
> 
> The problem is that this is occurring on fully patched PCs with the most
> current antivirus updates.  My antivirus scans don't detect a thing. 
> 
> I have sent this to my Anti-virus company and have not heard back.  I have
> never seen this pattern of traffic from PCs.
> 
> -----Original Message-----
> From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf Of
> Jon R. Kibler
> Sent: Tuesday, February 24, 2004 5:00 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Anyone seen
> 
> Daugherty Bryan wrote:
> 
> > I started seeing ARP broadcast (from various IPs on my network) last week
> > using ethereal.
> 
> ARP packets (and RARP packets) can only occur on your local Ethernet LAN
> segment. They are not routable on the Internet. 
> 
> To communicate on Ethernet, systems do not actually directly use the IP
> address of the destination system. Rather, they use the 48-bit Media Access
> Control (MAC) address to determine the destination (with the destination
> being an individual port on a NIC). ARP and RARP packets serve to translate
> between IP and MAC addresses. An ARP request says "I need to know the MAC
> address for IP x.x.x.x." and an RARP request says "My MAC address is
> xx:xx:xx:xx:xx:xx -- who knows what my IP address should be?".
> 
> In the for-what-it-is-worth category, the BOOTP (Boot Protocol -- used for
> remote booting) is a superset of RARP, and the DHCP protocol is a superset of
> RARP but a subset of BOOTP.
> 
> So, bottom line, ARP packets just indicate that a system is wanting to
> communicate with another system on your LAN with whom the ARP-ing system has
> not previously communicated (or, at least not within the lifetime of its ARP
> cache).
> 
> Also, the fact that you are seeing a lot of ARP packets is a MAJOR RED FLAG
> of another problem -- you are using shared Ethernet -- which is a MAJOR
> security risk. You really should replace all of your hubs with switches --
> or, at least in the future, only buy switches. 
> 
> With a switch, the only traffic a given port can see is traffic specifically
> to that port. That means that you can only see traffic to the IP address(es)
> of that port, Multicast traffic, and Broadcast traffic. No more snooping on
> everything else that occurs on the network!
> 
> Hope this helps!
> 
> -- 
> Jon R. Kibler
> Chief Technical Officer
> A.S.E.T., Inc.
> Charleston, SC  USA
> (843) 849-8214
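An added illustration, not part of the thread or of any poster's tooling: Jon explains that an ARP request carries "I need to know the MAC for IP x.x.x.x", and Bryan's symptom is many ARP broadcasts from a few hosts. The script below decodes raw Ethernet/ARP frames into exactly those fields, then counts how many distinct target IPs each sender asked about; a host that walks the subnet one address at a time stands out against hosts that only ARP for their gateway and a server or two. All frames, addresses and the threshold are constructed here, not taken from the thread.

```python
"""Decode raw Ethernet/ARP frames and flag hosts that ARP for an unusual
number of distinct targets (a common sign of a host scanning its LAN).

Added example for this thread; all frames below are constructed, not captured.
"""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_arp_frame(frame: bytes):
    """Parse an Ethernet II frame carrying Ethernet/IPv4 ARP.

    Returns a dict with the opcode and the sender/target MAC and IP fields
    (the "I need the MAC for IP x.x.x.x" content of a request), or None if
    the frame is truncated, not ARP, or not Ethernet/IPv4 ARP.
    """
    if len(frame) < 14 + 28:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "op": oper,
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
    }


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Build a broadcast ARP request; used here only to construct sample input."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    body += mac_bytes(sender_mac) + ip_bytes(sender_ip) + bytes(6) + ip_bytes(target_ip)
    return eth + body


def find_arp_sweepers(frames, max_targets: int = 10) -> dict:
    """Return {sender_ip: distinct_target_count} for hosts whose ARP requests
    asked about more than max_targets distinct IPs.

    A host normally ARPs only for the handful of peers it talks to (gateway,
    servers); asking for address after address on the subnet looks like this.
    The threshold is an assumption; tune it to the size of your LAN.
    """
    targets = defaultdict(set)
    for frame in frames:
        arp = parse_arp_frame(frame)
        if arp and arp["op"] == ARP_REQUEST:
            targets[arp["sender_ip"]].add(arp["target_ip"])
    return {ip: len(t) for ip, t in targets.items() if len(t) > max_targets}


# Constructed sample: one host asks for 40 consecutive addresses, another for
# two (its gateway and a server). Addresses and MACs are made up.
SAMPLE_FRAMES = (
    [build_arp_request("00:11:22:33:44:50", "192.168.1.50", f"192.168.1.{i}") for i in range(1, 41)]
    + [build_arp_request("00:11:22:33:44:10", "192.168.1.10", "192.168.1.1"),
       build_arp_request("00:11:22:33:44:10", "192.168.1.10", "192.168.1.254")]
)

if __name__ == "__main__":
    for ip, n in find_arp_sweepers(SAMPLE_FRAMES).items():
        print(f"{ip} ARPed for {n} distinct hosts; investigate that PC")
```

Two points worth noting when running this against a real capture: ARP requests are broadcast, so they reach every port on a switch as well as on a hub, which means this check still works after the hubs Jon objects to have been replaced; and because the count is per sender IP taken from the ARP body, a host forging its sender address would show up under the forged IP, so cross-check the Ethernet source MAC (also returned by the parser) before acting on a result.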