[Dshield] PC exhibiting weird behavior

Brian P. Donohue zbd at u.washington.edu
Sat Dec 3 23:55:43 GMT 2005


I agree with David.  It also suggests that you're not running a firewall on
the host, because then you'd see the traffic blocked in firewall logs,
rather than seeing your system responding to unwelcome traffic.  I work in
an educational institution where host-based firewalls are the first line of
defense.  I've seen hundreds of compromises over the last couple of years.
You don't want to put a computer on any network without a host-based
firewall.  Perimeter firewalls only cut down the "background radiation" of
the Internet.  You've got your neighbors inside the perimeter to worry about
as well.

You shouldn't trust anti-virus or stinger scans too much.  There are
thousands of variations that they don't detect, and there are a lot of
different kinds of compromises that aren't virus-related.  This has been
true for a couple of years now.  Many of them are rootkits, meaning they
hide themselves from the Windows GUI.  

The problem that I haven't seen hackers solve yet is hiding the way their
processes start up at boot time.  They're getting a lot better at putting
their startup processes in obscure places, or using names that closely
resemble valid system processes, but if it's hidden from Windows at boot
time, it won't start.

For this reason, I run a component of Spybot S&D called TeaTimer.  It
detects attempts to modify registry and file system locations related to
system startup, and prompts for permission to make the change.

To find rootkits and other malware, I use tools from sysinternals.com.  In
particular, Rootkit Revealer, Autoruns, and Tcpview (there are command line
equivalents too).  I suggest that you grab copies of these and run them.
You do need to know what is supposed to be running on your system to
understand their output.

====================================================

Brian P. Donohue, Security Engineer
UW Medicine Information Technology Services (ITS)
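
The baseline check Brian describes (knowing what is supposed to start at boot, then spotting new or lookalike entries) can be scripted. The following is an added example and not code from the thread, Sysinternals, or Spybot: it parses two `reg export` style dumps of the Run/RunOnce keys (one taken when the machine was known-good, one now), reports what was added, changed or removed, and flags launch strings whose executable borrows a well-known system process name but lives outside the system directory. The registry text, the list of system binaries and the system directories are all constructed for the example and are assumptions, not a complete catalogue.

```python
import ntpath
import re

# Constructed list of binary names malware commonly imitates (assumption, not exhaustive).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "explorer.exe", "spoolsv.exe"}
# Directories where those names legitimately live on Windows 2000 / XP (assumed, lower-cased).
SYSTEM_DIRS = {r"c:\winnt\system32", r"c:\winnt", r"c:\windows\system32", r"c:\windows"}

# Matches  "Name"="data"  and  @="data"  lines of a .reg export.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

# Constructed known-good export of the Run / RunOnce keys (not a real machine's dump).
BASELINE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"AVAgent"="\"C:\\Program Files\\Example AV\\agent.exe\" /tray"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
'''

# Constructed export taken later: two entries have appeared, one with a lookalike name.
CURRENT_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"AVAgent"="\"C:\\Program Files\\Example AV\\agent.exe\" /tray"
"Windows Update Service"="C:\\WINNT\\Temp\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="cmd /c del C:\\WINNT\\Temp\\inst.log"
'''


def unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for string values in a .reg export."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = unescape(m.group(1)) if m.group(1) is not None else "(Default)"
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = unescape(data[1:-1])
            entries[key][name] = data  # non-string types (dword:, hex:) are kept raw
    return entries


def image_path(launch):
    """Extract the executable from a launch string (quoted path or first token)."""
    launch = launch.strip()
    if launch.startswith('"'):
        end = launch.find('"', 1)
        return launch[1:end] if end > 0 else launch[1:]
    return launch.split()[0] if launch else ""


def lookalike(launch):
    """True when the image uses a system-process name but is not in a system directory.
    A bare name (no directory) is flagged too, since it resolves through the search path."""
    path = image_path(launch)
    base = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    return base in SYSTEM_BINARIES and folder not in SYSTEM_DIRS


def diff_autoruns(baseline, current):
    """List NEW / CHANGED / REMOVED startup entries between two parsed exports."""
    findings = []
    for key, values in current.items():
        base = baseline.get(key, {})
        for name, data in values.items():
            if name not in base:
                findings.append({"change": "NEW", "key": key, "name": name, "data": data})
            elif base[name] != data:
                findings.append({"change": "CHANGED", "key": key, "name": name, "data": data})
    for key, values in baseline.items():
        for name, data in values.items():
            if name not in current.get(key, {}):
                findings.append({"change": "REMOVED", "key": key, "name": name, "data": data})
    for f in findings:
        f["lookalike"] = f["change"] != "REMOVED" and lookalike(f["data"])
    return findings


def report(baseline_text, current_text):
    return diff_autoruns(parse_reg_export(baseline_text), parse_reg_export(current_text))


if __name__ == "__main__":
    for f in report(BASELINE_REG, CURRENT_REG):
        flag = "  <-- system name outside system dir" if f["lookalike"] else ""
        print(f"{f['change']:8} {f['key']}\\{f['name']} = {f['data']}{flag}")
```

The diff only has value because the baseline was captured while the machine was trusted; the same comparison can be run over an Autoruns export, the Services key, the Winlogon keys or the Startup folder, which is where the obscure placements Brian mentions tend to go.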

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of David Taylor
Sent: Saturday, December 03, 2005 08:14
To: 'General DShield Discussion List'
Subject: Re: [Dshield] PC exhibiting weird behavior

Just to clarify.  You are seeing traffic from 'your' port 135 and 445? If
that is the case it is likely someone else is scanning your system and
doesn't necessarily mean your computer is infected.


==================================================
David Taylor //Sr. Information Security Specialist University of
Pennsylvania Information Security Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
================================================== 

SANS - The Twenty Most Critical Internet Security Vulnerabilities
http://www.sans.org/top20/

SANS - Internet Storm Center
http://isc.sans.org

irc.freenode.net #dshield
http://freenode.net/
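
The distinction David draws, between the PC answering on its own port 135/445 (someone else probing it) and the PC connecting out to other hosts' 135/445 (the pattern that would actually point to a compromise), can be read straight off a connection table. As an added example, not code from the thread or from any of the tools named in it, the script below parses Windows `netstat -ano` style output, lists remote hosts that reached the local 135/445 services, and groups outbound connections to those ports by process, flagging any process that fans out to several hosts. The netstat text is constructed for the example; the PID column assumes the `-o` switch, which is available on XP and later, so on Windows 2000 the process mapping would come from TCPView instead.

```python
import re

# MS-RPC endpoint mapper (135) and SMB over TCP (445): both are listening on a
# default Windows install, which is why a remote scan produces replies "from" them.
WATCHED_PORTS = {135, 445}

# Constructed sample of `netstat -ano` output; not captured from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       780
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:445       10.0.0.7:51234         ESTABLISHED     4
  TCP    192.168.1.20:135       203.0.113.9:4411       TIME_WAIT       0
  TCP    192.168.1.20:1052      198.51.100.23:445      SYN_SENT        1844
  TCP    192.168.1.20:1053      198.51.100.24:445      SYN_SENT        1844
  TCP    192.168.1.20:1054      198.51.100.25:135      SYN_SENT        1844
  TCP    192.168.1.20:3389      192.168.1.50:49711     ESTABLISHED     912
"""

# TCP rows only; UDP rows carry no state column and a "*:*" foreign address.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Turn netstat -ano text into a list of connection dicts (TCP rows only)."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conns.append({
            "local_ip": m.group(1), "local_port": int(m.group(2)),
            "remote_ip": m.group(3), "remote_port": int(m.group(4)),
            "state": m.group(5), "pid": int(m.group(6)),
        })
    return conns


def triage(conns, fanout_threshold=3):
    """Separate 'they probed us' from 'we are probing them' on ports 135/445."""
    inbound = []    # remote hosts that connected to our 135/445 (our replies look like 'from 135/445')
    outbound = {}   # pid -> set of remote hosts this process tried to reach on 135/445
    for c in conns:
        if c["state"] == "LISTENING":
            continue
        if c["local_port"] in WATCHED_PORTS:
            inbound.append(c["remote_ip"])
        elif c["remote_port"] in WATCHED_PORTS:
            outbound.setdefault(c["pid"], set()).add(c["remote_ip"])
    # One process reaching many distinct hosts on 135/445 is worm-style behaviour
    # and is the case worth taking to Autoruns / TCPView.
    fanout = sorted(pid for pid, hosts in outbound.items() if len(hosts) >= fanout_threshold)
    return {"inbound_probes": inbound, "outbound_by_pid": outbound, "fanout_pids": fanout}


if __name__ == "__main__":
    result = triage(parse_netstat(SAMPLE_NETSTAT))
    print("Remote hosts that hit our 135/445 (their scan, our reply):", result["inbound_probes"])
    for pid, hosts in result["outbound_by_pid"].items():
        print(f"PID {pid} connected out to 135/445 on {len(hosts)} host(s): {sorted(hosts)}")
    print("Processes fanning out (investigate):", result["fanout_pids"])
```

Inbound hits on 135/445 are what a host-based firewall would have dropped before the machine ever replied, which is Brian's point; an outbound fan-out from a single PID is the finding that changes the question from "who is scanning me" to "what is running on this box".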



-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Walzer, Jeff
Sent: Friday, December 02, 2005 4:19 PM
To: list at lists.dshield.org
Subject: [Dshield] PC exhibiting weird behavior


I have a W2K PC that I see sending occasional traffic to random IP addresses
from ports 135 and 445. I have done a complete virus scan and it's clean,
but I'm unable to figure out why it's trying to send from ports 135 and 445
to random IP addresses. Any ideas as to what to do next?

Thanks...
_________________________________________
Using .Net? Need to know more about .Net Security?
http://isc.sans.org/banner_count.php?dest=dotnet

_______________________________________________
send all posts to list at lists.dshield.org To change your subscription options
(or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list

