[Dshield] PC exhibiting weird behavior

Walzer, Jeff Jeff.Walzer at dcsg.com
Mon Dec 5 14:17:48 GMT 2005

First, thanks to all who have replied as I appreciate it. Some points
listed below:

1) By 'random' I mean the IP addresses it attempts to contact: it
picks random IPs on the 10.4.x.x network, which my firewall drops
2) I have the latest DAT files for McAfee AV
3) I have used FPORT and I haven't seen anything yet - the problem is
that the traffic comes in bursts - I could write a script that runs
fport every 10 seconds and hope that the next time this traffic occurs
the FPORT script picks it up
4) There are a bunch of these PCs at various locations and this PC is
the only one that's been flagged for this type of traffic. I haven't had
any other issues with any other of the PCs
5) I do have to patch the PC with the latest W2K SP
6) These PCs really shouldn't need to interact with anything else as
they perform one function which is local to whatever location they're at
7) I did run Rootkit Revealer and that turned up clean as well
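
One way to build the polling script from point 3: run FPort on a timer, keep the previous port-to-process snapshot, and log only what changed, so a burst on 135/445 shows up as a new or changed owner without wading through identical listings. This is an added example, not code from the thread; the install path, the FPort v2.0 column layout and the sample listings are assumptions, and `sample.exe` is a constructed process name.

```python
import re
import subprocess
import time

FPORT_EXE = r"C:\tools\fport.exe"   # assumed install path of the Foundstone tool
WATCH_PORTS = {135, 445}            # the ports named in the post
# Assumed FPort v2.0 data line: "pid process -> port proto path" (path empty for System).
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")
SAMPLE_BEFORE = """Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
"""  # constructed sample listing for the offline check
SAMPLE_AFTER = SAMPLE_BEFORE + "1204  sample.exe     ->  445   TCP   C:\\WINNT\\sample.exe\n"

def parse_fport(text):
    """Map (port, proto) -> (pid, process, path) for each data line; headers are skipped."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            table[(int(port), proto)] = (int(pid), proc, path.strip())
    return table

def diff_snapshots(old, new, watch=WATCH_PORTS):
    """Describe bindings that appeared, vanished or changed owner; watched ports get a tag."""
    events = []
    for key in sorted(set(old) | set(new)):
        if old.get(key) == new.get(key):
            continue
        port, proto = key
        tag = "WATCH " if port in watch else ""
        if key not in old:
            events.append("%sNEW  %s/%d pid %d (%s) %s" % ((tag, proto, port) + new[key]))
        elif key not in new:
            events.append("%sGONE %s/%d pid %d (%s) %s" % ((tag, proto, port) + old[key]))
        else:
            events.append("%sCHG  %s/%d pid %d (%s) -> pid %d (%s)" % ((tag, proto, port) + old[key][:2] + new[key][:2]))
    return events

def poll(interval=10):
    """Run FPort every `interval` seconds and print timestamped changes since the last run."""
    prev = {}
    while True:
        out = subprocess.run([FPORT_EXE], capture_output=True, text=True).stdout
        cur = parse_fport(out)
        for ev in diff_snapshots(prev, cur):
            print(time.strftime("%Y-%m-%d %H:%M:%S"), ev)
        prev = cur
        time.sleep(interval)
```

Call `poll()` on the affected host and redirect the output to a file; the first cycle logs every binding as NEW, later cycles only the changes.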


-----Original Message-----
From: David Taylor [mailto:ltr at isc.upenn.edu] 
Sent: Saturday, December 03, 2005 11:14 AM
To: 'General DShield Discussion List'
Subject: Re: [Dshield] PC exhibiting weird behavior

Just to clarify.  You are seeing traffic from 'your' port 135 and 445?
If that is the case it is likely someone else is scanning your system
and doesn't necessarily mean your computer is infected.

David Taylor //Sr. Information Security Specialist University of
Pennsylvania Information Security Philadelphia PA USA
(215) 898-1236

SANS - The Twenty Most Critical Internet Security Vulnerabilities

SANS - Internet Storm Center

irc.freenode.net #dshield

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org]
On Behalf Of Walzer, Jeff
Sent: Friday, December 02, 2005 4:19 PM
To: list at lists.dshield.org
Subject: [Dshield] PC exhibiting weird behavior

I have a W2K PC that I see sending occasional traffic to random IP
addresses from ports 135 and 445. I have done a complete virus scan and
it's clean, but I'm unable to figure out why it's trying to send from
ports 135 and 445 to random IP addresses. Any ideas as to what to do next?
