[Dshield] Is there a legitimate service named doom?

Matt Shirilla mshirilla at micim.com
Thu Jun 23 18:23:53 GMT 2005


I do not think -o is supported in w2k server.  You might have to download TCPview from Sysinternals.

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org]On Behalf Of Brenden Walker
Sent: Thursday, June 23, 2005 2:18 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Is there a legitimate service named doom?


> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of 
> securityguy at dslextreme.com
> Sent: Thursday, June 23, 2005 1:29 PM
> To: list at lists.dshield.org
> Subject: [Dshield] Is there a legitimate service named doom?
> 
> Troubleshooting a Windows 2k server, a netstat showed a 
> protocol named "doom" listening on port 1035.  The latest 
> virus scans show no infection (Symantec, McAfee Stinger, and 
> Trend Micro's HouseCall) all report clean. 
> There's been (so far as I can tell) no slow down in service, 
> increase in disk size, or anything out of the ordinary.  Is it 
> possible that this is a normal service as opposed to someone 
> running a game?  How would I track down what is spawning this service?

Start with netstat -o which will give you the PID of the process that
opened the service, find that in your task manager and then hunt down
the executable.  That'll probably tell you a lot right there.

