[Dshield] Windows UDP Packet Sending Process

Jon Kibler Jon.Kibler at aset.com
Wed Jul 2 23:27:00 GMT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I have a Windows XP/SP2 Pro box that sends out a single UDP packet every
2 to 7 minutes. Even running netstat in a continuous loop never sees the
packet, so I have been having problems trying to find what process is
sending the packet. Also, TCPView has been of no help.

Whereas there is a good chance this box is rooted, and I would never be
able to find the process originating the packet, for now, I want to
presume it has not been compromised.

(Why such an assumption? 1: The box would take over a man-week to
rebuild and would require outside vendor support to do so. 2: The box
owner has been known to load unauthorized software, and there is a good
chance that is what we are dealing with. 3: Have run several
anti-rootkit packages, and they have found nothing.)

Question: Is there a 'netflow-like' tool that will run on XP and log
every single flow originating from the box, including PID? If not, how
would you go about finding the process sending packets?

THANKS!
Jon Kibler
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkhsDsMACgkQUVxQRc85QlOFywCfYCAB6uGd3TbfpkAU/pOupuB2
kCYAnjsTc3hbsbmqdUi7G1FyZ2O6VSTA
=PL6y
-----END PGP SIGNATURE-----




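One way to attack the "which PID owns the socket" question without a dedicated netflow agent is to poll the socket table far faster than a human can re-run netstat and log the deltas with timestamps and PIDs. The script below is an added example for this thread, not something from the original post: it snapshots `netstat -ano -p UDP`, diffs successive snapshots, and resolves each new PID to an image name with `tasklist`. It assumes the Windows XP column layout shown in the constructed sample output (Proto, Local Address, Foreign Address, PID, with no State column for UDP); the sample snapshots and the PID/port values in them are made up for illustration. The caveat the poster already hit still applies: a socket that exists only for one `sendto()` can open and close inside the polling interval, so if a tight loop never catches it, the next step is a capture tool that attributes frames to processes at send time rather than after the fact.

```python
"""Poll the UDP socket table and log every socket that appears or disappears,
with the owning PID and image name.  Added example for the DShield thread;
not the poster's code.  Assumes XP-style 'netstat -ano -p UDP' output."""
import csv
import subprocess
import sys
import time
from datetime import datetime

# Constructed sample of two successive 'netstat -ano -p UDP' snapshots
# (hypothetical ports and PIDs, chosen only to exercise the parser).
SAMPLE_BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    788
  UDP    127.0.0.1:123          *:*                                    1044
"""
SAMPLE_AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    788
  UDP    0.0.0.0:1731           *:*                                    2276
  UDP    127.0.0.1:123          *:*                                    1044
"""


def parse_udp_sockets(text):
    """Return a set of (local_addr, local_port, pid) for each UDP row."""
    sockets = set()
    for line in text.splitlines():
        fields = line.split()
        # UDP rows carry no State column, so XP prints exactly four fields:
        # Proto, Local Address, Foreign Address, PID.
        if len(fields) != 4 or fields[0].upper() != "UDP":
            continue
        addr, _, port = fields[1].rpartition(":")  # rpartition keeps IPv6 text intact
        sockets.add((addr, int(port), int(fields[3])))
    return sockets


def diff_sockets(before, after):
    """Sockets that opened and sockets that closed between two snapshots."""
    return sorted(after - before), sorted(before - after)


def run(cmd):
    """Run a console tool and return its stdout as text (empty on failure)."""
    try:
        return subprocess.check_output(cmd, stderr=subprocess.STDOUT,
                                       universal_newlines=True)
    except (OSError, subprocess.CalledProcessError):
        return ""


def snapshot():
    return parse_udp_sockets(run(["netstat", "-ano", "-p", "UDP"]))


def image_name(pid):
    """Map a PID to its image name via 'tasklist /FO CSV'; the process may
    already be gone by the time we ask, which is itself worth logging."""
    out = run(["tasklist", "/FI", "PID eq %d" % pid, "/FO", "CSV", "/NH"])
    for row in csv.reader(out.splitlines()):
        if len(row) > 1 and row[1] == str(pid):
            return row[0]
    return "(exited before lookup)"


def watch(interval=0.1, log=sys.stdout):
    """Poll until Ctrl-C, writing one line per socket open/close event."""
    previous = snapshot()
    while True:
        time.sleep(interval)
        current = snapshot()
        opened, closed = diff_sockets(previous, current)
        stamp = datetime.now().strftime("%H:%M:%S.%f")[:-3]
        for addr, port, pid in opened:
            log.write("%s OPEN  udp %s:%d pid %d %s\n"
                      % (stamp, addr, port, pid, image_name(pid)))
        for addr, port, pid in closed:
            log.write("%s CLOSE udp %s:%d pid %d\n" % (stamp, addr, port, pid))
        log.flush()
        previous = current


if __name__ == "__main__":
    # Run as: python udpwatch.py > udp.log, then correlate the OPEN lines
    # against the sniffer's timestamps for the 2-7 minute packet.
    watch()
```

Leave it running alongside a packet capture and match the capture timestamp of the stray datagram against the OPEN lines; a transient socket shows up as an OPEN immediately followed by a CLOSE from the same PID. If several minutes of captures show the packet but the log never shows a matching OPEN, the socket lifetime is shorter than the polling interval and polling is the wrong tool for that box.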