[Dshield] Windows UDP Packet Sending Process
eyeronic.design at gmail.com
Thu Jul 3 00:00:14 GMT 2008
Have you tried running something like ProcMon and FileMon? They might
be of some help.
On Wed, Jul 2, 2008 at 4:27 PM, Jon Kibler <Jon.Kibler at aset.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> I have a Windows XP/SP2 Pro box that sends out a single UDP packet every
> 2 to 7 minutes. Even running netstat in a continuous loop never sees the
> packet, so I have been having problems trying to find what process is
> sending the packet. Also, TCPView has been of no help.
> Whereas there is a good chance this box is rooted, and I would never be
> able to find the process originating the packet, for now, I want to
> presume it has not been compromised.
> (Why such an assumption? 1: The box would take over a man-week to
> rebuild and would require outside vendor support to do so. 2: The box
> owner has been known to load unauthorized software, and there is a good
> chance that is what we are dealing with. 3: Have run several
> anti-rootkit packages, and they have found nothing.)
> Question: Is there a 'netflow-like' tool that will run on XP and log
> every single flow originating from the box, including the PID? If not, how
> would you go about finding the process sending the packets?
> Jon Kibler
> - --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC USA
> o: 843-849-8214
> c: 843-224-2494
> s: 843-564-4224
> My PGP Fingerprint is:
> BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
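Added example, not code from the thread: one way to build the "netflow-like tool with PID" the question asks for, in Python. A sampler polls UDP socket bindings far faster than a netstat loop (assumes psutil is installed and the script runs with admin rights), and each UDP packet seen by a separate capture (Wireshark, tcpdump on a span port) is attributed to a PID by matching its source port against that binding history within a time window.

```python
# Attribute a captured UDP packet to the PID that held its source port,
# using a rolling history of socket-binding samples instead of netstat.
from collections import deque
import time

HISTORY = deque(maxlen=20000)   # (sample_time, local_port, pid)

def record_bindings(history, sample_time, bindings):
    """Append one sample of (local_port, pid) pairs to the history."""
    for port, pid in bindings:
        history.append((sample_time, port, pid))

def attribute_packet(history, pkt_time, src_port, window=5.0):
    """Return the PID that held src_port closest in time to pkt_time, or None.
    Only samples within +/- window seconds count, so a port later reused by
    another process is not mistaken for the sender."""
    best = None
    for sample_time, port, pid in history:
        if port != src_port:
            continue
        gap = abs(sample_time - pkt_time)
        if gap <= window and (best is None or gap < best[0]):
            best = (gap, pid)
    return best[1] if best else None

def live_bindings():
    """Current UDP sockets as (local_port, pid). Assumption: psutil is
    available; psutil.net_connections(kind='udp') needs admin rights."""
    import psutil
    return [(c.laddr[1], c.pid) for c in psutil.net_connections(kind='udp')
            if c.laddr and c.pid]

def sampler(history, interval=0.2, duration=600):
    """Poll bindings every `interval` seconds while a packet capture runs;
    feed each captured UDP packet's timestamp and source port to
    attribute_packet() afterwards (or from a second thread)."""
    end = time.time() + duration
    while time.time() < end:
        record_bindings(history, time.time(), live_bindings())
        time.sleep(interval)

if __name__ == "__main__":
    # Constructed demo data: PID 1234 binds port 49321 for a single 0.2 s
    # sample (the netstat-invisible case); PID 999 reuses the port 30 s later.
    h = deque(maxlen=100)
    record_bindings(h, 100.0, [(137, 4), (49321, 1234)])
    record_bindings(h, 100.2, [(137, 4)])
    record_bindings(h, 130.0, [(137, 4), (49321, 999)])
    print(attribute_packet(h, 100.1, 49321))   # -> 1234
    print(attribute_packet(h, 129.9, 49321))   # -> 999
    print(attribute_packet(h, 115.0, 49321))   # -> None
```

The sampling interval bounds the shortest-lived socket you can catch; a 2 to 7 minute cadence means a capture of an hour or so gives several packets to correlate.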