[Dshield] Windows UDP Packet Sending Process

ola banjo ola.banjo at gmail.com
Thu Jul 3 02:56:04 GMT 2008


My client currently has USB ports open as their default settings. What
controls can I put in place to mitigate this vulnerability other than a USB
device lock down? Can I use a Windows policy to disable plugging USB sticks
into the network? Any kind of control from a Windows administration
perspective?

On Wed, Jul 2, 2008 at 7:27 PM, Jon Kibler <Jon.Kibler at aset.com> wrote:

> Hi,
>
> I have a Windows XP/SP2 Pro box that sends out a single UDP packet every
> 2 to 7 minutes. Even running netstat in a continuous loop never sees the
> packet, so I have been having problems trying to find what process is
> sending the packet. Also, TCPView has been of no help.
>
> Whereas there is a good chance this box is rooted, and I would never be
> able to find the process originating the packet, for now, I want to
> presume it has not been compromised.
>
> (Why such an assumption? 1: The box would take over a man-week to
> rebuild and would require outside vendor support to do so. 2: The box
> owner has been known to load unauthorized software, and there is a good
> chance that is what we are dealing with. 3: Have run several
> anti-rootkit packages, and they have found nothing.)
>
> Question: Is there a 'netflow-like' tool that will run on XP and log
> every single flow originating from the box, including PID? If not, how
> would you go about finding the process sending packets?
>
> THANKS!
> Jon Kibler
> - --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC  USA
> o: 843-849-8214
> c: 843-224-2494
> s: 843-564-4224
>
> My PGP Fingerprint is:
> BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
>
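For the USB question at the top of this message, one control that needs nothing beyond Windows administration is to stop the USB mass-storage class driver from loading. The script below is an added example, not code from anyone in this thread; it assumes the standard USBSTOR service key, where Start = 3 is the default (driver loads on demand) and Start = 4 means the driver is disabled, and it must run as a local administrator.

```powershell
# Added example: block USB mass-storage devices by disabling the USBSTOR driver.
# Assumes the standard service key; Start=3 loads on demand (default), Start=4 disables it.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    # Read the current Start value and translate it for the operator.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    switch ($start) {
        3       { 'Enabled (loads on demand)' }
        4       { 'Disabled' }
        default { "Unexpected Start value: $start" }
    }
}

function Disable-UsbStorage {
    # Start=4 stops usbstor.sys from being loaded for newly inserted devices.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
}

function Enable-UsbStorage {
    # Restore the default so the change can be rolled back during testing.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3 -Type DWord
}

Write-Host "USBSTOR before: $(Get-UsbStorageState)"
Disable-UsbStorage
Write-Host "USBSTOR after:  $(Get-UsbStorageState)"
```

This only affects mass-storage class devices (keyboards, mice and USB network adapters keep working) and only devices inserted after the change, and any local administrator can set the value back, so push it out through Group Policy or a startup script rather than by hand, and audit the value periodically.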