[Dshield] Windows UDP Packet Sending Process

John.Schlichting at osf.ok.gov John.Schlichting at osf.ok.gov
Thu Jul 3 14:37:56 GMT 2008


I agree with Chris.  In these cases I pull the drive, mount it RO, and
load up the Gargoyle hash set to look for any known malware.  If this is
unsuccessful, it can get pretty hairy from there, comparing hashed filesets
from the gozillions of Windows patched files to find the diffs.  If you
can, a -X tcpdump could be useful.  Also, if you can share the dest ip, I
can run it through and see if I get any hits from my networks.

/john


list-bounces at lists.dshield.org wrote on 07/03/2008 03:08:58 AM:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mike Hale wrote:
> > Have you tried running something like ProcMon and FileMon?  They might
> > be of some help.
>
> TCPView, FileMon, ProcMon, ... -- been through the sysinternals tool
> kit. No help. But, thanks for the thought.
>


Lead, Support and Serve.

The contents of this electronic message, including attachments, are
transmitted by the Office of State Finance, an Oklahoma government agency
according to the Uniform Electronic Transactions Act, 12A O.S. 15-101 et
seq.  This message is intended for use by the named addressee only and may
contain information that is confidential or private according to state or
federal laws.  If you have received this electronic message in error,
please notify the sender by a “reply to sender only” message, delete it
completely from your computer and maintain confidentiality of the message.
Any unauthorized disclosure, distribution, or use of the contents of this
message is prohibited and subjects the user to penalty of law.
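The hash-set step John describes (hash every file on a read-only mounted drive, match against a known-malware set, then diff against a known-good patched baseline when the set finds nothing), as an added example that is not part of this thread or of Gargoyle's tooling; the one-digest-per-file SHA-1 set and the constructed sample tree are assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB pieces so large files stay off the heap

def sha1_file(path):
    """Stream one file through SHA-1 (assumed digest type for the hash set)."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root):
    """Map every regular file under the read-only mount to its digest."""
    root = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # never follow links off the mounted image
            result[p.relative_to(root).as_posix()] = sha1_file(p)
    return result

def known_bad_hits(tree_hashes, bad_set):
    """Files whose digest appears in the known-malware hash set."""
    return sorted(p for p, h in tree_hashes.items() if h in bad_set)

def diff_against_baseline(tree_hashes, baseline):
    """Files new or changed relative to a known-good (patched) baseline:
    the short list worth looking at by hand when the hash set finds nothing."""
    new = sorted(p for p in tree_hashes if p not in baseline)
    modified = sorted(p for p, h in tree_hashes.items()
                      if p in baseline and baseline[p] != h)
    return new, modified

def build_sample_tree():
    """Constructed stand-in for a mounted Windows volume (not a real image)."""
    root = Path(tempfile.mkdtemp())
    sys32, tmp = root / "Windows" / "System32", root / "Windows" / "Temp"
    sys32.mkdir(parents=True)
    tmp.mkdir()
    (sys32 / "kernel32.dll").write_bytes(b"constructed legit kernel32")
    (sys32 / "svchost.exe").write_bytes(b"constructed legit svchost")
    (tmp / "x.exe").write_bytes(b"constructed sample, stands in for malware")
    return root
```

On a real case, point `hash_tree` at the read-only mount point and load the known-bad and baseline digests from the hash set you trust; the baseline must come from a machine at the same patch level or every patched file shows up as modified.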


