Security Basics mailing list archives
Re: RE: How to find process behing TCP connection ?
From: "Colin Copley" <colin.75 () btinternet com>
Date: Thu, 5 Oct 2006 18:25:55 +0100
"Buozis, Martynas" <martynas () ti com> wrote:

> How I can find real processes behind activity when "netstat -abvo" shows that it is "System 4" process?

Sygate Personal Firewall, unfortunately no longer supported, had a couple of interesting features: anti-application and DLL authentication. This would tell you the executable or DLL that had launched a process that wanted access, and also provided a handy dump of the packet. I'm sure most major firewalls also provide this info; I hear Kerio is a handy, lightweight alternative but haven't checked it out yet. If you would like to try SPF, mail me for the setup.exe.

However, what I think it's going to show is whatever is the Win2003 version of kernel32.dll / ntosken.dll, i.e. "System" PID 4. If that's the case and it has been compromised to scan and attempt logins to the other machines on the network, have you another server that is not showing this behaviour? If they're both at the same patch level, doing a binary diff on the DLLs might give you reason enough to take it offline and re-install.

Could you provide a packet dump of the suspect traffic? I'm sure someone on the list will be able to figure out what's going on with enough info, or at least confirm that this server needs to be nuked.

Regards
Colin
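The "binary diff on the DLLs" suggested above can be done by hashing the system binaries on the clean server and on the suspect server and comparing the two manifests. The script below is an added example, not code from the original thread; it builds SHA-256 manifests of two directory trees, reports files that differ or exist on only one side, and uses a constructed pair of temporary directories (fake "system32" folders with a modified tcpip.sys and an extra DLL) in place of the two real servers. The file patterns and the directory names are assumptions for illustration.

```python
"""Compare file-hash manifests of two system directories (clean vs. suspect).

Added example: hash every *.dll / *.exe / *.sys under each tree and report
what differs. Run it against a known-good host and the suspect host at the
same patch level; anything listed as changed or only_in_suspect deserves a
closer look (or a check against the vendor's own file hashes).
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root, patterns=("*.dll", "*.exe", "*.sys")) -> dict:
    """Map relative path (lower-cased, POSIX separators) -> SHA-256 for matching files."""
    root = Path(root)
    manifest = {}
    for pattern in patterns:
        for path in root.rglob(pattern):
            if path.is_file():
                manifest[path.relative_to(root).as_posix().lower()] = hash_file(path)
    return manifest


def diff_manifests(reference: dict, suspect: dict) -> dict:
    """Split the two manifests into changed / only-in-reference / only-in-suspect lists."""
    ref_keys, sus_keys = set(reference), set(suspect)
    return {
        "changed": sorted(k for k in ref_keys & sus_keys if reference[k] != suspect[k]),
        "only_in_reference": sorted(ref_keys - sus_keys),
        "only_in_suspect": sorted(sus_keys - ref_keys),
    }


def build_sample_trees():
    """Constructed sample data: two fake system32 folders standing in for two servers.

    server_a is the clean reference; server_b has a modified tcpip.sys and an
    extra DLL that the reference does not have. readme.txt is there to show
    that files outside the patterns are ignored.
    """
    base = Path(tempfile.mkdtemp(prefix="dlldiff_"))
    ref = base / "server_a" / "system32"
    sus = base / "server_b" / "system32"
    for d in (ref, sus):
        d.mkdir(parents=True)
    common = {
        "kernel32.dll": b"kernel32 build 3790 (constructed)",
        "ntdll.dll": b"ntdll build 3790 (constructed)",
        "tcpip.sys": b"tcpip build 3790 (constructed)",
    }
    for name, data in common.items():
        (ref / name).write_bytes(data)
        (sus / name).write_bytes(data)
    (sus / "tcpip.sys").write_bytes(b"tcpip build 3790 (constructed) -- modified")
    (sus / "extra.dll").write_bytes(b"file present only on the suspect host")
    (ref / "readme.txt").write_bytes(b"ignored: not a dll/exe/sys")
    return ref, sus


def run_demo() -> dict:
    """Build the sample trees and return the diff between them."""
    ref, sus = build_sample_trees()
    return diff_manifests(build_manifest(ref), build_manifest(sus))


if __name__ == "__main__":
    for category, files in run_demo().items():
        print(f"{category}: {', '.join(files) if files else '-'}")
```

In real use you would run `build_manifest` on each server separately (the manifests are plain dicts, so they can be dumped to JSON and carried to a third machine) and compare there. A difference only tells you the files are not identical; as Colin notes, both hosts must be at the same patch level for the comparison to mean anything, and a match against the vendor's published hashes or the installation media is stronger evidence than a match against another possibly-affected server.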
Current thread:
- Re: How to find process behing TCP connection ? Ansgar -59cobalt- Wiechers (Oct 02)
- <Possible follow-ups>
- Re: RE: How to find process behing TCP connection ? deabimakgi (Oct 02)
- RE: RE: How to find process behing TCP connection ? Chesnutt, Lindsey P (Oct 03)
- RE: RE: How to find process behing TCP connection ? Buozis, Martynas (Oct 05)
- Re: RE: How to find process behing TCP connection ? Colin Copley (Oct 06)
- Re: RE: How to find process behing TCP connection ? Ansgar -59cobalt- Wiechers (Oct 06)
- RE: RE: How to find process behind TCP connection ? Robert D. Holtz - Lists (Oct 06)
- RE: RE: How to find process behing TCP connection ? Chesnutt, Lindsey P (Oct 03)