Security Basics mailing list archives

Re: RE: How to find process behind TCP connection ?


From: "Colin Copley" <colin.75 () btinternet com>
Date: Thu, 5 Oct 2006 18:25:55 +0100

"Buozis, Martynas" <martynas () ti com> Wrote:

"How I can find real processes behind activity when "netstat -abvo" shows
that it is "System 4" process?"

Sygate Personal Firewall, unfortunately no longer supported, had a couple of
interesting features, anti-application and dll authentication.  This would
tell you the executable or dll that had launched a process that wanted
access, and also provided a handy dump of the packet.  I'm sure most major
firewalls also provide this info, I hear Kerio is a handy, lightweight
alternative but haven't checked it out yet.  If you would like to try spf
mail me for the setup.exe.

However, what I think it's going to show is whatever is the win2003 version
of kernel32.dll / ntosken.dll, i.e. "system" PID:4. If that's the case and
it has been compromised to scan and attempt logins to the other machines on
the network, have you another server that is not showing this behavior? If
they're both at the same patch level, doing a binary diff on the dll's might
give you reason enough to take it offline and re-install.

Could you provide a packet dump of the suspect traffic? I'm sure someone on
the list will be able to figure out what's going on with enough info, or at
least confirm that this server needs nuked.

Regards
Colin
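One way to carry out the binary diff Colin proposes, as an added PowerShell example that is not part of the original thread. It assumes two servers at the same patch level, that you run New-DllManifest once on each and copy the resulting CSVs to one machine, and it covers the .sys drivers as well as DLLs because activity owned by PID 4 comes from kernel-mode code; the function names and CSV layout are my own.

```powershell
# Build a hash/signature manifest of the DLLs and drivers under System32 on
# one host. Run on both the suspect server and the clean reference server.
function New-DllManifest {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32'),
        [Parameter(Mandatory)] [string]$OutFile      # e.g. C:\temp\suspect.csv
    )
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object Extension -in '.dll', '.sys' |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                # Path relative to System32 so the two manifests line up
                Name      = $_.FullName.Substring($Path.Length).TrimStart('\')
                Length    = $_.Length
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signature = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer    = $sig.SignerCertificate.Subject
            }
        } | Export-Csv -Path $OutFile -NoTypeInformation
}

# Compare the two manifests and report every file that is missing on one
# side or whose hash differs; also flags signature status on both sides so an
# unsigned or tampered binary on the suspect host stands out.
function Compare-DllManifests {
    param(
        [Parameter(Mandatory)] [string]$SuspectCsv,  # server showing the traffic
        [Parameter(Mandatory)] [string]$CleanCsv     # server that does not
    )
    $s = @{}; Import-Csv $SuspectCsv | ForEach-Object { $s[$_.Name] = $_ }
    $c = @{}; Import-Csv $CleanCsv   | ForEach-Object { $c[$_.Name] = $_ }
    foreach ($name in (@($s.Keys) + @($c.Keys) | Sort-Object -Unique)) {
        if (-not $c.ContainsKey($name))                 { $why = 'only on suspect host' }
        elseif (-not $s.ContainsKey($name))             { $why = 'only on clean host' }
        elseif ($s[$name].SHA256 -ne $c[$name].SHA256)  { $why = 'hash differs' }
        else { continue }                               # identical, nothing to report
        [pscustomobject]@{
            Name       = $name
            Reason     = $why
            SuspectSig = $s[$name].Signature
            CleanSig   = $c[$name].Signature
        }
    }
}

# Usage (after copying both CSVs to one machine):
# Compare-DllManifests -SuspectCsv C:\temp\suspect.csv -CleanCsv C:\temp\clean.csv |
#     Format-Table -AutoSize
```

Any entry reported as "hash differs" with a Signature other than Valid on the suspect side is the kind of evidence Colin describes as reason enough to take the box offline and rebuild.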

