Re: [Full-Disclosure] Lots of traffic on port 1472 from explorer

[Giuseppe Milicia <[EMAIL PROTECTED]>]

Guys,

thanks a lot for the tips, indeed there was a KLP keylogger.

I removed it, but it seems that something else is amiss,
I still see lots of traffic from explorer.exe on the 1472 port.

> > from a home computer I'm seeing lots of traffic
> > generated from
> > explorer on port 1472 towards the microsoft-ds port,
> > typically
> > on IP addresses starting with 35.xx.xx.xx
>
> This isn't clear...is it coming from a system you have
> control of?  I'm going to assume that this is the
> case, since it seems you were able to run some kind of
> port to process mapping tool.

The traffic is indeed coming from a system I have control of,
I still have no dumps though. I can see nothing worrying apart
from the aforementioned keylogger which has now been removed

> > It looks like a worm but I could not find any
> > references around
> > and Trend Micro detects nothing.
>
> What makes you say that it looks like a worm?  What
> kind of activity are you seeing?  Do you have
> captures?

Lots of data is transferred from my computer to the outside world,
pretty much all to addresses in the 35.xx.xx.xx range on the
microsoft-ds port. Huge amount of short lived connections.
I thought it looked like worm activity but I might be wrong.

Thanks!

--
Giuseppe

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html