|
Incidents
Tracking down random ICMP Jan 22 2007 01:19PM Craig Chamberlain (craig chamberlain Q1Labs com) (3 replies) Re: Tracking down random ICMP Jan 23 2007 03:32PM Valdis Kletnieks vt edu (2 replies) Re: Tracking down random ICMP Jan 25 2007 12:13PM Javier Fernández-Sanguino (jfernandez germinus com) (1 replies) Re: Tracking down random ICMP Jan 25 2007 05:20PM Valdis Kletnieks vt edu (2 replies) DoS attacks using ports 31800, 31900 ? Feb 02 2007 06:27PM David Gillett (gillettdavid fhda edu) (1 replies) |
|
|
Privacy Statement |
> So, in other words, for the original poster: use ListDLLs
> (http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ListD
lls.mspx)
> which will list all processes and show you DLLs that each of them is
> using. Then go through that list and eliminate all processes that are
> not using Iphlpapi.dll. Now you will have a list of processes that
> need to be examined further.
Even simpler, provided the Windows system is running at least Windows
XP, you can use the tasklist program with the /m option to directly find
out all the processes that have Iphlpapi.dll loaded.
Because Iphlpapi.dll is a DLL that contains common network functions,
tasklist will certainly list several processes with the DLL loaded.
You can then try to suspend one by one each process with PsSuspend from
Sysinternals and see if the ICMP activity stops or not.
If the system is receiving ICMP packets in response to the sent traffic
and if the Windows firewall is configured to log dropped traffic, you
can easily verify if suspending a process stops the ICMP traffic by
"tailing" Pfirewall.log or looking at the file size.
Both tasklist and PsSuspend work on remote systems (MSRPC over SMB is
used in that case, requires 139/tcp or 445/tcp to the remote system),
provided you have administrator credentials. Typically, you would first
establish an SMB session with net use using administrator credentials.
Jean-Baptiste Marchand
[ reply ]