Incidents
Tracking down random ICMP Jan 22 2007 01:19PM
Craig Chamberlain (craig chamberlain Q1Labs com) (3 replies)
Re: Tracking down random ICMP Feb 02 2007 11:25PM
Frank Knobbe (frank knobbe us)
Re: Tracking down random ICMP Jan 23 2007 03:32PM
Valdis Kletnieks vt edu (2 replies)
Re: Tracking down random ICMP Jan 25 2007 12:13PM
Javier Fernández-Sanguino (jfernandez germinus com) (1 replies)
Re: Tracking down random ICMP Jan 25 2007 05:20PM
Valdis Kletnieks vt edu (2 replies)
DoS attacks using ports 31800, 31900 ? Feb 02 2007 06:27PM
David Gillett (gillettdavid fhda edu) (1 replies)
Re: DoS attacks using ports 31800, 31900 ? Feb 06 2007 03:36PM
Deapesh Misra (deapesh gmail com)
Attempted FTP intrusion Jan 31 2007 05:43PM
David Gillett (gillettdavid fhda edu) (1 replies)
Re: Attempted FTP intrusion Jan 31 2007 10:09PM
Tillmann Werner (tillmann werner gmx de)
Re: Tracking down random ICMP Jan 23 2007 09:37PM
Jose Nazario (jose monkey org) (1 replies)
Re: Tracking down random ICMP Jan 24 2007 01:05AM
Bojan Zdrnja (bojan zdrnja gmail com) (1 replies)
Re: Tracking down random ICMP Feb 09 2007 12:17AM
Jean-Baptiste Marchand (jbm lists gmail com)
On Wed, Jan 24, 2007 at 02:05:55PM +1300, Bojan Zdrnja wrote:

> So, in other words, for the original poster: use ListDLLs
> (http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ListDlls.mspx)
> which will list all processes and show you DLLs that each of them is
> using. Then go through that list and eliminate all processes that are
> not using Iphlpapi.dll. Now you will have a list of processes that
> need to be examined further.

Even simpler, provided the Windows system is running at least Windows
XP, you can use the tasklist program with the /m option to directly find
out all the processes that have Iphlpapi.dll loaded.

Because Iphlpapi.dll is a DLL that contains common network functions,
tasklist will certainly list several processes with the DLL loaded.

You can then try to suspend one by one each process with PsSuspend from
Sysinternals and see if the ICMP activity stops or not.

If the system is receiving ICMP packets in response to the sent traffic
and if the Windows firewall is configured to log dropped traffic, you
can easily verify if suspending a process stops the ICMP traffic by
"tailing" Pfirewall.log or looking at the file size.

Both tasklist and PsSuspend work on remote systems (MSRPC over SMB is
used in that case, which requires 139/tcp or 445/tcp to the remote
system), provided you have administrator credentials. Typically, you
would first establish an SMB session with net use using administrator
credentials.

Jean-Baptiste Marchand

[ reply ]
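A worked version of the check described in the message above, added here as an example and not part of the original post or of any Sysinternals tool: it parses the CSV output of `tasklist /m Iphlpapi.dll /fo csv` to list candidate processes, then counts dropped ICMP entries in Pfirewall.log in a window before and after the moment a process was suspended with PsSuspend, which is the "tail the log and see if it stops" step done with numbers instead of eyeballing file size. The tasklist column names and the W3C log layout are assumptions (they match the Windows XP SP2 firewall log format), and both inputs are constructed samples so the script runs offline.

```python
# Added example, not from the original post. Helper for the procedure above:
# list processes with Iphlpapi.dll loaded, then test whether dropped ICMP in
# Pfirewall.log stops after a given process has been suspended with PsSuspend.
# Assumed formats: CSV output of `tasklist /m Iphlpapi.dll /fo csv` and the
# classic Windows Firewall W3C log with a "#Fields:" header line.
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of `tasklist /m Iphlpapi.dll /fo csv` (column names assumed).
TASKLIST_CSV = """\
"Image Name","PID","Modules"
"svchost.exe","1032","Iphlpapi.dll"
"explorer.exe","1488","Iphlpapi.dll"
"updater.exe","2212","Iphlpapi.dll"
"""

# Constructed sample of %windir%\pfirewall.log with dropped-packet logging on.
PFIREWALL_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2007-01-23 10:14:03 DROP ICMP 10.0.0.7 192.168.1.5 - - 60 - - - - 0 0 - RECEIVE
2007-01-23 10:14:33 DROP ICMP 10.0.0.9 192.168.1.5 - - 60 - - - - 0 0 - RECEIVE
2007-01-23 10:15:02 DROP ICMP 10.0.0.7 192.168.1.5 - - 60 - - - - 0 0 - RECEIVE
2007-01-23 10:15:31 DROP TCP 10.0.0.20 192.168.1.5 3345 445 48 S 1234 0 65535 - - - RECEIVE
2007-01-23 10:15:58 DROP ICMP 10.0.0.11 192.168.1.5 - - 60 - - - - 0 0 - RECEIVE
2007-01-23 10:17:10 DROP TCP 10.0.0.21 192.168.1.5 3346 139 48 S 5678 0 65535 - - - RECEIVE
"""


def processes_loading_module(tasklist_csv):
    """Return [(image name, pid)] from CSV output of `tasklist /m <dll> /fo csv`."""
    reader = csv.DictReader(io.StringIO(tasklist_csv))
    return [(row["Image Name"], int(row["PID"])) for row in reader]


def parse_pfirewall_log(text):
    """Parse W3C-style pfirewall.log text into dicts keyed by the #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip malformed or truncated lines instead of aborting
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def icmp_drops(records):
    """Only the entries the firewall dropped and that are ICMP."""
    return [r for r in records if r["action"] == "DROP" and r["protocol"] == "ICMP"]


def icmp_per_minute(records):
    """Dropped ICMP packets per minute: the view you get by tailing the log."""
    return Counter(r["ts"].strftime("%Y-%m-%d %H:%M") for r in icmp_drops(records))


def icmp_before_after(records, suspend_at, window_seconds=120):
    """Count dropped ICMP packets in the window before and after a PsSuspend.

    suspend_at is a datetime or a 'YYYY-MM-DD HH:MM:SS' string."""
    if isinstance(suspend_at, str):
        suspend_at = datetime.strptime(suspend_at, "%Y-%m-%d %H:%M:%S")
    window = timedelta(seconds=window_seconds)
    drops = icmp_drops(records)
    before = sum(1 for r in drops if suspend_at - window <= r["ts"] < suspend_at)
    after = sum(1 for r in drops if suspend_at <= r["ts"] < suspend_at + window)
    return before, after


def suspend_verdict(records, suspend_at, window_seconds=120):
    """Human-readable result for one suspend/observe cycle."""
    before, after = icmp_before_after(records, suspend_at, window_seconds)
    if before == 0:
        return "no ICMP baseline before suspend; widen the window"
    if after == 0:
        return "ICMP stopped"
    return "ICMP continued (%d after vs %d before)" % (after, before)


if __name__ == "__main__":
    for name, pid in processes_loading_module(TASKLIST_CSV):
        print("candidate: %s (pid %d)" % (name, pid))
    recs = parse_pfirewall_log(PFIREWALL_LOG)
    print(dict(icmp_per_minute(recs)))
    # Suppose pid 2212 was suspended at 10:16:00 (constructed timestamp).
    print("pid 2212:", suspend_verdict(recs, "2007-01-23 10:16:00"))
```

Run it against a real log by replacing the constructed strings with the file contents and noting the wall-clock time of each `pssuspend <pid>` (and `pssuspend -r <pid>` to resume before moving to the next candidate). A process whose suspension makes the after-count drop to zero while the before-count was non-zero is the one to examine further; a zero baseline means the window was too short, not that the process is innocent.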
Re: Tracking down random ICMP Jan 23 2007 03:50AM
Kyle Maxwell (krmaxwell gmail com)
Copyright 2010, SecurityFocus