RE: SYN_SENT to port 8081
Feb 27 2004 10:29PM
tleroy (at) rochester.rr (dot) com
Everyone,
Thanks for the outstanding support! I received many responses to my
posting.
A registry search for the IP did not turn up anything.
fport only seems to be available for NT-based OSes.
I found the problem with Process Explorer by Sysinternals.com. It's
a great free Task Manager-like utility I found at SysInternals' site which
was recommended by Miroslaw Chorazy (Thanks Miroslaw!).
I saw an entry called WindowsUpd1.exe. I killed the process using
Process Explorer, did a netstat -a, and the strange entry was gone.
I did a Google search for WindowsUpd1.exe and found that some scumware
called VirtuMonde was responsible. I followed the removal instructions and
appear to be running clean.
I'm surprised Spybot Search & Destroy didn't find it.
Thanks To All!
Sincerely,
Ted LeRoy
MCSE(NT/2000),CCNA, A+
tleroy (at) rochester.rr (dot) com
Original Message:
-----------------
From: Brian Glover brian (at) centurionservice (dot) com
Date: Fri, 27 Feb 2004 13:06:59 -0600
To: tleroy (at) rochester.rr (dot) com, focus-ms (at) securityfocus (dot) com
Subject: RE: SYN_SENT to port 8081
Ted-
You could narrow it down to the application utilizing the outgoing port
with Fport from Foundstone:
http://www.foundstone.com/resources/proddesc/fport.htm
Regards,
Brian Glover
-----Original Message-----
From: Ted LeRoy [mailto:tleroy (at) rochester.rr (dot) com]
Sent: Friday, February 27, 2004 11:23 AM
To: focus-ms (at) securityfocus (dot) com
Subject: SYN_SENT to port 8081
Hello,
I have a Windows 98 Second Edition machine that's consistently
sending SYN_SENT packets to 64.186.152.176:8081. I've run a full virus
scan, and run Spybot Search & Destroy, but the transmission is still
happening. I have not done all Windows 98 updates yet, and am in the
process of doing so.
Below is a copy of the output from a netstat -a:
Microsoft(R) Windows 98
(C)Copyright Microsoft Corp 1981-1999.
C:\WINDOWS\Desktop>netstat -a

Active Connections

  Proto  Local Address      Foreign Address        State
  TCP    fns010:1032        FNS010:0               LISTENING
  TCP    fns010:42510       FNS010:0               LISTENING
  TCP    fns010:1026        FNS010:0               LISTENING
  TCP    fns010:1025        FNS010:0               LISTENING
  TCP    fns010:1025        ROCHBDC:nbsession      ESTABLISHED
  TCP    fns010:1029        FNS010:0               LISTENING
  TCP    fns010:1032        64.186.152.176:8081    SYN_SENT
  TCP    fns010:42508       FNS010:0               LISTENING
  TCP    fns010:137         FNS010:0               LISTENING
  TCP    fns010:138         FNS010:0               LISTENING
  TCP    fns010:nbsession   FNS010:0               LISTENING
  UDP    fns010:42508       *:*
  UDP    fns010:nbname      *:*
  UDP    fns010:nbdatagram  *:*

Google and Microsoft searches have yielded little. Does anyone out
there know of an attack that evades Spybot and CA Anti-Virus, and
exhibits the characteristics above?
Sincerely,
Ted LeRoy
MCSE(NT/2000), CCNA, A+
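
Added example, not part of the original thread: a Python sketch of the triage step described above, parsing netstat -a output and pulling out TCP connections stuck in SYN_SENT toward public IP addresses so the local port can be traced to a process. The function names are chosen for this example, and the sample input is an excerpt of the rows quoted in the thread.

```python
import ipaddress
import re

# Excerpt of the netstat -a rows quoted in the thread (Windows 98 SE host "fns010").
NETSTAT_OUTPUT = """\
Proto Local Address Foreign Address State
TCP fns010:1032 FNS010:0 LISTENING
TCP fns010:1025 ROCHBDC:nbsession ESTABLISHED
TCP fns010:1032 64.186.152.176:8081 SYN_SENT
TCP fns010:137 FNS010:0 LISTENING
UDP fns010:42508 *:*
"""

# proto, local host:port, foreign host:port, optional state (UDP rows have none)
ROW = re.compile(r"^(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+(\S+))?$")
KEYS = ("proto", "lhost", "lport", "rhost", "rport", "state")

def parse_netstat(text):
    """Return one dict per connection row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(dict(zip(KEYS, m.groups())))
    return rows

def is_public_ip(host):
    """True only for a literal, globally routable IP (not a NetBIOS or host name)."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False

def pending_outbound(rows):
    """TCP connection attempts still waiting for a SYN/ACK from a public address."""
    return [r for r in rows
            if r["proto"] == "TCP" and r["state"] == "SYN_SENT"
            and is_public_ip(r["rhost"])]

def report(text):
    """Map 'remote_ip:port' to the local source ports to look up in a process tool."""
    out = {}
    for r in pending_outbound(parse_netstat(text)):
        out.setdefault(f'{r["rhost"]}:{r["rport"]}', []).append(r["lport"])
    return out

if __name__ == "__main__":
    for remote, ports in report(NETSTAT_OUTPUT).items():
        print(f"unanswered SYN to {remote} from local port(s) {', '.join(ports)}")
```

The local port in the result is the value to look up in a process-to-port tool such as the Process Explorer or Fport utilities mentioned in the thread.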