Whatever I/P stack you are using, I would start pumping some MSN I/M
packets around on my small subnet for this kind of thing. Mirroring a port
will give you the data and you can analyze with your favorite sniffer. See
what happens as the needed ports come alive and then time out. It might give
you a better picture.
Richard
-----Original Message-----
From: firewall-wizards-bounces@listserv.cybertrust.com
[mailto:firewall-wizards-bounces@listserv.cybertrust.com] On Behalf Of J.
Oquendo
Sent: Wednesday, March 28, 2007 2:25 PM
To: Firewall Wizards Security Mailing List
Cc: firewall-wizards@listserv.cybertrust.com
Subject: Re: [fw-wiz] OT? New compromise.
St John, Richard wrote:
>
> Once you determine there might be an issue, I think there used to be a
> program called openports which would run on the machine and relate any
> LISTENING or ESTABLISHED ports to the actual file that has the port
> open. This would then give you the service/process/program waiting for
> traffic on that port.
On Windows
c:\> netstat -an | find /i "listening"
Why download when you can use existing tools...
Others...
# lsof | grep -i listen
# netstat -l | grep "*"
# netstat -a | grep -i listen (for Solaris ... at least 5.10)
--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net
The happiness of society is the end of government.
John Adams
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
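
Added example (not part of the original thread): one way to relate LISTENING and ESTABLISHED TCP ports to the program that holds them, as discussed above, using only what a Linux host already exposes under /proc. It assumes Linux, IPv4, and a little-endian host; the function names and the sample table are constructed for illustration.

```python
import os
import re
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0747 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23456
   2: 0A00000A:C350 1400000A:0050 01 00000000:00000000 00:00000000 00000000  1000        0 34567
   3: 0A00000A:C351 1400000A:0050 06 00000000:00000000 00:00000000 00000000     0        0 0
"""
TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}  # other states are ignored

def parse_proc_net_tcp(text):
    """Return {inode: (ip, port, state)} for LISTEN/ESTABLISHED sockets."""
    sockets = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10 or f[3] not in TCP_STATES:
            continue
        ip_hex, port_hex = f[1].split(":")
        # The kernel prints the address as a host-order word (little-endian assumed).
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        sockets[int(f[9])] = (ip, int(port_hex, 16), TCP_STATES[f[3]])
    return sockets

def socket_owners(proc_root="/proc"):
    """Return {inode: (pid, exe)} from each process's fd -> socket:[inode] links."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            exe = os.readlink(os.path.join(proc_root, pid, "exe"))
            targets = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:  # process exited, or we lack the privilege to look
            continue
        for target in targets:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), (int(pid), exe))
    return owners

def ports_to_programs(tcp_text, proc_root="/proc"):
    """Join the socket table with fd owners; unknown owners are reported as such."""
    owners = socket_owners(proc_root)
    rows = [(state, ip, port) + owners.get(inode, (None, "unknown"))
            for inode, (ip, port, state) in parse_proc_net_tcp(tcp_text).items()]
    return sorted(rows, key=lambda r: (r[0], r[2]))
```

On a live host, pass the contents of /proc/net/tcp to ports_to_programs() while running as root; sockets reported as "unknown" when run as root have no owning process visible in this /proc.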