Archived thread from microsoft.public.cert.exams.mcse (June 2003): xp attack

Subject: xp attack
Author: nick
Date: 2003-06-29, 10:23 am

This is the information tracked for one attack (remember
that I didn't update the dll recently):
--------------------------------
A new DLL has been loaded by Generic Host Process for Win32 Services.
This could happen if you have updated it recently. Do you want to allow
it to access the network?
===============================

#The new DLLs have been loaded:
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\pchsvc.dll

To disable DLL Authentication go to the security tab
under the Tools, Options menu.

File Version : 5.1.2600.0 (xpclient.010817-1148)
File Description : Generic Host Process for Win32 Services
File Path : C:\WINDOWS\system32\svchost.exe
Process ID : 3C8 (Hexadecimal) 968 (Decimal)

Connection origin : local initiated
Protocol : UDP
Local Address : 172.143.32.55
Local Port : 3086
Remote Name :
Remote Address : 239.255.255.250
Remote Port : 1900 (SSDP - Simple Service Discovery Protocol)

Ethernet packet details:
Ethernet II (Packet Length: 175)
Destination: 04-00-20-00-04-00
Source: 00-00-04-00-00-00
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 1
Protocol: 0x11 (UDP - User Datagram Protocol)
Header checksum: 0x28f2 (Correct)
Source: 172.143.32.55
Destination: 239.255.255.250
User Datagram Protocol
Source port: 3086
Destination port: 1900
Length: 8
Checksum: 0xaf88 (Correct)
Data (141 Bytes)

Binary dump of the packet:
0000: 04 00 20 00 04 00 00 00 : 04 00 00 00 08 00 45 00  | .. ...........E.
0010: 00 A1 0A 63 00 00 01 11 : F2 28 AC 8F 20 37 EF FF  | ...c.....(.. 7..
0020: FF FA 0C 0E 07 6C 00 8D : 88 AF 4D 2D 53 45 41 52  | .....l....M-SEAR
0030: 43 48 20 2A 20 48 54 54 : 50 2F 31 2E 31 0D 0A 48  | CH * HTTP/1.1..H
0040: 6F 73 74 3A 32 33 39 2E : 32 35 35 2E 32 35 35 2E  | ost:239.255.255.
0050: 32 35 30 3A 31 39 30 30 : 0D 0A 53 54 3A 75 72 6E  | 250:1900..ST:urn
0060: 3A 73 63 68 65 6D 61 73 : 2D 75 70 6E 70 2D 6F 72  | :schemas-upnp-or
0070: 67 3A 64 65 76 69 63 65 : 3A 49 6E 74 65 72 6E 65  | g:device:Interne
0080: 74 47 61 74 65 77 61 79 : 44 65 76 69 63 65 3A 31  | tGatewayDevice:1
0090: 0D 0A 4D 61 6E 3A 22 73 : 73 64 70 3A 64 69 73 63  | ..Man:"ssdp:disc
00A0: 6F 76 65 72 22 0D 0A 4D : 58 3A 33 0D 0A 0D 0A     | over"..MX:3....

>-----Original Message-----
>Recently my XP Pro PC got several attacks from 224.0.0.22
>(IGMP.MCAST.NET). One attack is to change %windows%
>\explorer.exe. Another one is to change %WINDOWS%
>\PCHEALTH\HELPCTR\Binaries\pch*.dll files. Would anyone
>please tell me how I should deal with the issue? Is
>IGMP.MCAST.NET a well-known attack machine? Who owns this
>machine?
>Thank you.
>Nick
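The packet in nick's log is a standard SSDP search rather than an inbound attack: 239.255.255.250 is the UPnP multicast group, port 1900 is SSDP, the TTL of 1 keeps the datagram on the local link, and the payload is an M-SEARCH for an InternetGatewayDevice, which is what Windows XP's UPnP support (the SSDP Discovery Service, running inside svchost.exe) sends when it looks for a UPnP-capable router. In the same way 224.0.0.22 (igmp.mcast.net) is the IGMPv3 membership-report multicast group, not a machine anyone owns. The decoder below is an added example for this page, not code from the thread or from the firewall product: it takes the hex dump above (copied verbatim as constructed input), rebuilds the Ethernet II, IPv4 and UDP headers, recomputes both checksums, parses the SSDP request and classifies the flow. It assumes an untagged frame with no IPv4 options, which is true of this dump, and accepts any other dump in the same "offset: bytes : bytes" layout.

```python
"""Decode the firewall's packet dump from the post above.

Added example for this page (not code from the thread or from the firewall
product). The hex dump is copied from the post; the decoder is a minimal
Ethernet II / IPv4 / UDP / SSDP parser that assumes an untagged frame and an
IPv4 header without options, which is what the dump contains.
"""
import struct
from ipaddress import IPv4Address

# Constructed input: the "Binary dump of the packet" lines from the post
# (offset, sixteen hex bytes, a ':' separator after the eighth byte).
HEX_DUMP = """\
0000: 04 00 20 00 04 00 00 00 : 04 00 00 00 08 00 45 00
0010: 00 A1 0A 63 00 00 01 11 : F2 28 AC 8F 20 37 EF FF
0020: FF FA 0C 0E 07 6C 00 8D : 88 AF 4D 2D 53 45 41 52
0030: 43 48 20 2A 20 48 54 54 : 50 2F 31 2E 31 0D 0A 48
0040: 6F 73 74 3A 32 33 39 2E : 32 35 35 2E 32 35 35 2E
0050: 32 35 30 3A 31 39 30 30 : 0D 0A 53 54 3A 75 72 6E
0060: 3A 73 63 68 65 6D 61 73 : 2D 75 70 6E 70 2D 6F 72
0070: 67 3A 64 65 76 69 63 65 : 3A 49 6E 74 65 72 6E 65
0080: 74 47 61 74 65 77 61 79 : 44 65 76 69 63 65 3A 31
0090: 0D 0A 4D 61 6E 3A 22 73 : 73 64 70 3A 64 69 73 63
00A0: 6F 76 65 72 22 0D 0A 4D : 58 3A 33 0D 0A 0D 0A
"""

SSDP_GROUP = IPv4Address("239.255.255.250")  # UPnP/SSDP multicast group
SSDP_PORT = 1900


def parse_hex_dump(text):
    """Turn 'OFFSET: xx xx ... : xx xx' lines into raw bytes (the ASCII column is not needed)."""
    frame = bytearray()
    for line in text.splitlines():
        _offset, sep, rest = line.partition(":")
        if not sep:
            continue
        frame += bytes(int(tok, 16) for tok in rest.replace(":", " ").split())
    return bytes(frame)


def internet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words, zero-padded to even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ssdp(payload):
    """Split an HTTP-over-UDP request into its request line and a header dict (names upper-cased)."""
    head = payload.decode("ascii").split("\r\n\r\n", 1)[0]
    request, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return {"request": request, "headers": headers}


def decode_frame(frame):
    """Decode Ethernet II -> IPv4 -> UDP -> SSDP and verify both checksums against the wire."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    vihl, _tos, total_len, _ident, _frag, ttl, proto, ip_csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    ip_hdr = ip[:ihl]
    # Recompute the header checksum with the checksum field (bytes 10-11) zeroed.
    ip_ok = internet_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]) == ip_csum
    if proto != 17:
        raise ValueError("not UDP: protocol %d" % proto)
    udp = ip[ihl:total_len]
    sport, dport, ulen, udp_csum = struct.unpack("!HHHH", udp[:8])
    payload = udp[8:ulen]
    # The UDP checksum covers the IPv4 pseudo-header (src, dst, zero, proto, length) and the datagram.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, ulen)
    udp_ok = internet_checksum(pseudo + udp[:6] + b"\x00\x00" + payload) == udp_csum
    return {
        "length": len(frame),
        "src_mac": src_mac.hex("-"),
        "dst_mac": dst_mac.hex("-"),
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "ttl": ttl,
        "sport": sport,
        "dport": dport,
        "udp_length": ulen,
        "ip_checksum_ok": ip_ok,
        "udp_checksum_ok": udp_ok,
        "ssdp": parse_ssdp(payload),
    }


def classify(pkt):
    """Label the flow: a locally originated M-SEARCH to 239.255.255.250:1900 is UPnP discovery."""
    dst = IPv4Address(pkt["dst"])
    request = pkt["ssdp"]["request"]
    if dst == SSDP_GROUP and pkt["dport"] == SSDP_PORT and request.startswith("M-SEARCH "):
        scope = "link-local (TTL 1)" if pkt["ttl"] == 1 else "TTL %d" % pkt["ttl"]
        return "outbound SSDP M-SEARCH to the UPnP multicast group, %s; not an inbound connection" % scope
    if dst.is_multicast:
        return "other multicast traffic to %s:%d" % (dst, pkt["dport"])
    return "unicast UDP %s:%d -> %s:%d" % (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def analyze(text):
    """Parse a dump in the post's layout and attach a verdict."""
    pkt = decode_frame(parse_hex_dump(text))
    pkt["verdict"] = classify(pkt)
    return pkt


if __name__ == "__main__":
    for key, value in analyze(HEX_DUMP).items():
        print("%-16s %s" % (key, value))
```

Running the block prints one line per decoded field; the verdict line reads "outbound SSDP M-SEARCH to the UPnP multicast group, link-local (TTL 1); not an inbound connection". Both checksums verify against the bytes on the wire (F2 28 and 88 AF); the firewall log prints them byte-swapped as 0x28f2 and 0xaf88, which is only a display convention. A dump whose recomputed checksum disagrees with the stored one gets False in the corresponding field, which is the quickest sign that a capture was mangled or hand-edited.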

Copyright 2003 - 2008 examnotes.net