Bleh. I think I overthunk that one. My bad.
Charles Henson

From: Andrey Tarasov <andyvt_at_gmail.com>
To: Charles.Henson_at_regions.com
Cc: Edouard Zorrilla <ezorrilla_at_tsf.com.pe>, ccielab_at_groupstudy.com, nobody_at_groupstudy.com, security_at_groupstudy.com
Date: 04/26/2010 12:10 PM
Subject: Re: OT : Please Help Security Guys ! (Backdoor issue)
Hi Edouard,
"netstat -ab" is your friend.
Regards,
Andrey.
> Hi,
>
> Here we are facing an issue with a backdoor that uses https to send
> information from machines to the internet (Turkey and Denmark - 78.189.194.126,
> 93.160.202.224). The issue is that we have cleaned these machines with all
> antivirus we know, but the machines keep sending https traffic and we do not
> know how to get at the application (backdoor) that is sending our
> information to Turkey and Denmark. These machines are already isolated.
>
> Do you know a Windows tool so that I can get: which application is using
> a specific destination protocol? I mean, WinMail.exe sends pop3 and smtp
> to the internet; now I need to know which application is sending https traffic
> to the Internet from these machines.
>
> Thanks a lot,
>
> Warm regards
Received on Mon Apr 26 2010 - 12:12:59 ART
This archive was generated by hypermail 2.2.0 : Sat May 01 2010 - 09:49:57 ART
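The answer in the thread is `netstat -ab` (the `-b` switch prints the executable behind each connection and needs an elevated prompt; `netstat -abno` adds the PID and skips name resolution). The script below is an added example, not part of the thread or written by any of its participants: it does the same mapping from PowerShell and records the owning process, its parent, its command line and the SHA-256 of its image so the evidence survives after the connection closes. It assumes a Windows host with the NetTCPIP module (Get-NetTCPConnection) and an elevated session; the two remote addresses in `$SuspectRemote` are the ones quoted in the thread and can be cleared to report every established HTTPS connection.

```powershell
# Added example (not from the thread): map established outbound HTTPS connections to
# their owning process on the isolated host and capture triage details for each.
# Assumptions: modern Windows with Get-NetTCPConnection, elevated PowerShell session.
param(
    # Remote addresses quoted in the thread; pass @() to report all 443 connections.
    [string[]] $SuspectRemote = @('78.189.194.126', '93.160.202.224'),
    [int]      $RemotePort    = 443
)

$conns = Get-NetTCPConnection -State Established -RemotePort $RemotePort -ErrorAction SilentlyContinue
if ($SuspectRemote.Count -gt 0) {
    $conns = $conns | Where-Object { $SuspectRemote -contains $_.RemoteAddress }
}

$report = foreach ($c in $conns) {
    # Win32_Process exposes the image path and full command line even for processes
    # running under another account, which Get-Process may not show.
    $proc = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($c.OwningProcess)"
    $path = $proc.ExecutablePath
    $hash = if ($path -and (Test-Path -LiteralPath $path)) {
        (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
    } else {
        'n/a'
    }
    [pscustomobject]@{
        LocalPort     = $c.LocalPort
        RemoteAddress = $c.RemoteAddress
        RemotePort    = $c.RemotePort
        PID           = $c.OwningProcess
        Name          = $proc.Name
        ParentPID     = $proc.ParentProcessId
        Path          = $path
        SHA256        = $hash
        CommandLine   = $proc.CommandLine
    }
}

$report | Format-List
# Keep a copy for the incident record before the process exits or the socket closes.
$report | Export-Csv -NoTypeInformation -Path "$env:TEMP\https-owners.csv"
```

Run it from an elevated PowerShell on the isolated machine; the CSV in `%TEMP%` is what to hand to whoever analyses the sample. If the owner turns out to be a host process such as svchost.exe or a legitimately signed browser, the parent PID and command line narrow it down, but a backdoor that injects into a clean process will show a clean image hash, and at that point the process memory, not the file on disk, is what has to be examined.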