[Pauldotcom] Strange Traffic
Michael Miller
mike.mikemiller at gmail.com
Wed Aug 25 22:48:44 UTC 2010
I have a fresh Windows VM that I use for testing. I'm not seeing any
traffic on UDP 500 going to Google. Do you have any toolbars
installed on your browser? Do you have any Google applications that
don't live inside the browser installed?
-mmiller
On Wed, Aug 25, 2010 at 2:34 PM, Craig Freyman <craigfreyman at gmail.com> wrote:
> Thanks BZ.
> I'm not sure what it is yet. All I know is the weird
> traffic immediately stops when the Gmail page is closed. Looking at the
> packet captures doesn't reveal anything to me.
>
> On Wed, Aug 25, 2010 at 2:53 PM, Bacon Zombie <baconzombie at gmail.com> wrote:
>>
>> Craig,
>>
>> You can either use Process Explorer or tasklist {via PSExec if on a Remote
>> System} :
>>
>> C:\>tasklist /svc /fi "imagename eq svchost.exe"
>>
>> BaconZombie
>>
>> ….all text in this mail is double-rot13 encrypted. ...
>>
>> On 25 August 2010 20:27, Craig Freyman <craigfreyman at gmail.com> wrote:
>>>
>>> A lot. Is there a utility like process explorer that can tell me the
>>> subprocesses of svchost and the port they're using?
>>>
>>> On Wed, Aug 25, 2010 at 12:09 PM, Bugbear <gbugbear at gmail.com> wrote:
>>>>
>>>> Also what is running under SVCHOST?
>>>>
>>>> On Wed, Aug 25, 2010 at 2:05 PM, Vincent Lape <vlape at me.com> wrote:
>>>> > Can you give a tcpdump of the traffic?
>>>> >
>>>> >
>>>> >
>>>> > On Aug 25, 2010, at 10:54 AM, Craig Freyman <craigfreyman at gmail.com>
>>>> > wrote:
>>>> >
>>>> > I'm trying to understand why a number of client computers are sending
>>>> > UDP 500 traffic to strange places. For example, from one machine it is
>>>> > sending traffic to 209.85.225.166 which is owned by Google. Netstat
>>>> > tells me that the traffic is originating from SVCHOST.
>>>> > I thought UDP 500 was used for IKE but is it also used for some sort
>>>> > of keep alive? I'm confused!
>>>> > Thanks,
>>>> > C
>>>> >
>>>> >
>>>> > _______________________________________________
>>>> > Pauldotcom mailing list
>>>> > Pauldotcom at mail.pauldotcom.com
>>>> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>> > Main Web Site: http://pauldotcom.com
>>>> >
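Added example (not part of the original thread): one way to answer the question of which services inside a given svchost.exe hold UDP 500 is to join the PID column of `netstat -ano -p udp` with the output of the `tasklist /svc` command quoted above, here requested as CSV with `/fo csv`. The sample outputs, PIDs and service names below are constructed for illustration, and English column headers are assumed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of `netstat -ano -p udp` output (not from the thread).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:500            *:*                                    1044
  UDP    0.0.0.0:4500           *:*                                    1044
  UDP    0.0.0.0:5355           *:*                                    1320
  UDP    [::]:500               *:*                                    1044
"""

# Constructed sample of: tasklist /svc /fo csv /fi "imagename eq svchost.exe"
# Assumption: services sharing one host process are comma-separated in one field.
TASKLIST_SAMPLE = '''"Image Name","PID","Services"
"svchost.exe","1044","IKEEXT,Schedule,Winmgmt"
"svchost.exe","1320","Dnscache"
'''

def udp_ports_by_pid(netstat_text):
    """Map PID -> set of local UDP ports from netstat -ano output."""
    ports = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        # UDP rows have no State column: Proto, Local, Foreign, PID
        if len(fields) == 4 and fields[0] == "UDP" and fields[3].isdigit():
            port = fields[1].rsplit(":", 1)[-1]  # rsplit copes with [::]:500
            if port.isdigit():
                ports[int(fields[3])].add(int(port))
    return ports

def services_by_pid(tasklist_csv):
    """Map PID -> list of service names from tasklist /svc CSV output."""
    rows = csv.DictReader(io.StringIO(tasklist_csv))
    return {int(r["PID"]): r["Services"].split(",") for r in rows}

def who_owns_udp_port(port, netstat_text, tasklist_csv):
    """Return {pid: [services]} for every process bound to the UDP port."""
    svcs = services_by_pid(tasklist_csv)
    return {pid: svcs.get(pid, ["<no services listed>"])
            for pid, ports in udp_ports_by_pid(netstat_text).items()
            if port in ports}

if __name__ == "__main__":
    owners = who_owns_udp_port(500, NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for pid, names in owners.items():
        print(f"UDP 500 -> PID {pid}: {', '.join(names)}")
```

When several services share the PID, this only narrows the candidates; it cannot say which of them opened the socket.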