subject: (Fwd) Re: Norton networking
posted: Sun, 26 Nov 2000 05:20:10 -0000


heads up: Norton Ghost silently connects to servers over the
internet; AntiVirus does weird stuff


-------------------


> I've recently seen a probe on port 38293


I am seeing this as well, between our NT 4.0 server and a few Win2000
Professional workstations. A quick packet sniff shows the UDP traffic has
strings referring to the name of our NT server, as well as "NAV", so I
guessed this is Norton AntiVirus Corporate Edition. We have the NAV CE
server running on our NT server.


The following thread from SANS confirms this:


http://www.sans.org/y2k/092300.htm



------- Forwarded message follows -------

Date sent: Mon, 20 Nov 2000 10:52:16 +0000
Send reply to: Mike Meredith <[email protected]>
From: Mike Meredith <[email protected]>
Subject: Re: UDP port 1345 (VPJP ??)
To: [email protected]


-----BEGIN PGP SIGNED MESSAGE-----


Hi


On Thu, 16 Nov 2000, Peter Freeman wrote:


> I had the same problem with my machine, I tracked it
> down to ngctw32.exe which was started from
> runservice on my Win98 machine. Deleting that
> registry key solved the problem, and it never
> happened again.


> ngctw32.exe was installed with Norton Ghost, the
> properties of the exe describe it as Norton Ghost Client
> Agent. If anyone can tell me what it was reporting to
> ip 229.55.150.208 and why, it would be nice.



> I have traffic from inside my network (multiple
> stations) to outside (229.55.150.208) UDP port 1345.
> In every list I look this is called VPJP.
> Does anyone know what this is?


That IP is a multicast netblock. In fact a traceroute from my
workstation doesn't reach anywhere.

I've spoken to our Ghost expert; although he isn't clear on the issue,
he thinks the packet is a message along the lines of "I'm interested
in hearing about image called FRED".

- --
[email protected]
http://www.iso.port.ac.uk/~mike Senior Informatics Officer
(Postmaster, Hostmaster, and security)


------- End of forwarded message -------


--- [adminz]
* Origin: alerts, security, support (192.168.0.2)
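The triage both messages describe by hand (sniff the UDP traffic, pull printable strings out of the payload, notice that 229.55.150.208 sits in the multicast block and so never traceroutes like a host) can be scripted. The following is an added example written for this page, not code from the thread or from Symantec: the sample frames, the addresses, the server name NTSRV1 and the image name FRED are constructed for the demo, and the port-to-product mapping records only what the thread itself reports (38293 for NAV Corporate Edition, 1345 for the Ghost client agent), not an authoritative registry.

```python
"""Classify sniffed IPv4/UDP datagrams the way the thread did by hand."""
import ipaddress
import string
import struct

# UDP ports the thread ties to Symantec products (taken from the page only,
# not from an authoritative port registry).
SUSPECT_UDP_PORTS = {
    38293: "Norton AntiVirus Corporate Edition client/server traffic",
    1345: "VPJP in port lists; Norton Ghost client agent (ngctw32.exe)",
}

# Printable ASCII minus line/page control characters, as strings(1) treats it.
_PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4+UDP frame (checksums left zero; offline testing only)."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip_hdr + udp_hdr + payload


def parse_ipv4_udp(frame: bytes) -> dict:
    """Decode the IPv4 and UDP headers; raise ValueError for anything else."""
    if len(frame) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 17:
        raise ValueError("not UDP")
    if len(frame) < ihl + 8:
        raise ValueError("truncated UDP header")
    sport, dport, udp_len, _ = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    if udp_len < 8 or ihl + udp_len > len(frame):
        raise ValueError("bad UDP length")
    return {
        "src": ipaddress.IPv4Address(src),
        "dst": ipaddress.IPv4Address(dst),
        "sport": sport,
        "dport": dport,
        "payload": frame[ihl + 8:ihl + udp_len],
    }


def printable_strings(data: bytes, min_len: int = 3) -> list:
    """Extract runs of printable ASCII of at least min_len bytes, like strings(1)."""
    out, run = [], bytearray()
    for b in data + b"\x00":  # trailing NUL flushes the final run
        if b in _PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def classify(frame: bytes, markers=("NAV",)) -> dict:
    """Return the observations a sniffer operator would note for one datagram."""
    pkt = parse_ipv4_udp(frame)
    findings = []
    if pkt["dst"].is_multicast:  # 224.0.0.0/4: why the thread's traceroute went nowhere
        findings.append(f"destination {pkt['dst']} is multicast (224.0.0.0/4), not a unicast host")
    for port in sorted({pkt["sport"], pkt["dport"]}):
        if port in SUSPECT_UDP_PORTS:
            findings.append(f"udp/{port}: {SUSPECT_UDP_PORTS[port]}")
    strings = printable_strings(pkt["payload"])
    hits = [s for s in strings if any(m in s for m in markers)]
    if hits:
        findings.append("payload strings: " + ", ".join(hits))
    return {"src": str(pkt["src"]), "dst": str(pkt["dst"]), "dport": pkt["dport"],
            "multicast": pkt["dst"].is_multicast, "strings": strings, "findings": findings}


# Constructed sample frames, not captures from the thread: the addresses, the
# server name NTSRV1 and the image name FRED are invented for this demo.
SAMPLE_FRAMES = {
    "nav_ce": build_ipv4_udp("192.168.0.11", "192.168.0.2", 38293, 38293,
                             b"\x01\x00NAV\x00\x00NTSRV1\x00"),
    "ghost": build_ipv4_udp("192.168.0.12", "229.55.150.208", 1345, 1345,
                            b"\x00\x02\x00FRED\x00"),
    "dns": build_ipv4_udp("192.168.0.11", "192.168.0.1", 1042, 53,
                          b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                          b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        r = classify(frame)
        print(f"{name}: {r['src']} -> {r['dst']}:{r['dport']}")
        for line in r["findings"] or ["nothing notable"]:
            print("   ", line)
```

The multicast check is the part worth keeping: a destination in 224.0.0.0/4 is a group address, so "it never reaches anywhere" in traceroute is expected rather than evidence of a hidden server, and the right follow-up is to find which local process is sending (the thread names ngctw32.exe) rather than to chase the address.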

generated by msg2page 0.06 on Jul 21, 2006 at 19:04:58
