You could use FakeDNS and MailPot to maybe capture what happens after
the connection is created. here is the link to the tools. I haven't
used them, but I know they can be used for things like this.
http://labs.idefense.com/files/labs/.../previews/map/



On 2/1/07, Paul D. Robertson wrote:
> On Thu, 1 Feb 2007, Brian Loe wrote:
>
> > One of our support technician's machines is attempting to connect to
> > random IP addresses on port 25 - in a pretty needy fashion. He says
> > he's scanned the box with the latest updates from McAffee and it
> > hasn't found anything.
> >
> > We discovered it because one of my basic (meaning I got it off the
> > 'Net) rules for SEC flagged it as a possible PHEL trojan.
> >
> > Any thoughts?

>
> See what process keeps opening sockets?
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> paul@compuwar.net which may have no basis whatsoever in fact."
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailma...rewall-wizards
>



--
If you think technology can solve your security problems, then you
don't understand the problems and you don't understand the technology.
Bruce Schneier
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards