Re: [fw-wiz] OT? New compromise.




Stian Øvrevåge <sovrevage@xxxxxxxxx> wrote:

[snip]

> And I also think that even if port so-and-so is listed as belonging to
> this and that innocent application, it is fairly irrelevant.

Indeed. When I see something trying to go out, the next thing I do is
approach the machine's user and ask them what they were trying to do at
such-and-such a time. They damn well better have been trying to do
what that port's legitimate usage reflects. Otherwise that machine
gets yanked off the network until the mystery is resolved.

> I know for sure if I wrote a virus/worm (if that's what it is) like
> this I'd pick ports that would blend in.

Yup.

> From what I understand a large anomaly is what made Jim do some
> digging,

It's not me doing the digging. My only involvement was passing-along
something I'd seen on another mailing list to which I belong. The
information looked sufficiently intriguing that I thought the
firewall-wizards membership might likewise find it interesting, and may
even have additional information.

> Statistics is a wonderful thing, and I'm pretty certain that
> statistical anomalies like this are not coincidental. The anomaly
> itself need not be caused by any party that means harm. But the other
> signs (though vague) of foul play indicate, imho, that it might well
> be.

The people that *are* looking into it are sufficiently concerned such
that multiple entities, from a variety of areas, are looking into it.

Apparently this isn't ringing any bells for anybody here. So either
it's nothing at all or it really is something brand new that's just
being discovered.

Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/contact/scform.php>.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
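The thread's two points, that the port number by itself says nothing about whether the traffic is legitimate, and that what actually gets noticed is a statistical anomaly, can be turned into a small triage script. The following is an added example written for this page; it is not code from Jim, Stian, or anyone else in the thread. The log format (timestamp, source host, destination IP, destination port, one connection per line) and the host names are assumptions, and every log line is constructed for illustration. It flags two things: an outbound connection to a port a host has never used before (the "go ask the user what they were doing at that time" case), and a host whose use of an otherwise common port such as 443 is a robust-statistics outlier against its peers, which is what a worm that picks ports "that blend in" would still produce.

```python
"""Outbound-connection triage: first-seen ports per host, and per-port
volume outliers across hosts.

Added example, not from the firewall-wizards thread.  The log layout
"<timestamp> <src-host> <dst-ip> <dst-port>" and the host names are
assumptions; all log lines here are constructed.
"""
from collections import Counter, defaultdict, namedtuple
from statistics import median

Conn = namedtuple("Conn", "ts src dst dport")

# Constructed baseline: a quiet day on which every workstation only talked
# to the web on 80 and 443.  In practice this would be a week or more.
BASELINE_LOG = """\
2009-03-01T09:00:00 ws-101 93.184.216.34 443
2009-03-01T09:00:01 ws-101 93.184.216.34 80
2009-03-01T09:00:02 ws-102 93.184.216.34 443
2009-03-01T09:00:03 ws-102 93.184.216.34 80
2009-03-01T09:00:04 ws-103 93.184.216.34 443
2009-03-01T09:00:05 ws-103 93.184.216.34 80
2009-03-01T09:00:06 ws-104 93.184.216.34 443
2009-03-01T09:00:07 ws-104 93.184.216.34 80
2009-03-01T09:00:08 ws-105 93.184.216.34 443
2009-03-01T09:00:09 ws-105 93.184.216.34 80
2009-03-01T09:00:10 ws-106 93.184.216.34 443
2009-03-01T09:00:11 ws-106 93.184.216.34 80
"""


def _constructed_day():
    """Build the constructed 'day under review': normal HTTPS use on five
    hosts, ws-106 hammering 443 (a beacon that blends in on a common
    port), and ws-101 making one connection to a port it never used."""
    per_host_443 = {"ws-101": 5, "ws-102": 4, "ws-103": 6,
                    "ws-104": 5, "ws-105": 4, "ws-106": 30}
    lines = [f"2009-03-02T10:{i:02d}:00 {host} 93.184.216.34 443"
             for host, n in per_host_443.items() for i in range(n)]
    lines.append("2009-03-02T11:00:00 ws-101 198.51.100.7 8443")
    return "\n".join(lines) + "\n"


DAY_LOG = _constructed_day()


def parse_log(text):
    """Parse the assumed four-field format; blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        conns.append(Conn(ts, src, dst, int(dport)))
    return conns


def baseline_ports(conns):
    """Map each source host to the set of destination ports it has used."""
    seen = defaultdict(set)
    for c in conns:
        seen[c.src].add(c.dport)
    return seen


def new_port_events(conns, baseline):
    """Connections to a port the source host has never been seen using.
    Each hit is a conversation to have with that machine's user: what
    were you doing at that timestamp?"""
    return [c for c in conns if c.dport not in baseline.get(c.src, set())]


def volume_outliers(conns, dport, threshold=3.5):
    """Hosts whose connection count to `dport` is a robust outlier.

    Uses median and median absolute deviation (MAD) rather than mean and
    standard deviation, because one beaconing host inflates the mean and
    std enough to hide itself.  0.6745 scales MAD to a std-like unit; 3.5
    is the usual modified-z cut-off.  Needs a few hosts to be meaningful.
    """
    counts = Counter(c.src for c in conns if c.dport == dport)
    if len(counts) < 4:
        return []
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    scale = mad if mad else 1.0          # all-identical baseline: any rise counts
    return sorted(src for src, n in counts.items()
                  if 0.6745 * (n - med) / scale > threshold)


def triage(baseline_text=BASELINE_LOG, day_text=DAY_LOG, common_port=443):
    """Run both checks; returns (first-seen-port connections, outlier hosts)."""
    baseline = baseline_ports(parse_log(baseline_text))
    day = parse_log(day_text)
    return new_port_events(day, baseline), volume_outliers(day, common_port)


if __name__ == "__main__":
    new_ports, noisy = triage()
    for c in new_ports:
        print(f"ASK USER: {c.src} -> {c.dst}:{c.dport} at {c.ts} (port never seen from this host)")
    for host in noisy:
        print(f"ASK USER: {host} is a volume outlier on port 443")
```

Note the asymmetry the thread is pointing at: the first check catches an odd port, but a worm author who picks 443 defeats it entirely, which is why the second check compares each host's volume on the common port against its peers instead of trusting what the port "belongs to". Either hit only justifies the next step Jim describes, asking the user and pulling the box if the answer does not match; it is not by itself evidence of compromise.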


