Re: [fw-wiz] OT? New compromise.



I guess what I was alluding to was that the two ports are KNOWN to be
used by two applications that are often targeted. MSN IM is a known
vector for being attacked as well as for mounting an attack.

It didn't seem to me the OP was aware that that's what commonly uses
those ports. For me, I would start looking at how many of the "virusey"
workstations were running IM clients (by default, on purpose, or
unbeknownst to the end-user), and go from there...that may quicken the
revealing of a rootkit or other malware. Likewise, start looking at
default junk that is set to start in the registry when the OS starts.

Fedora 4 loads more stuff than you think with the default
install...likewise, unless you specifically disallow it, there's all
kinds of crap that is turned on by default...one of them being root
being able to log in directly over an SSH session. So, it's not really
puzzling to me why a Fedora box would be showing signs of being
compromised as well. I've seen it happen at the same rate as with Windows
boxes.

Stian Øvrevåge wrote:

On 3/28/07, J. Oquendo <sil@xxxxxxxxxxxxxxx> wrote:


St John, Richard wrote:


Once you determine there might be an issue, I think there used to be a
program called openports which would run on the machine and relate any
LISTENING or ESTABLISHED ports to the actual file that has the port
open. This would then give you the service/process/program waiting for
traffic on that port.


On Windows:

c:\>netstat -an | find /i "listening"

Why download when you can use existing tools...




Ever heard of rootkits?

And I also think that even if port so-and-so is listed as belonging to
this or that innocent application, it is fairly irrelevant. I know for
sure if I wrote a virus/worm (if that's what it is) like this I'd pick
ports that would blend in. From what I understand a large anomaly is
what made Jim do some digging; statistics is a wonderful thing, and
I'm pretty certain that statistical anomalies like this are not
coincidental. The anomaly itself need not be caused by any party that
means harm. But the other signs (though vague) of foul play indicate,
imho, that it might well be.




_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
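As an added example (not code from anyone in this thread), here is the cross-check that Stian's rootkit remark implies: parse the host's own "netstat -ano" listing into port-to-PID pairs, then diff it against the TCP ports an external scan of the same host reports. The netstat text, PIDs, ports and the external port set below are all constructed sample data.

```python
# Added example: compare the host's own view of listening TCP ports
# (Windows "netstat -ano" output) with what a network scan of the same host
# sees from the outside. A listener visible on the wire but absent from the
# local table is exactly the discrepancy a rootkit hiding a socket from the
# host's own tools would produce, so it deserves a closer look.
import re

# Constructed sample of "netstat -ano" output; addresses, ports and PIDs are made up.
NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1863      207.46.108.90:1863     ESTABLISHED     2456
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1180
  UDP    0.0.0.0:123            *:*                                    1048
"""

# Constructed external view: TCP ports a scanner reported open on 192.168.1.20.
EXTERNAL_OPEN_TCP = {135, 445, 3389, 31337}

# One LISTENING TCP row: local address ending in :port, foreign address, state, PID.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.M)


def local_listeners(netstat_text):
    """Map each locally visible listening TCP port to the PID that owns it."""
    return {int(port): int(pid) for port, pid in LISTEN_RE.findall(netstat_text)}


def hidden_listeners(netstat_text, external_ports):
    """TCP ports open from the network but missing from the host's own netstat."""
    return sorted(set(external_ports) - set(local_listeners(netstat_text)))


if __name__ == "__main__":
    for port, pid in sorted(local_listeners(NETSTAT_ANO).items()):
        print(f"local  TCP/{port:<5} owned by PID {pid}")
    for port in hidden_listeners(NETSTAT_ANO, EXTERNAL_OPEN_TCP):
        print(f"HIDDEN TCP/{port:<5} seen externally but not in local netstat")
```

A port in the hidden set can also come from a firewall or NAT device answering in front of the host, so confirm the scan really reached the machine before treating the gap as evidence of a rootkit.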


