RE: Think I've got trouble

From: wim.remes (wim.remes@skynet.be)
Date: 01/10/02


Date: Thu, 10 Jan 2002 08:57:12 +0100
From: "wim.remes" <wim.remes@skynet.be>
To: focus-ms <focus-ms@securityfocus.com>, Katherine Ogden <kogden@4cd.net>

Katherine,

I've found a page on the net that specifies the ports used by trojans:
http://www.freewareposse.com/ports.html

As I would see it, both servers may be infected by a trojan, but I'm not
an Exchange whiz and Exchange might be using these ports to do something
useful.

More on the Xtreme trojan may be found here:
http://www.glocksoft.com/trojan_list/Xtreme.htm

More on the BLA trojan may be found here:
http://www.glocksoft.com/trojan_list/BLA_trojan.htm

You might wanna download the free LANGUARD Network scanner from GFI Software:
http://www.gfi.com/languard/lantools.htm
It gives you a detailed view of all the hosts on your network (or the range
you put in), with OS, SP, Registry Settings, Known vulns (with a link to a
BUGTRAQ post or an MS advisory).

Good luck and let us know if it was a false alarm or not.

Cheers,

Wim

>===== Original Message From Katherine Ogden <kogden@4cd.net> =====
>We began having trouble with our Exchange server.
>For no reason we could pin down the OWA would
>throw up an error and stop the www service. Being
>the slightly paranoid sort I downloaded Retina and ran
>it against the email server. It showed the usual things
>but it also showed
>Port 1058 - Nim
>Port 1090 - Xtreme
>
>Two other Exchange servers show these ports open.
>Port 1042 - Bla
>Port 1059 - Nimreg
>
>Two questions. Does anybody know what these
>are? And am I right in assuming that these machines
>have been compromised and will need to be rebuilt?
>
>Thank you for the help.