RE: Think I've got trouble

From: wim.remes
Date: 01/10/02

Date: Thu, 10 Jan 2002 08:57:12 +0100
From: "wim.remes" <>
To: focus-ms <>, Katherine Ogden <>


I've found a page on the net that specifies the ports used by trojans

As I would see it, both servers may be infected by a trojan, but I'm not
an Exchange whiz, and Exchange might be using these ports to do something

More on the Xtreme trojan may be found here:

More on the BLA trojan may be found here:

You might wanna download the free LANGUARD Network scanner from GFI Software:
It gives you a detailed view of all the hosts on your network (or the range
you put in), with OS, SP, registry settings, and known vulns (with a link to a
BUGTRAQ post or an MS advisory).

Good luck, and let us know if it was a false alarm or not?


>===== Original Message From Katherine Ogden <> =====
>We began having trouble with our Exchange server.
>For no reason we could pin down the OWA would
>throw up an error and stop the www service. Being
>the slightly paranoid sort I downloaded Retina and ran
>it against the email server. It showed the usual things
>but it also showed
>Port 1058 - Nim
>Port 1090 - Xtreme
>Two other Exchange servers show these ports open.
>Port 1042 - Bla
>Port 1059 - Nimreg
>Two questions. Does anybody know what these
>are? And am I right in assuming that these machines
>have been compromised and will need to be rebuilt?
>Thank you for the help.