RE: Think I've got trouble

From: wim.remes (wim.remes@skynet.be)
Date: 01/10/02


Date: Thu, 10 Jan 2002 08:57:12 +0100
From: "wim.remes" <wim.remes@skynet.be>
To: focus-ms <focus-ms@securityfocus.com>, Katherine Ogden <kogden@4cd.net>

Katherine,

I've found a page on the net that specifies the ports used by trojans
http://www.freewareposse.com/ports.html

As I see it, both servers may be infected by a trojan, but I'm not
an Exchange whiz, and Exchange might be using these ports to do something
useful.

More on the Xtreme trojan may be found here:
http://www.glocksoft.com/trojan_list/Xtreme.htm

More on the BLA trojan may be found here:
http://www.glocksoft.com/trojan_list/BLA_trojan.htm

You might want to download the free LANguard Network Scanner from GFI Software:
http://www.gfi.com/languard/lantools.htm
It gives you a detailed view of all the hosts on your network (or the range
you put in), with OS, SP, registry settings, and known vulns (with a link to a
BUGTRAQ post or an MS advisory).

Good luck, and let us know whether it was a false alarm or not.

Cheers,

Wim
>===== Original Message From Katherine Ogden <kogden@4cd.net> =====
>We began having trouble with our Exchange server.
>For no reason we could pin down, OWA would
>throw up an error and stop the WWW service. Being
>the slightly paranoid sort I downloaded Retina and ran
>it against the email server. It showed the usual things
>but it also showed
>Port 1058 - Nim
>Port 1090 - Xtreme
>
>Two other exchange servers show these ports open.
>Port 1042 - Bla
>Port 1059 - Nimreg
>
>Two questions. Does anybody know what these
>are? And am I right in assuming that these machines
>have been compromised and will need to be rebuilt?
>
>Thank you for the help.
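The check that settles Katherine's question is not the port number but the process that owns it. Exchange's information store and directory service register RPC endpoints with the endpoint mapper on port 135 and get dynamic listening ports above 1024 assigned at service start, so a high port that happens to coincide with an entry in a trojan port list proves nothing by itself. The script below is an added example, not code from the thread or from any of the tools mentioned in it: it takes the text output of `netstat -ano` and `tasklist` (available on Windows XP/2003 and later; on Windows 2000 a tool such as fport or TCPView gives the same port-to-PID mapping), joins them, and reports which process holds each port the scanner flagged. The two command outputs embedded in it are constructed sample data, the scanner's port-to-trojan mapping is taken from the thread, and the list of expected Exchange owner processes is an assumption for the example.

```python
"""Map listening TCP ports to their owning process and triage the ports a
vulnerability scanner attributed to trojans.

Added example, not part of the original thread. Both command outputs below
are CONSTRUCTED samples; on a real host, capture `netstat -ano` and
`tasklist` and pass their text to triage().
"""

import re

# Port -> trojan name, as reported by the scanner in the thread.
SCANNER_FLAGS = {1042: "Bla", 1058: "Nim", 1059: "Nimreg", 1090: "Xtreme"}

# Assumption for this example: processes that legitimately own dynamic RPC
# endpoints or fixed service ports on an Exchange box. The endpoint mapper
# hands out ports above 1024 when these services start, so the numbers move
# between reboots; the owner, not the number, is the evidence.
EXPECTED_OWNERS = {"store.exe", "mad.exe", "emsmta.exe", "inetinfo.exe",
                   "services.exe", "lsass.exe", "svchost.exe"}

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       612
  TCP    0.0.0.0:1058           0.0.0.0:0              LISTENING       1388
  TCP    0.0.0.0:1059           0.0.0.0:0              LISTENING       1388
  TCP    0.0.0.0:1090           0.0.0.0:0              LISTENING       2976
  TCP    10.0.0.5:1090          10.0.0.99:4143         ESTABLISHED     2976
"""

# "mystery.exe" is a placeholder name for the sample, not a real indicator.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         28 K
services.exe                   612 Console                    0      3,912 K
inetinfo.exe                  1204 Console                    0     12,004 K
store.exe                     1388 Console                    0     88,120 K
mystery.exe                   2976 Console                    0      1,120 K
"""

# TCP sockets in LISTENING state: local port and owning PID.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
# One data row of tasklist's table: image name, PID, session, mem usage.
TASK_RE = re.compile(r"^(\S+)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_listening_ports(netstat_output):
    """Return {port: pid} for every TCP socket netstat shows as LISTENING."""
    ports = {}
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports[int(m.group(1))] = int(m.group(2))
    return ports


def parse_tasklist(tasklist_output):
    """Return {pid: image name (lower-cased)} from tasklist's table output."""
    procs = {}
    for line in tasklist_output.splitlines():
        m = TASK_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).lower()
    return procs


def triage(netstat_output, tasklist_output, flagged=SCANNER_FLAGS):
    """For each scanner-flagged port, return a tuple
    (port, trojan_name, pid, image, verdict)."""
    ports = parse_listening_ports(netstat_output)
    procs = parse_tasklist(tasklist_output)
    results = []
    for port, name in sorted(flagged.items()):
        pid = ports.get(port)
        if pid is None:
            # A dynamic RPC port seen by the scanner may simply have moved
            # after a service restart; re-scan rather than assume it is gone.
            results.append((port, name, None, None, "not listening now"))
            continue
        image = procs.get(pid, "<unknown pid>")
        if image in EXPECTED_OWNERS:
            verdict = "expected owner; likely an RPC endpoint, not the trojan"
        else:
            verdict = "unexpected owner; inspect the binary before rebuilding"
        results.append((port, name, pid, image, verdict))
    return results


if __name__ == "__main__":
    for port, name, pid, image, verdict in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{port:5d} ({name:7s}) pid={pid} image={image}: {verdict}")
```

In the constructed sample, 1058 and 1059 belong to store.exe and are exactly what a MAPI-serving information store looks like, 1042 is not open at all, and 1090 is held by a process that no Exchange component accounts for; that last one is the only port that justifies pulling the binary and comparing it against a known-good install before deciding whether the box needs a rebuild.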
