Re: Trojans that use LDAP

From: Patrick Patterson (ppatterson@carillonis.com)
Date: 01/15/02


From: Patrick Patterson <ppatterson@carillonis.com>
To: "Gary Porter" <gary.porter@matcomcorp.com>, "INCIDENTS" <INCIDENTS@securityfocus.com>
Date: Tue, 15 Jan 2002 16:11:00 -0500


Gary:

Hmmm, interesting:

.ch is Switzerland
c3pki is the common domain name for several US DoD PKI projects....

A PKI client that is trying to access a PKI at this address would be my guess
at this.... PKIs usually use LDAP to look up certificates and CRLs. I would
check the machine in question and find out if it is running any sort of
PKI software (another option: maybe their Outlook or Netscape address book
somehow ended up configured to look at this address...)

Other than that, I would try to get a packet dump and see if it looks at
all like LDAP traffic (you should be able to make out cn=....,o=... or some
such in the traffic). If it is, then this is probably benign; if not, then
worry. ;)

Pat.

On Tuesday 15 January 2002 09:57, Gary Porter wrote:
> Are there any Trojans that communicate using LDAP? A machine on our
> internal network is trying to connect to
> "email-ds-3.c3pki.ch" on destination Port 389? That port (blocked by the
> firewall) is ostensibly used for the Lightweight Directory Access Protocol,
> but I know nothing about this service and I've been unsuccessful (using Sam
> Spade) in locating any information about the destination address. Is this
> the sign of a compromise or something more benign?
>
> Gary R. Porter
> Program Manager, CITS Mobile Training
> MATCOM Corporation
> 757-838-0212 (w)
> 757-897-5830 (m)
> gary.porter@matcomcorp.com
>
>
> ---------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

--

Patrick Patterson                     Tel: (514) 485-0789
Chief Security Architect              Fax: (514) 485-4737
Carillon Information Security Inc.    E-Mail: ppatterson@carillonIS.com
-----------------------------------------------------------------------
                The New Sound of Network Security
                     http://www.carillonIS.com


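The "does the packet dump look like LDAP" check that Pat suggests can be done mechanically against the TCP payload: an LDAP message is a BER SEQUENCE holding an INTEGER messageID and an APPLICATION-tagged protocolOp (RFC 4511), and DNs travel inside it as plain text such as cn=...,o=.... The following is an added example, not code from the original thread; the `looks_like_ldap` and `ber` names and the sample messages are constructed for illustration.

```python
"""Heuristic: does a captured TCP/389 payload look like an LDAP message (RFC 4511 BER)?"""
import re

# protocolOp APPLICATION tag number -> operation name (subset of RFC 4511)
LDAP_OPS = {0: "BindRequest", 1: "BindResponse", 2: "UnbindRequest",
            3: "SearchRequest", 4: "SearchResultEntry", 5: "SearchResultDone",
            6: "ModifyRequest", 7: "ModifyResponse", 8: "AddRequest",
            9: "AddResponse", 10: "DelRequest", 11: "DelResponse",
            16: "AbandonRequest", 23: "ExtendedRequest", 24: "ExtendedResponse"}

# a DN as it appears on the wire: attr=value pairs separated by commas, printable only
DN_RE = rb"[A-Za-z][A-Za-z0-9-]*=[\x20-\x2b\x2d-\x7e]+(?:,[A-Za-z][A-Za-z0-9-]*=[\x20-\x2b\x2d-\x7e]+)*"

def _tlv(buf, pos):
    """Parse one BER TLV at pos -> (tag, value_start, value_end); definite lengths only."""
    if pos + 2 > len(buf):
        raise ValueError("truncated")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, pos, pos + length

def looks_like_ldap(payload: bytes):
    """Return (operation, messageID, first DN or None) for a plausible LDAPMessage, else None."""
    try:
        tag, start, _ = _tlv(payload, 0)
        if tag != 0x30:                    # LDAPMessage ::= SEQUENCE
            return None
        tag, s, e = _tlv(payload, start)
        if tag != 0x02 or e - s > 4:       # messageID INTEGER (0 .. 2^31-1)
            return None
        msg_id = int.from_bytes(payload[s:e], "big")
        tag, s2, e2 = _tlv(payload, e)
    except ValueError:
        return None
    if tag & 0xC0 != 0x40:                 # protocolOp must be APPLICATION class
        return None
    op = LDAP_OPS.get(tag & 0x1F)
    if op is None:
        return None
    m = re.search(DN_RE, payload[s2:e2])
    return op, msg_id, (m.group(0).decode("ascii") if m else None)

def ber(tag: int, value: bytes) -> bytes:
    """Short-form BER TLV encoder (value < 128 bytes), used only to build the samples below."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

# Constructed sample: SearchRequest (messageID 1) for base cn=users,o=example, filter (objectClass=*)
SEARCH_REQUEST = ber(0x30, ber(0x02, b"\x01") + ber(0x63,
    ber(0x04, b"cn=users,o=example") + ber(0x0A, b"\x02") + ber(0x0A, b"\x00")
    + ber(0x02, b"\x00") + ber(0x02, b"\x00") + ber(0x01, b"\x00")
    + ber(0x87, b"objectClass") + ber(0x30, b"")))
UNBIND_REQUEST = ber(0x30, ber(0x02, b"\x02") + b"\x42\x00")   # constructed UnbindRequest, id 2
NOT_LDAP = b"GET / HTTP/1.0\r\n\r\n"                            # constructed non-LDAP payload on 389
```

Run it over the first client-to-server payload of each flow: a DN plus a recognised operation points at a directory client such as a PKI certificate or CRL lookup, while a payload that fails the structure check deserves the closer look the thread recommends.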