RE: DDoS to microsoft sites

From: H C (keydet89@yahoo.com)
Date: 01/30/02 

Date: Wed, 30 Jan 2002 11:44:22 -0800 (PST)
From: H C <keydet89@yahoo.com>
To: "Ad***, Matt" <Matt.Ad***@gsccca.org>, 'Bronek Kozicki' <brok@rubikon.pl>, Mike Lewinski <mike@rockynet.com>

Matt,

> > 7 Echo
> > 9 Discard

[list of ports truncated]

> > The client claims that they are not running
> Appletalk (548) but I'm not
> sure
> > whether to believe. We haven't been able to get
> console access to that
> > machine to do any further investigation (but have
> blocked it upstream). Of
> > the above services, most look legit from what I
> can tell with the
> exception
> > of 548 and 1025-1027
>
> Most probably your client has been rooted.

Based on a list of open ports derived from a port
scan, how can you say that?

Until some very basic information is collected from
the system...which the client can do
themselves...using fport, pslist, psservice, listdlls,
etc...there's really no way to tell what's going on.

Given that trojans are configureable, and also given
that some trojans use known ports, using lists of
trojans and a port scan isn't a very conclusive means
of investigating.

__________________________________________________
Do You Yahoo!?
Great stuff seeking new owners in Yahoo! Auctions!
http://auctions.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Quantcast