Re: Compromised Win2000 machine.

From: H C (keydet89@yahoo.com)
Date: 05/29/02


Date: Wed, 29 May 2002 13:37:47 -0700 (PDT)
From: H C <keydet89@yahoo.com>
To: Mark Newby <mark@dranton.com>

Mark,

Since fport.exe isn't native to any MS system, you'd
have to get it from the 'net someplace. The thing to
do (and I do this in the IR course I teach) would be
to burn your tools to a CD. If you can't do that,
then you can put them on a diskette and write-protect
it.

HTH.

--- Mark Newby <mark@dranton.com> wrote:
> H C wrote:
> > [...]
> > Danny took the typical action seen of most
> > admins...port scanning the system from the outside,
> > and comparing the open ports to lists of known trojans
> > and services. This is inconclusive at best, and leads
> > to a lot of speculation and time-wasting. Better to
> > run fport on the system (if NT/2K...if the system is
> > XP, run netstat w/ the '-o' switch) instead, to see
> > the process to port mapping.
> > [...]
>
> ...but I thought the advice for a (possibly) compromised box was *not*
> to run executable programs that resided on that host, as they can't be
> trusted?
>
>
> mark
>
>


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
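
Added example, not part of the original thread: a parser that turns a saved capture of the process-to-port mapping discussed above into a per-PID view, and lists the sockets an outside port scan cannot show. It assumes the capture was taken with `netstat -ano` run from trusted media; the sample output and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed capture of `netstat -ano` output (sample data, not from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING       1620
  TCP    192.168.1.10:1045      10.0.0.5:8080          ESTABLISHED     1620
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       1204
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:1027           *:*                                    1620
"""

def parse_netstat(text):
    """Return one dict per socket row; banner, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) not in (4, 5) or f[0] not in ("TCP", "UDP") or not f[-1].isdigit():
            continue
        state = f[3] if len(f) == 5 else ""    # UDP rows have no State column
        addr, _, port = f[1].rpartition(":")   # rpartition also copes with [::]:135
        rows.append({"proto": f[0], "addr": addr, "port": int(port),
                     "remote": f[2], "state": state, "pid": int(f[-1])})
    return rows

def listeners_by_pid(rows):
    """Map each PID to the (proto, port) pairs it has bound (TCP LISTENING, any UDP)."""
    out = defaultdict(set)
    for r in rows:
        if r["proto"] == "UDP" or r["state"] == "LISTENING":
            out[r["pid"]].add((r["proto"], r["port"]))
    return dict(out)

def unseen_by_outside_scan(rows):
    """Rows an external scan cannot show: loopback-only binds and live connections."""
    return [r for r in rows
            if r["addr"] in ("127.0.0.1", "[::1]") or r["state"] == "ESTABLISHED"]

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    for pid, socks in sorted(listeners_by_pid(rows).items()):
        print(pid, sorted(socks))
    for r in unseen_by_outside_scan(rows):
        print("not visible to a port scan:", r)
```

The PIDs still have to be resolved to image names and paths with a second trusted tool before any conclusion is drawn about a process.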


