Re: Compromized Windows NT machine?

From: dbroggy@manageworx.com
Date: 07/26/02


Date: Fri, 26 Jul 2002 11:55:41 -0500
From: dbroggy@manageworx.com
To: GabyHornik@lotus.iot.dtag.de


Is this an Exchange Server? I don't recall the port numbers but I
know they were all UDP and an expensive call to Microsoft came
back as 'this is normal'. In my case they came from the MTA and
there is no adjustment.

----- Original Message -----
From: GabyHornik@lotus.iot.dtag.de
Date: Friday, July 26, 2002 4:08 am
Subject: Compromized Windows NT machine?

> Hello!
>
> Recently while looking over some firewall logs I encountered some
> strange traffic from a WinNT machine.
> Every 90 minutes it tries to connect to a bulk of machines to port
> 4665 (normally eDonkey clients).
> That alone isn't strange at all, but there's coming a bulk of
> other ports with it, in detail
> udp/smtp
> udp/8004
> udp/8665
> udp/7665
> udp/4765
> udp/84
> udp/2004
> udp/6890
> udp/28014
> udp/6670
>
> udp/smtp is coming nearly every minute, the rest every 90 minutes.
>
> Has anybody seen this before or can anybody identify this as a trojan?
>
> Thanks, Gaby
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>
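
Added example, not part of the original thread or either poster's code: one way to measure the repeat interval per destination port that the original message describes (udp/smtp about every minute, the other ports every 90 minutes) from firewall logs. The log line format, the addresses and all function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import product
from statistics import median

# Assumed, constructed format: 2002-07-26 00:00:00 DENY udp 10.0.0.5:1025 -> 192.0.2.1:4665
LINE = re.compile(r"(?P<ts>\S+ \S+) \w+ (?P<proto>\w+) "
                  r"(?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$")

def burst_intervals(lines, burst_gap=30):
    """Map (src, proto, dport) -> seconds between successive bursts."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if m:  # lines in any other format are skipped
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            seen[(m["src"], m["proto"], int(m["dport"]))].append(ts)
    out = {}
    for key, stamps in seen.items():
        stamps.sort()
        # A fan-out to many hosts within burst_gap seconds counts once.
        starts = [t for i, t in enumerate(stamps)
                  if i == 0 or (t - stamps[i - 1]).total_seconds() > burst_gap]
        out[key] = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    return out

def periodic_flows(lines, min_repeats=3, max_jitter=0.1):
    """Return {flow: median interval} for flows that repeat on a fixed period."""
    found = {}
    for key, gaps in burst_intervals(lines).items():
        mid = median(gaps) if gaps else 0
        if len(gaps) >= min_repeats and all(
                abs(g - mid) <= max_jitter * mid for g in gaps):
            found[key] = mid
    return found

def sample_log():
    """Constructed sample: udp/25 every minute, two ports every 90 minutes."""
    t0, src, rows = datetime(2002, 7, 26), "10.0.0.5", []
    def add(offset, proto, dst, port):
        rows.append(f"{t0 + timedelta(seconds=offset)} DENY {proto} "
                    f"{src}:1025 -> {dst}:{port}")
    for n in range(6):
        add(60 * n, "udp", "192.0.2.9", 25)
    for cycle, host, port in product(range(5), range(3), (4665, 8004)):
        add(5400 * cycle + host, "udp", f"192.0.2.{host + 1}", port)
    for offset in (0, 400, 3000, 3100, 9000):  # irregular web traffic
        add(offset, "tcp", "198.51.100.7", 80)
    return rows
```

Calling periodic_flows(sample_log()) reports the 60-second and 5400-second flows and leaves the irregular tcp/80 traffic out.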
