Re: Compromized Windows NT machine?
From: Frank Knobbe (fknobbe@knobbeits.com)Date: 07/27/02
- Previous message: steveg: "Re: Anyone know this rootkit (rootkits?) (details and files attached)"
- In reply to: GabyHornik@lotus.iot.dtag.de: "Compromized Windows NT machine?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Frank Knobbe <fknobbe@knobbeits.com> To: GabyHornik@lotus.iot.dtag.de Date: 26 Jul 2002 23:01:31 -0500
Why don't you run fport.exe (downloadable from FoundStone) to find out
which applications are listening on these ports? That should tell you if
it's a normal executable or some 'strange new code'.
Regards,
Frank
On Fri, 2002-07-26 at 04:08, GabyHornik@lotus.iot.dtag.de wrote:
> Hello!
>
> Recently while looking over some firewall logs I encountered some strange
> traffic from a WinNT machine.
> Every 90 minutes it tries to connect to a bulk of machines to port 4665
> (normally eDonkey clients).
> That alone isn't strange at all, but there's coming a bulk of other ports
> with it, in detail
> udp/smtp
> udp/8004
> udp/8665
> udp/7665
> udp/4765
> udp/84
> udp/2004
> udp/6890
> udp/28014
> udp/6670
>
> udp/smtp is coming nearly every minute, the rest every 90 minutes.
>
> Has anybody seen this before or can anybody identify this as a trojan?
>
> Thanks, Gaby
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
- application/pgp-signature attachment: This is a digitally signed message part
- Previous message: steveg: "Re: Anyone know this rootkit (rootkits?) (details and files attached)"
- In reply to: GabyHornik@lotus.iot.dtag.de: "Compromized Windows NT machine?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
