Re: Out of my league.....

From: pordeus (pordeus_at_email.it)
Date: 01/09/04

    Date: Fri,  9 Jan 2004 19:41:42 +0100
    To: "security-basics" <security-basics@securityfocus.com>
    
    

    Someone is using the net send service, which uses NetBIOS to find the user or the machine. Just this.
    Be cool =)
    Daniel Menezes
     
    > Ports 139 and 445 are used for Microsoft NetBIOS. Here is more info:
    > http://grc.com/port_139.htm
    > http://grc.com/port_445.htm
    >
    > -Paul Kurczaba
    > ----- Original Message -----
    > From: "Jeff Johnson"
    > To:
    > Sent: Wednesday, January 07, 2004 4:16 PM
    > Subject: Out of my league.....
    >
    >
    > > Hello. My ignorance will be vivid here....
    > >
    > > I'm currently doing marketing at a small office, but, as I'm technically
    > > inclined enough to be dangerous, in my spare time do the IS support as
    > > well. They had an outside consultant set up the system, and he had done
    > > other setups/management when needed, but, is no longer available. He'd
    > > set up the network with a Symantec VPN/Firewall appliance as the external
    > > gateway, but had opened up ports to a server inside the network which is
    > > currently hosting the email server (Xmail), DNS, as well as a simple web
    > > app to do web-mail checking for employees from the outside. Also opened
    > > ports for ssl, termserver, ftp, smtp, and pop3, and another port for
    > > remote admin.
    > >
    > > Looked a bit insecure for me when I noticed it, so, I installed ZoneAlarm
    > > on this server inside the network, which is currently working. Plans are
    > > to move the web serving onto another server which will be put into a DMZ.
    > > After noticing these open ports, I also decided to pay more attention to
    > > the firewall logs, and noticed not just the normal external port scan
    > > attack blocks, but also that a couple of computers, including the company
    > > server, are attempting to access outside IPs using closed port calls
    > > (therefore, the firewall catches and logs them). These blocks come with
    > > the message Block host "" internet access, and are typically using ports
    > > 139 & 445. Looked suspicious, so, I ran an fport scan on the server, and
    > > it did show ports 139 & 445 open, but, shows that the Pid is 8 (the
    > > system).....Also did some ethereal scan of the network, and it does show
    > > that the server is trying to access this specific external ip address.
    > >
    > > My question is (kudos if you've patiently read everything so far), how do
    > > I find out what this process is that is trying to do these accesses, or
    > > am I being overly paranoid. As you can most likely tell from this, I'm
    > > not the most technically adept IT support person, so, I'd also appreciate
    > > references/suggestions on materials to help me out here.
    > >
    > > Thanks in advance to all.
    > >
    > > Jeff
    > >
    > >
    > >
    > > ---------------------------------------------------------------------------
    > > Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
    > > course! All of our class sizes are guaranteed to be 10 students or less.
    > > We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
    > > and many other technical hands on courses.
    > > Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
    > > any course!
    > > ----------------------------------------------------------------------------

    Daniel Pordeus Menezes
    Systems Analyst
    Petrobras - cp37
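
An added example, not part of the original thread: one way to summarise the firewall's block entries so that an internal machine repeatedly trying ports 139/445 on the same outside address, as described in the question, stands out. The log format, field names and addresses are constructed for illustration; the appliance's real log format is not shown in the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines; this key=value format is an assumption, adapt LINE_RE.
SAMPLE_LOG = """\
2004-01-07 15:58:01 action=block src=192.168.1.10 dst=203.0.113.45 proto=tcp dport=445
2004-01-07 15:58:04 action=block src=192.168.1.10 dst=203.0.113.45 proto=tcp dport=139
2004-01-07 15:59:12 action=block src=192.168.1.23 dst=198.51.100.7 proto=tcp dport=445
2004-01-07 16:00:40 action=block src=192.168.1.10 dst=203.0.113.45 proto=tcp dport=445
2004-01-07 16:01:02 action=block src=198.51.100.99 dst=192.168.1.10 proto=tcp dport=139
2004-01-07 16:02:00 action=block src=192.168.1.23 dst=203.0.113.80 proto=tcp dport=80
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) .*?dport=(?P<dport>\d+)")
WATCHED_PORTS = {139, 445}  # the two ports named in the thread
# RFC 1918 ranges, assumed here to mean "inside the office network".
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    return any(addr in net for net in INTERNAL)

def outbound_blocks(log_text):
    """Count blocked (internal src, external dst, port) attempts."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "block" or int(m["dport"]) not in WATCHED_PORTS:
            continue
        try:
            src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed address field: skip the line
        if is_internal(src) and not is_internal(dst):  # inside -> outside only
            hits[(str(src), str(dst), int(m["dport"]))] += 1
    return hits

def repeat_targets(hits, min_hits=2):
    """List (src, dst, total) where a host keeps trying one outside address."""
    per_pair = Counter()
    for (src, dst, _port), n in hits.items():
        per_pair[(src, dst)] += n
    return sorted((s, d, n) for (s, d), n in per_pair.items() if n >= min_hits)

if __name__ == "__main__":
    for src, dst, n in repeat_targets(outbound_blocks(SAMPLE_LOG)):
        print(f"{src} -> {dst}: {n} blocked attempts on 139/445")
```

The inbound scan line and the port 80 line in the sample are deliberately ignored, so only inside-to-outside attempts on the two ports are counted.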

