From: adept hektik.com
Date: Wed Jan 09 2002 - 12:11:33 CST

Win2k seems to use the 10XX range of ports as an RPC endpoint (ncacn/http
type I believe). It depends on what is behind those ports. They are not
commonly used for trojans but that isn't anything too special.

Try using a utility that will show you what service or program has the ports
open, like fport from Foundstone (free).

http://rr.sans.org/sysadmin/fport.php --tutorial/description
http://www.foundstone.com/rdlabs/proddesc/fport.html --download

Are your servers firewalled (coming in?/going out?)? What does your event
log say about w3svc stopping?

-----Original Message-----
From: Katherine Ogden [mailto:kogden 4cd.net]
Sent: Wednesday, January 09, 2002 9:21 AM
To: focus-ms securityfocus.com
Subject: Think I've got trouble

We began having trouble with our Exchange server.
For no reason we could pin down the OWA would
throw up an error and stop the www service. Being
the slightly paranoid sort I downloaded Retina and ran
it against the email server. It showed the usual things
but it also showed

Port 1058 - Nim
Port 1090 - Xtreme

Two other Exchange servers show these ports open.

Port 1042 - Bla
Port 1059 - Nimreg

Two questions. Does anybody know what these
are? And am I right in assuming that these machines
have been compromised and will need to be rebuilt?

Thank you for the help.
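
The port-to-process check suggested in the reply (fport), sketched with cmdlets built into current Windows versions; this is an added example, not part of the original thread and not a tool either poster used. It assumes Windows 8 / Server 2012 or later (it does not run on Windows 2000), and the 1024-1100 range is an illustrative choice covering the ports listed above.

```powershell
# Added example: show which process and services own TCP listeners in a port range.
# Run from an elevated prompt so process paths are visible for system processes.
param(
    [int]$LowPort  = 1024,   # illustrative range covering the 10XX ports in the thread
    [int]$HighPort = 1100
)

# Index Windows services by hosting PID, so a listener inside a shared
# host process (for example an RPC endpoint) can be tied to service names.
$servicesByPid = @{}
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId |
    ForEach-Object { $servicesByPid[[int]$_.Name] = $_.Group.Name -join ', ' }

# Join each listening socket in the range to its owning process and services.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -ge $LowPort -and $_.LocalPort -le $HighPort } |
    Sort-Object -Property LocalPort, LocalAddress |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessId    = $_.OwningProcess
            Process      = $proc.ProcessName
            Path         = $proc.Path      # empty if access is denied or the process exited
            Services     = $servicesByPid[[int]$_.OwningProcess]
        }
    } |
    Format-Table -AutoSize
```

A scanner label attached to a port number only reflects a default-port lookup; the process name, binary path and hosted services in this output are what identify the actual listener.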