From: wim.remes (wim.remes skynet.be)
Date: Thu Jan 10 2002 - 01:57:12 CST
Katherine,
I've found a page on the net that specifies the ports used by trojans:
http://www.freewareposse.com/ports.html
As I would see it both servers may be infected by a trojan, but I'm not
an Exchange Whiz and Exchange might be using these ports to do something
useful.
More on the Xtreme trojan may be found here:
http://www.glocksoft.com/trojan_list/Xtreme.htm
More on the BLA trojan may be found here:
http://www.glocksoft.com/trojan_list/BLA_trojan.htm
You might wanna download the free LANGUARD Network scanner from GFI Software:
http://www.gfi.com/languard/lantools.htm
It gives you a detailed view of all the hosts on your network (or the range
you put in), with OS, SP, Registry Settings, Known vulns (with a link to a
BUGTRAQ post or a MS advisory).
Good luck and let us know if it was a false alarm or not?
Cheers,
Wim
>===== Original Message From Katherine Ogden <kogden 4cd.net> =====
>We began having trouble with our exchange server.
>For no reason we could pin down the OWA would
>throw up an error and stop the www service. Being
>the slightly paranoid sort I downloaded Retina and ran
>it against the email server. It showed the usual things
>but it also showed
>Port 1058 - Nim
>Port 1090 - Xtreme
>
>Two other exchange servers show these ports open.
>Port 1042 - Bla
>Port 1059 - Nimreg
>
>Two questions. Does anybody know what these
>are? And am I right in assuming that these machines
>have been compromised and will need to be rebuilt?
>
>Thank you for the help.