 
From: Stonewall (stonewallcavtel.net)
Date: Thu Jan 10 2002 - 09:23:19 CST


    Some Trojans can be "adjusted" to listen on practically ANY port, so don't
    rely on lists of known ports used by known Trojans. IMHO you need to scan
    all 65535 TCP and UDP ports and then start the following process for each
    port found open:
    1. Why is this port open? What running process opened it?
    2. Is this a process you WANT to be running on your box?
    3. Is this the original process that you installed on this box, or is it
    a Trojaned version which has been used to replace your process?
    4. If you can't find a good reason why this process is running on your
    box, kill it, and see what functionality you lose on your system (you might
    not know why you really need it...)
    5. If you lose nothing and none of your users complains, leave it dead.
    6. Report it.

    Have fun

    stonewall

    ----- Original Message -----
    From: "wim.remes" <wim.remesskynet.be>
    To: "focus-ms" <focus-mssecurityfocus.com>; "Katherine Ogden" <kogden4cd.net>
    Sent: Thursday, January 10, 2002 2:57 AM
    Subject: RE: Think I've got trouble

    > Katherine,
    >
    > I've found a page on the net that specifies the ports used by trojans
    > http://www.freewareposse.com/ports.html
    >
    > As I would see it both servers may be infected by a trojan, but I'm not
    > an Exchange Whiz and exchange might be using these ports to do something
    > useful.
    >
    > More on the Xtreme trojan may be found here:
    > http://www.glocksoft.com/trojan_list/Xtreme.htm
    >
    > More on the BLA trojan may be found here:
    > http://www.glocksoft.com/trojan_list/BLA_trojan.htm
    >
    > You might wanna download the free LANGUARD Network scanner from GFI Software:
    > http://www.gfi.com/languard/lantools.htm
    > It gives you a detailed view of all the hosts on your network (or the range
    > you put in), with OS, SP, Registry Settings, Known vulns (with a link to a
    > BUGTRAQ post or a MS advisory).
    >
    > Good luck, and let us know if it was a false alarm or not.
    >
    > Cheers,
    >
    > Wim
    > >===== Original Message From Katherine Ogden <kogden4cd.net> =====
    > >We began having trouble with our exchange server.
    > >For no reason we could pin down the OWA would
    > >throw up an error and stop the www service. Being
    > >the slightly paranoid sort I downloaded Retina and ran
    > >it against the email server. It showed the usual things
    > >but it also showed
    > >Port 1058 - Nim
    > >Port 1090 - Xtreme
    > >
    > >Two other exchange servers show these ports open.
    > >Port 1042 - Bla
    > >Port 1059 - Nimreg
    > >
    > >Two questions. Does anybody know what these
    > >are? And am I right in assuming that these machines
    > >have been compromised and will need to be rebuilt?
    > >
    > >Thank you for the help.
    >
    >
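Stonewall's checklist (scan every port, then for each open one ask which process owns it, whether that process belongs on the box, and whether the binary is still the one you installed) as a script. This is an added example, not code from the original thread. It is Python, and it runs over constructed sample data: a `netstat -ano` style listing, a PID-to-image table, stand-in "binary contents", and a baseline of expected listeners with the SHA-256 of each image recorded when the host was known good. Every port, PID, path and byte string below is made up for illustration; nothing is taken from the servers discussed in the thread, and the verdict names are this example's own.

```python
"""Triage listening ports against a known-good baseline.

Added example (not from the original thread). For each reachable socket:
  1. which process opened it (PID -> image path),
  2. is that process expected to listen on that port at all,
  3. is the image on disk still the one recorded in the baseline.
All sample data below is constructed for illustration.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from typing import Callable

# Constructed sample of `netstat -ano` output (Windows). Not real data.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1892
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1892
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       744
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       2316
  TCP    0.0.0.0:1090           0.0.0.0:0              LISTENING       2316
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:80            10.0.0.77:51234        ESTABLISHED     1892
  UDP    0.0.0.0:1058           *:*                                    2316
"""

# Constructed PID -> image path, as you would get from tasklist or Process Explorer.
PROCESSES = {
    4: "System",
    744: r"C:\WINNT\system32\svchost.exe",
    1892: r"C:\WINNT\system32\inetsrv\inetinfo.exe",
    2316: r"C:\WINNT\system32\unknown.exe",
}

# Constructed stand-ins for file contents so the example runs offline.
# In practice read the image from disk and hash that.
BINARY_CONTENT = {
    r"C:\WINNT\system32\svchost.exe": b"svchost-CHANGED",  # differs from baseline
    r"C:\WINNT\system32\inetsrv\inetinfo.exe": b"inetinfo-original",
    r"C:\WINNT\system32\unknown.exe": b"whatever",
}


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Expected:
    image: str      # image allowed to own this port
    sha256: str     # hash of that image when the host was built ("" = kernel, no file)
    note: str       # why the port is open


# Baseline recorded when the host was known good (constructed).
BASELINE = {
    ("TCP", 25): Expected(PROCESSES[1892], sha256_of(b"inetinfo-original"), "SMTP"),
    ("TCP", 80): Expected(PROCESSES[1892], sha256_of(b"inetinfo-original"), "HTTP/OWA"),
    ("TCP", 443): Expected(PROCESSES[1892], sha256_of(b"inetinfo-original"), "HTTPS"),
    ("TCP", 135): Expected(PROCESSES[744], sha256_of(b"svchost-original"), "RPC endpoint mapper"),
    ("TCP", 139): Expected("System", "", "NetBIOS session service"),
}


@dataclass(frozen=True)
class Listener:
    proto: str
    port: int
    pid: int


# Matches TCP lines (with a state column) and UDP lines (no state column).
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_listeners(netstat_output: str) -> list[Listener]:
    """Return what a remote port scan could hit: TCP sockets in LISTENING
    and every UDP socket (UDP has no state). Established TCP flows are skipped."""
    found = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["proto"] == "TCP" and m["state"] != "LISTENING":
            continue
        found.append(Listener(m["proto"], int(m["lport"]), int(m["pid"])))
    return found


def triage(listeners: list[Listener], processes: dict[int, str],
           baseline: dict[tuple[str, int], Expected],
           read_binary: Callable[[str], bytes]) -> dict[tuple[str, int], tuple[str, str]]:
    """Map (proto, port) -> (verdict, owning image). Verdicts, in the order checked:
    UNEXPECTED_PORT  - nothing in the baseline says this port should be open (steps 1-2)
    WRONG_PROCESS    - port is expected, but a different image owns it (step 2)
    MODIFIED_BINARY  - expected image, but its hash no longer matches (step 3)
    OK               - expected image, hash unchanged"""
    findings = {}
    for lst in listeners:
        image = processes.get(lst.pid, "<pid not found>")
        exp = baseline.get((lst.proto, lst.port))
        if exp is None:
            verdict = "UNEXPECTED_PORT"
        elif image != exp.image:
            verdict = "WRONG_PROCESS"
        elif exp.sha256 and sha256_of(read_binary(image)) != exp.sha256:
            verdict = "MODIFIED_BINARY"
        else:
            verdict = "OK"
        findings[(lst.proto, lst.port)] = (verdict, image)
    return findings


def run_example() -> dict[tuple[str, int], tuple[str, str]]:
    """Run the triage over the constructed sample data."""
    return triage(parse_listeners(NETSTAT_SAMPLE), PROCESSES, BASELINE,
                  lambda path: BINARY_CONTENT.get(path, b""))


if __name__ == "__main__":
    for (proto, port), (verdict, image) in sorted(run_example().items()):
        print(f"{proto:3} {port:5d}  {verdict:16} {image}")
```

Anything other than OK is the start of Stonewall's step 4, not the end of the investigation: an UNEXPECTED_PORT owned by a vendor process may simply be a dynamic port the baseline never captured, while a MODIFIED_BINARY on a service you rely on is exactly the "Trojaned replacement" case and is worth preserving for analysis before you kill it. The baseline hashes must come from a trusted source (install media or a build taken before the host was exposed), since a hash recorded from a machine that was already compromised only confirms the attacker's version.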