Security Incidents mailing list archives
Re: (AUSCERT#c42e2) Re: odd traffic on port 80 from win 98 system -Frethem.K
From: H C <keydet89 () yahoo com>
Date: Tue, 6 Aug 2002 05:32:54 -0700 (PDT)
Russ, Thanks for the follow-up on the issue...such a thing is extremely rare, particularly in the Incidents list. Also, the detail of the follow-up is very helpful to folks who simply lurk on the list...
> My guess is that these machines are previously compromised systems and that this could be a way of distributing updates or backdoors through the network, or am I just being paranoid?
Well, I'd say that unless you have some evidence to back it up, it's an assumption that may bite you in the arse later. The thing is, an investigator should never approach a system with preconceived notions...having a theory is something different, but having a preconceived notion means that you're not necessarily going to look for data...you're going to look for data that supports your assumption. Now, if you do have information that supports your assumption about the machines being previously compromised...that's great. Otherwise, you're likely to get yourself into trouble being paranoid.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com