Security Incidents mailing list archives
RE: DDoS to microsoft sites
From: H C <keydet89 () yahoo com>
Date: Wed, 30 Jan 2002 11:44:22 -0800 (PST)
Matt,
7 Echo 9 Discard
[list of ports truncated]
The client claims that they are not running Appletalk (548) but I'm not sure whether to believe. We haven't been able to get console access to that machine to do any further investigation (but have blocked it upstream). Of the above services, most look legit from what I can tell with the exception of 548 and 1025-1027.

Most probably your client has been rooted.
Based on a list of open ports derived from a port scan, how can you say that? Until some very basic information is collected from the system...which the client can do themselves...using fport, pslist, psservice, listdlls, etc...there's really no way to tell what's going on. Given that trojans are configurable, and also given that some trojans use known ports, using lists of trojans and a port scan isn't a very conclusive means of investigating.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
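Added example, not part of the original message: a sketch of the host-side check the reply argues for, mapping each listening port to the process that owns it instead of guessing from port numbers. It assumes `netstat -ano` and `tasklist /fo csv /nh` output as stand-ins for fport and pslist; both samples below are constructed, not data from this thread.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (assumption, not from the thread).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING       1180
  TCP    0.0.0.0:9              0.0.0.0:0              LISTENING       1180
  TCP    0.0.0.0:548            0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       740
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       2996
  TCP    10.0.0.5:1027          10.0.0.9:445           ESTABLISHED     4
  UDP    0.0.0.0:1027           *:*                                    2996
"""

# Constructed sample of `tasklist /fo csv /nh` output (assumption).
TASKLIST = '''\
"System","4","Services","0","236 K"
"tcpsvcs.exe","1180","Services","0","3,104 K"
"sfmsvc.exe","1432","Services","0","2,880 K"
"mstask.exe","740","Services","0","3,512 K"
'''

def parse_tasklist(text):
    """Return {pid: image name} from CSV task list text."""
    rows = csv.reader(io.StringIO(text))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def listeners(netstat_text):
    """Yield (proto, port, pid) for TCP LISTENING rows and bound UDP rows."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue  # outbound or established connection, not a service
        # rsplit keeps working for bracketed IPv6 local addresses
        yield f[0], int(f[1].rsplit(":", 1)[1]), int(f[-1])

def map_ports(netstat_text, tasklist_text):
    """Return (proto, port, pid, image or None) for every listener."""
    procs = parse_tasklist(tasklist_text)
    return [(p, port, pid, procs.get(pid)) for p, port, pid in listeners(netstat_text)]

def unexplained(rows):
    """Listeners whose owning PID is missing from the task list."""
    return [r for r in rows if r[3] is None]

if __name__ == "__main__":
    for row in map_ports(NETSTAT, TASKLIST):
        print(row)
```

A listener whose PID does not appear in the task list is where the investigation goes next; the port number alone does not settle it either way.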