Security Incidents mailing list archives

RE: DDoS to microsoft sites


From: H C <keydet89 () yahoo com>
Date: Wed, 30 Jan 2002 11:44:22 -0800 (PST)

Matt,

     7  Echo
     9  Discard

[list of ports truncated]

The client claims that they are not running Appletalk (548) but I'm not sure whether to believe. We haven't been able to get console access to that machine to do any further investigation (but have blocked it upstream). Of the above services, most look legit from what I can tell with the exception of 548 and 1025-1027

Most probably your client has been rooted. 

Based on a list of open ports derived from a port
scan, how can you say that?


Until some very basic information is collected from
the system...which the client can do
themselves...using fport, pslist, psservice, listdlls,
etc...there's really no way to tell what's going on. 

Given that trojans are configurable, and also given
that some trojans use known ports, using lists of
trojans and a port scan isn't a very conclusive means
of investigating.
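As an added illustration of the point above (example code, not from the list post, and not Foundstone's fport itself): a small triage script that joins a scanned port list to fport-style port-to-process output, so each port is judged by the binary that owns it rather than by its number. The fport column layout, the sample rows and the trusted directory are constructed assumptions.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample in the fport column layout (Pid Process -> Port Proto Path);
# not output from the machine discussed in the thread.
FPORT_SAMPLE = r"""
Pid   Process            Port  Proto Path
8     System         ->  7     TCP
8     System         ->  9     TCP
8     System         ->  548   TCP
412   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
1204  srvany         ->  1025  TCP   C:\Temp\srvany.exe
468   MSTask         ->  1026  TCP   C:\WINNT\system32\MSTask.exe
"""

# Ports the port scan reported open (constructed subset of the quoted list).
SCAN_PORTS = [7, 9, 135, 548, 1025, 1026, 1027]

# Where a stock NT/2000 service binary is expected to live (assumption, first-pass only).
TRUSTED_DIR = "c:\\winnt\\"

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$", re.I)


class Binding(NamedTuple):
    pid: int
    process: str
    port: int
    proto: str
    path: str  # empty when fport prints no path (kernel-owned sockets)


def parse_fport(text: str) -> List[Binding]:
    """Turn fport-style rows into Binding records; header and blank lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(Binding(int(m[1]), m[2], int(m[3]), m[4].upper(), m[5]))
    return out


def triage(scan_ports: List[int], bindings: List[Binding]) -> Dict[int, str]:
    """Classify each scanned TCP port by its owning process, not by the port number."""
    by_port = {b.port: b for b in bindings if b.proto == "TCP"}
    verdict = {}
    for port in scan_ports:
        b = by_port.get(port)
        if b is None:
            verdict[port] = "no owning process reported: re-check the scan or look for a hidden listener"
        elif not b.path:
            verdict[port] = f"kernel-owned ({b.process}); identify the service that opens it"
        elif b.path.lower().startswith(TRUSTED_DIR):
            verdict[port] = f"{b.process} pid {b.pid} from system dir; likely legitimate, still verify the file"
        else:
            verdict[port] = f"{b.process} pid {b.pid} from {b.path}; investigate the binary"
    return verdict
```

Port 1027, open in the scan but absent from the process map, is the interesting case: the scan alone cannot distinguish a closed-since-then port from a listener the userland tools cannot see.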



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
