Security Incidents mailing list archives
Re: Compromized Windows NT machine?
From: dbroggy () manageworx com
Date: Fri, 26 Jul 2002 11:55:41 -0500
Is this an Exchange Server? I don't recall the port numbers but I know they were all UDP and an expensive call to Microsoft came back as 'this is normal'. In my case they came from the MTA and there is no adjustment.

----- Original Message -----
From: GabyHornik () lotus iot dtag de
Date: Friday, July 26, 2002 4:08 am
Subject: Compromized Windows NT machine?

Hello!

Recently while looking over some firewall logs I encountered some strange traffic from a WinNT machine. Every 90 minutes it tries to connect to a bulk of machines to port 4665 (normally eDonkey clients). That alone isn't strange at all, but there's coming a bulk of other ports with it, in detail:

udp/smtp
udp/8004
udp/8665
udp/7665
udp/4765
udp/84
udp/2004
udp/6890
udp/28014
udp/6670

udp/smtp is coming nearly every minute, the rest every 90 minutes.

Has anybody seen this before or can anybody identify this as a trojan?

Thanks,
Gaby

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
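
An added example, not part of the original thread: one way to confirm the two rhythms described above (a sweep every 90 minutes, udp/smtp nearly every minute) is to group a host's firewall hits by protocol and port and measure the time between bursts. The log format, the addresses, the thresholds and the sample data are constructed assumptions; "smtp" is taken as port 25.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed log format (constructed, not from the post):
#   2002-07-26 00:00:00 DENY udp 10.0.0.5 -> 192.0.2.10:4665
LINE = re.compile(r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ (?P<proto>tcp|udp) "
                  r"(?P<src>\S+) -> [^:\s]+:(?P<port>\d+)$")

def periodic_ports(lines, src, burst_gap=30, tolerance=0.1, min_bursts=3):
    """Map (proto, port) -> median seconds between bursts, for one source host."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if m and m["src"] == src:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            seen[(m["proto"], int(m["port"]))].append(ts)
    result = {}
    for key, stamps in seen.items():
        stamps.sort()
        # Hits within burst_gap seconds of a burst's start count as one burst.
        bursts = [stamps[0]]
        for ts in stamps[1:]:
            if (ts - bursts[-1]).total_seconds() > burst_gap:
                bursts.append(ts)
        if len(bursts) < min_bursts:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(bursts, bursts[1:])]
        mid = median(gaps)
        # Report the port only if every gap is within tolerance of the median.
        if all(abs(g - mid) <= tolerance * mid for g in gaps):
            result[key] = mid
    return result

def sample_log():
    """Constructed data: 90-minute sweeps, a 1-minute port, one irregular port."""
    t0, out = datetime(2002, 7, 26), []
    def add(ts, port, host):
        out.append(f"{ts:%Y-%m-%d %H:%M:%S} DENY udp 10.0.0.5 -> 192.0.2.{host}:{port}")
    for n in range(4):                       # four sweeps, 90 minutes apart
        for host in (10, 11, 12):
            for port in (4665, 8004):
                add(t0 + timedelta(minutes=90 * n, seconds=host - 10), port, host)
    for n in range(10):                      # udp/25 once a minute
        add(t0 + timedelta(minutes=n), 25, 10)
    for minutes in (3, 50, 61, 200):         # irregular traffic
        add(t0 + timedelta(minutes=minutes), 53, 10)
    return out
```

A fixed interval shared by several ports points to one scheduled process on the host, which narrows the search to services and scheduled tasks running on that timer.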
Current thread:
- Compromized Windows NT machine? GabyHornik (Jul 26)
- Re: Compromized Windows NT machine? Frank Knobbe (Jul 29)
- <Possible follow-ups>
- Re: Compromized Windows NT machine? dbroggy (Jul 26)