Security Incidents mailing list archives
Re: Port Zero
From: Andrew Simmons <asimmons () messagelabs com>
Date: Tue, 19 Jul 2005 15:46:12 +0100
nony101 () last za net wrote:
> I had an incident yesterday (18 June 2005),
I guess you meant July :)
> where a client's Windows box listed almost every possible port as open,
> listening in the same way described above. Similar netstat -an output
> as above. From my experience this isn't normal.
ditto
> A few hours later the machine rapidly started sending packets to random addresses on port 443.
I guess you mean "apparently random" in that you couldn't see a pattern... were the IPs probed running HTTPS servers? Did you get a packet capture? Was there any other traffic from this machine - ICMP?
\a
(speaking for myself only)
--
Andrew Simmons
Technical Security Consultant
MessageLabs
Mobile: +44 (7917) 178745
asimmons () messagelabs com
www.messagelabs.com
MessageLabs - Be certain