Security Incidents mailing list archives

Re: Port Zero


From: Andrew Simmons <asimmons () messagelabs com>
Date: Tue, 19 Jul 2005 15:46:12 +0100

nony101 () last za net wrote:
> I had an incident yesterday (18 June 2005),

I guess you meant July :)

> where a client's Windows box listed almost every possible port as open,
> listening in the same way described above. Similar netstat -an output
> as above. From my experience this isn't normal.


ditto


> A few hours later the machine rapidly started sending packets to random addresses on port 443.


I guess you mean "apparently random" in that you couldn't see a pattern... were the IPs probed running HTTPS servers? Did you get a packet capture? Was there any other traffic from this machine - ICMP?


\a

(speaking for myself only)

--
Andrew Simmons
Technical Security Consultant
MessageLabs

Mobile: +44 (7917) 178745
asimmons () messagelabs com
 www.messagelabs.com

MessageLabs - Be certain


