Firewall Wizards mailing list archives

Re: OT? New compromise.

From: jseymour () linxnet com (Jim Seymour)
Date: Wed, 28 Mar 2007 22:59:41 -0400 (EDT)


"=?ISO-8859-1?Q?Stian_=D8vrev=E5ge?=" <sovrevage () gmail com> wrote:

[snip]


And I also think that even if port so and so is listed as belonging to
this and that innocent application is fairly irrelevant.


Indeed.  When I see something trying to go out, the next thing I do is
approach the machine's user and ask them what they were trying to do at
such-and-such a time.  They damn well better have been trying to do
what that port's legitimate usage reflects.  Otherwise that machine
gets yanked off the network until the mystery is resolved.

                                                         I know for
sure if I wrote a virus/worm (if that's what it is) like this I'd pick
ports that would blend in.


Yup.

                           From what I understand a large anomaly is
what made Jim do some digging,


It's not me doing the digging.  My only involvement was passing-along
something I'd seen on another mailing list to which I belong.  The
information looked sufficiently intriguing that I thought the
firewall-wizards membership might likewise find it interesting, and may
even have additional information.

                               statistics is a wonderful thing, and
I'm pretty certain that statistic anomalies like this is not
coincidental. The anomaly itself need not be caused by any party that
means harm. But the other signs (though vague) of foul play indicates,
imho, that it might well be.


The people that *are* looking into it are sufficiently concerned such
that multiple entities, from a variety of areas, are looking into it.

Apparently this isn't ringing any bells for anybody here.  So either
it's nothing at all or it really is something brand new that's just
being discovered.

Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/contact/scform.php>.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

FW: OT? New compromise. Jim Seymour (Mar 28)
- Re: FW: OT? New compromise. Victor Williams (Mar 28)
  - Re: FW: OT? New compromise. Jim Seymour (Mar 28)
    - Re: FW: OT? New compromise. Mitko Stoyanov (Mar 29)
- <Possible follow-ups>
- Re: OT? New compromise. St John, Richard (Mar 28)
  - Re: OT? New compromise. J. Oquendo (Mar 28)
    - Re: OT? New compromise. Stian Øvrevåge (Mar 28)
    - Re: OT? New compromise. Jim Seymour (Mar 29)
    - Re: OT? New compromise. Paul D. Robertson (Mar 29)
    - Re: OT? New compromise. J. Oquendo (Mar 29)
    - Re: OT? New compromise. Paul D. Robertson (Mar 29)
    - Re: OT? New compromise. Victor Williams (Mar 29)
    - Re: OT? New compromise. Mattias Ahnberg (Mar 29)
    - Re: OT? New compromise. Mark (Mar 29)
    - Re: OT? New compromise. Richard Golodner (Mar 29)
- Re: OT? New compromise. Mike Barkett (Mar 29)
  - Re: OT? New compromise. Frank Knobbe (Mar 31)