Firewall Wizards mailing list archives
Re: OT? New compromise.
From: jseymour () linxnet com (Jim Seymour)
Date: Wed, 28 Mar 2007 22:59:41 -0400 (EDT)
"Stian Øvrevåge" <sovrevage () gmail com> wrote:
[snip]
> And I also think that even if port so-and-so is listed as belonging to this or that innocent application, that is fairly irrelevant.
Indeed. When I see something trying to go out, the next thing I do is approach the machine's user and ask them what they were trying to do at such-and-such a time. They damn well better have been trying to do what that port's legitimate usage reflects. Otherwise that machine gets yanked off the network until the mystery is resolved.
> I know for sure that if I wrote a virus/worm (if that's what it is) like this, I'd pick ports that would blend in.
Yup.
> From what I understand, a large anomaly is what made Jim do some digging,
It's not me doing the digging. My only involvement was passing along something I'd seen on another mailing list to which I belong. The information looked sufficiently intriguing that I thought the firewall-wizards membership might likewise find it interesting, and might even have additional information.
> Statistics is a wonderful thing, and I'm pretty certain that statistical anomalies like this are not coincidental. The anomaly itself need not be caused by any party that means harm. But the other signs (though vague) of foul play indicate, IMHO, that it might well be.
The people that *are* looking into it are sufficiently concerned that multiple entities, from a variety of areas, are looking into it. Apparently this isn't ringing any bells for anybody here. So either it's nothing at all or it really is something brand new that's just being discovered.

Jim

--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.linxnet.com/contact/scform.php>.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
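The approach discussed in the message above (treat a burst of outbound connections on a port as a statistical anomaly against the previous days, ignore what the port registry says the port is "for", and then go and ask the user of each source host what they were doing) is sketched here as an added example; this is not code from the original post or from anyone in the thread. The netfilter-style log line format, the hosts, the destination port, the z-score and ratio thresholds and the three-day baseline are all assumptions made for the illustration, and the log lines are constructed, not captured traffic.

```python
"""Flag outbound destination ports whose daily count departs from the
baseline, then list the source hosts whose users should be asked about it.

Added example for the firewall-wizards thread; not the poster's own code.
"""
import statistics
from collections import Counter, defaultdict


def _log_line(day, hour, src, dst, proto, dpt):
    """Build one netfilter-style syslog line (approximated format, constructed)."""
    return (f"Mar {day} {hour:02d}:00:00 fw kernel: FW-OUT: IN= OUT=eth1 "
            f"SRC={src} DST={dst} LEN=60 TTL=64 PROTO={proto} SPT=51000 DPT={dpt}")


def _build_sample_log():
    """Constructed sample: three ordinary days, then a day with a new port."""
    lines = []
    for day in (25, 26, 27, 28):
        for hour, src in ((9, "10.0.0.11"), (10, "10.0.0.12"), (11, "10.0.0.13")):
            lines.append(_log_line(day, hour, src, "203.0.113.5", "TCP", 443))
        lines.append(_log_line(day, 12, "10.0.0.20", "203.0.113.25", "TCP", 25))
        for hour, src in ((8, "10.0.0.11"), (13, "10.0.0.12")):
            lines.append(_log_line(day, hour, src, "203.0.113.53", "UDP", 53))
    # One extra HTTPS session on the last day: ordinary growth, must not fire.
    lines.append(_log_line(28, 14, "10.0.0.14", "203.0.113.5", "TCP", 443))
    # Six new sessions on a port chosen to blend in with client traffic
    # (port number invented for the example, not taken from the thread).
    for hour in (1, 2, 3):
        lines.append(_log_line(28, hour, "10.0.0.31", "198.51.100.77", "TCP", 1863))
        lines.append(_log_line(28, hour + 3, "10.0.0.32", "198.51.100.77", "TCP", 1863))
    return lines


SAMPLE_LOG_LINES = _build_sample_log()


def parse_line(line):
    """Return an outbound record from a KEY=VALUE firewall line, else None."""
    parts = line.split()
    if len(parts) < 3:
        return None
    fields = dict(p.split("=", 1) for p in parts if "=" in p)
    # Egress only: OUT= carries an interface name on outbound packets.
    if not fields.get("OUT") or "SRC" not in fields or "DPT" not in fields:
        return None
    return {
        "day": f"{parts[0]} {parts[1]}",
        "src": fields["SRC"],
        "dst": fields.get("DST", "?"),
        "proto": fields.get("PROTO", "?"),
        "dpt": int(fields["DPT"]),
    }


def outbound_port_anomalies(lines, observe_day, sigma=3.0, ratio=2.0, min_count=3):
    """Ports whose count on observe_day exceeds the per-day baseline.

    Every other day in the log is baseline. A port is flagged when its count
    is at least min_count and above both mean + sigma*stddev and ratio*mean;
    the second guard keeps a zero-variance baseline (stddev == 0) from
    flagging a single extra connection.
    """
    per_day = defaultdict(Counter)                          # day -> Counter(dpt)
    per_day_sources = defaultdict(lambda: defaultdict(Counter))  # day -> dpt -> Counter(src)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_day[rec["day"]][rec["dpt"]] += 1
        per_day_sources[rec["day"]][rec["dpt"]][rec["src"]] += 1
    baseline_days = [d for d in per_day if d != observe_day]
    if not baseline_days:
        raise ValueError("no baseline days in log")
    today = per_day.get(observe_day, Counter())
    findings = []
    for dpt, count in sorted(today.items()):
        history = [per_day[d][dpt] for d in baseline_days]   # 0 on days it was absent
        mu = statistics.mean(history)
        sd = statistics.pstdev(history)
        threshold = max(mu + sigma * sd, ratio * mu)
        if count >= min_count and count > threshold:
            findings.append({
                "dpt": dpt,
                "count": count,
                "baseline_mean": mu,
                "threshold": threshold,
                "sources": dict(per_day_sources[observe_day][dpt]),
            })
    return findings


def hosts_to_question(findings):
    """(src, dpt, count) triples: whose user to ask what they were doing on that port."""
    out = []
    for f in findings:
        for src, n in f["sources"].items():
            out.append((src, f["dpt"], n))
    return sorted(out)


if __name__ == "__main__":
    for f in outbound_port_anomalies(SAMPLE_LOG_LINES, "Mar 28"):
        print(f"DPT={f['dpt']}: {f['count']} today, baseline mean {f['baseline_mean']:.1f}")
    for src, dpt, n in hosts_to_question(outbound_port_anomalies(SAMPLE_LOG_LINES, "Mar 28")):
        print(f"  ask user of {src}: {n} outbound sessions to port {dpt}")
```

On the constructed log the only finding is port 1863 (six sessions from 10.0.0.31 and 10.0.0.32 against a baseline of zero); the fourth HTTPS session on Mar 28 stays below the ratio guard and is not reported. With real logs the baseline window should be longer than three days, and the guard values need tuning to the site's own traffic, since the point of the thread is that the port number alone tells you nothing.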
Current thread:
- FW: OT? New compromise. Jim Seymour (Mar 28)
- Re: FW: OT? New compromise. Victor Williams (Mar 28)
- Re: FW: OT? New compromise. Jim Seymour (Mar 28)
- Re: FW: OT? New compromise. Mitko Stoyanov (Mar 29)
- Re: FW: OT? New compromise. Jim Seymour (Mar 28)
- <Possible follow-ups>
- Re: OT? New compromise. St John, Richard (Mar 28)
- Re: OT? New compromise. J. Oquendo (Mar 28)
- Re: OT? New compromise. Stian Øvrevåge (Mar 28)
- Re: OT? New compromise. Jim Seymour (Mar 29)
- Re: OT? New compromise. Paul D. Robertson (Mar 29)
- Re: OT? New compromise. J. Oquendo (Mar 29)
- Re: OT? New compromise. Paul D. Robertson (Mar 29)
- Re: OT? New compromise. J. Oquendo (Mar 28)
- Re: OT? New compromise. Victor Williams (Mar 29)
- Re: FW: OT? New compromise. Victor Williams (Mar 28)
- Re: OT? New compromise. Mattias Ahnberg (Mar 29)
- Re: OT? New compromise. Mark (Mar 29)
- Re: OT? New compromise. Richard Golodner (Mar 29)
- Re: OT? New compromise. Frank Knobbe (Mar 31)