Security Incidents mailing list archives
VirusWall?
From: George Bakos <alpinista () BIGFOOT COM>
Date: Tue, 10 Oct 2000 10:56:54 -0400
The nature of the following activity hasn't yet been pinned down by the organizational folks at the source, but it does smack of evil doings. Port 19000 is the default listener for one of the sendmail daemons of TrendMicro's VirusWall "sandwich" configuration. Note the sequence & IP id numbers as well:

04:34:39.469094 146.9.31.161.20 > good.guys.net.host32.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
04:34:39.475976 146.9.31.161.20 > good.guys.net.host33.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
04:34:39.482850 146.9.31.161.20 > good.guys.net.host34.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
04:34:39.521424 146.9.31.161.20 > good.guys.net.host40.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20841)
04:34:39.594107 146.9.31.161.20 > good.guys.net.host50.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20911)
04:34:39.662068 146.9.31.161.20 > good.guys.net.host60.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20911)

Correlation: rbernadino () bta pt posted a similar trace to firewalls () lists gnac net one hour after this one was logged.

If using VirusWall, consider using ports other than the default, as well as enabling anti-relaying and firewalling to allow traffic only from the VirusWall host to the internal mail daemon, bastion-host style.

--
George Bakos, Security Engineer
Electronic Warfare Associates-Information & Infrastructure Technologies
alpinista () bigfoot com
802-338-3213
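The trace in the post, run through a small detector, as an added example that is not part of the original message. It parses the old tcpdump line format shown above, groups SYNs by source address and destination port, and reports a horizontal sweep together with the crafted-packet fingerprint the post points at: a constant sequence number, an IP id that repeats across packets, and a fixed source port of 20 (ftp-data, a port that stateless packet filters of the era often let in). The six trace lines are copied from the post; the seventh line, from the made-up host mailhost.example.com, is constructed as a benign control, and the thresholds and indicator strings are my own choices.

```python
"""Detect a SYN sweep with crafted-packet indicators in tcpdump 3.x-era output.

Added example, not code from the post. Parses lines of the form
  HH:MM:SS.usec src.sport > dst.dport: S seq:seq(len) win N (DF) (ttl T, id I)
and flags one source hitting several hosts on one port in a short window.
"""
import re
from collections import defaultdict

# Lines 1-6 are copied from the post. Line 7 is CONSTRUCTED: a single normal
# SYN from a made-up host (mailhost.example.com) that must not raise an alert.
SAMPLE_TRACE = """\
04:34:39.469094 146.9.31.161.20 > good.guys.net.host32.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
04:34:39.475976 146.9.31.161.20 > good.guys.net.host33.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
04:34:39.482850 146.9.31.161.20 > good.guys.net.host34.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
04:34:39.521424 146.9.31.161.20 > good.guys.net.host40.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20841)
04:34:39.594107 146.9.31.161.20 > good.guys.net.host50.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20911)
04:34:39.662068 146.9.31.161.20 > good.guys.net.host60.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20911)
04:35:02.104433 mailhost.example.com.33412 > good.guys.net.host32.19000: S 3828173321:3828173321(0) win 32120 (DF) (ttl 64, id 4121)
""".splitlines()

# Host and port are separated by the last dot; \S+ backtracks to find it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRPU.]+)\s+"
    r"(?P<seq>\d+):\d+\(\d+\)\s+"
    r"win\s+(?P<win>\d+)"
    r"(?:\s+\(DF\))?\s+"
    r"\(ttl\s+(?P<ttl>\d+),\s+id\s+(?P<ipid>\d+)\)"
)


def parse_line(line):
    """Return the fields we need as a dict, or None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    h, mi, s = f["ts"].split(":")
    return {
        "ts": int(h) * 3600 + int(mi) * 60 + float(s),
        "src": f["src"], "sport": int(f["sport"]),
        "dst": f["dst"], "dport": int(f["dport"]),
        "flags": f["flags"], "seq": int(f["seq"]),
        "win": int(f["win"]), "ttl": int(f["ttl"]), "ipid": int(f["ipid"]),
    }


def find_syn_sweeps(lines, min_targets=3, window=1.0):
    """Report each (src, dport) whose SYNs reach >= min_targets distinct hosts
    inside `window` seconds, with the crafted-packet indicators observed.
    Thresholds are my own choice for this example."""
    by_key = defaultdict(list)
    for line in lines:
        p = parse_line(line)
        if p and p["flags"] == "S":
            by_key[(p["src"], p["dport"])].append(p)

    alerts = []
    for (src, dport), pkts in by_key.items():
        pkts.sort(key=lambda p: p["ts"])
        # Sliding window: any run starting at packet i that stays within
        # `window` seconds and touches min_targets distinct hosts is a sweep.
        hit = None
        for i, first in enumerate(pkts):
            run = [p for p in pkts[i:] if p["ts"] - first["ts"] <= window]
            if len({p["dst"] for p in run}) >= min_targets:
                hit = run
                break
        if hit is None:
            continue
        indicators = []
        if len({p["seq"] for p in hit}) == 1:          # real stacks randomise ISNs
            indicators.append("constant TCP sequence number")
        ipids = [p["ipid"] for p in hit]
        if len(set(ipids)) < len(ipids):               # IP id normally increments per packet
            indicators.append("repeated IP id")
        sport = hit[0]["sport"]
        if all(p["sport"] == sport for p in hit) and sport < 1024:
            indicators.append("fixed privileged source port %d" % sport)
        alerts.append({
            "src": src, "dport": dport,
            "targets": sorted({p["dst"] for p in hit}),
            "span": round(hit[-1]["ts"] - hit[0]["ts"], 6),
            "indicators": indicators,
        })
    return alerts


if __name__ == "__main__":
    for a in find_syn_sweeps(SAMPLE_TRACE):
        print("SYN sweep from %s to port %d: %d hosts in %.3fs; %s" % (
            a["src"], a["dport"], len(a["targets"]), a["span"],
            ", ".join(a["indicators"])))
```

The sweep itself (one source, one port, many hosts in under a second) is what a firewall log or IDS would already show; the indicator list is the part worth keeping, since identical sequence numbers and IP ids across packets mean the SYNs were generated by a packet-crafting tool rather than a real TCP stack, which rules out a misconfigured mailer probing for a peer.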
Current thread:
- VirusWall? George Bakos (Oct 11)
- <Possible follow-ups>
- Re: VirusWall? Fernando Cardoso (Oct 12)