Security Incidents mailing list archives

Re: VirusWall?


From: Fernando Cardoso <fernando () BN PT>
Date: Thu, 12 Oct 2000 11:14:57 +0100

Could be something more sinister. Netscape Certificate Management System
uses an LDAP directory to store users' PINs. Although you can have the LDAP
directory listening on whatever port you want, in the documentation
(http://docs.iplanet.com/docs/manuals/cms/41/adm_gide/auth_pin.htm) port
19000 is used as an example...

Just my 5 Escudos (about $0.02 :)

Fernando


_________________________________________________________
Fernando Cardoso              Phone:   +351 21 7982186
Network Administrator         Fax:     +351 21 7982185
National Library              E-mail:  fernando () bn pt
Portugal                      PGP ID:  28551CB8 


-----Original Message-----
From: George Bakos [mailto:alpinista () BIGFOOT COM]
Sent: Tuesday, 10 October 2000 15:57
To: INCIDENTS () SECURITYFOCUS COM
Subject: VirusWall?


The nature of the following activity hasn't yet been pinned down by the
organizational folks at the source, but it does smack of evil doings. Port
19000 is the default listener for one of the sendmail daemons of
TrendMicro's VirusWall "sandwich" configuration. Note the sequence & IP id
numbers as well:

04:34:39.469094 146.9.31.161.20 > good.guys.net.host32.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
04:34:39.475976 146.9.31.161.20 > good.guys.net.host33.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
04:34:39.482850 146.9.31.161.20 > good.guys.net.host34.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
04:34:39.521424 146.9.31.161.20 > good.guys.net.host40.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20841)
04:34:39.594107 146.9.31.161.20 > good.guys.net.host50.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20911)
04:34:39.662068 146.9.31.161.20 > good.guys.net.host60.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20911)

Correlation:  rbernadino () bta pt posted a similar trace to
firewalls () lists gnac net one hour after this one was logged.

If using VirusWall, consider using ports other than the default, as well as
enabling anti-relaying and firewalling to allow traffic only from
the VirusWall host to the internal mail daemon, bastion-host style.

--
George Bakos, Security Engineer
Electronic Warfare Associates-Information & Infrastructure Technologies
alpinista () bigfoot com
802-338-3213
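The trace above carries three fingerprints of hand-crafted packets rather than a real TCP stack: a fixed, privileged source port (20, ftp-data, chosen to slip past filters that allow FTP data connections), the same TCP initial sequence number (1) on every SYN, and IP id values that repeat across packets instead of incrementing. The following detector is an added example, not code from either poster or from TrendMicro; it parses tcpdump summary lines in the format shown in the post (that format, and the threshold of three target hosts, are assumptions of the example) and reports one finding per source host and destination port, listing which of those anomalies it observed. The sample input is the six lines from the post, constructed here with each packet on one line.

```python
import re
from collections import defaultdict

# Constructed sample input: the six tcpdump lines from the post, re-joined so
# that each packet occupies a single line (the archive wrapped them).
SAMPLE_TRACE = """\
04:34:39.469094 146.9.31.161.20 > good.guys.net.host32.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
04:34:39.475976 146.9.31.161.20 > good.guys.net.host33.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
04:34:39.482850 146.9.31.161.20 > good.guys.net.host34.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
04:34:39.521424 146.9.31.161.20 > good.guys.net.host40.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20841)
04:34:39.594107 146.9.31.161.20 > good.guys.net.host50.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20911)
04:34:39.662068 146.9.31.161.20 > good.guys.net.host60.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20911)
"""

# Assumed line format: classic tcpdump TCP summary, e.g.
#   04:34:39.469094 src.sport > dst.dport: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPAU.]+) (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\) "
    r"win (?P<win>\d+)(?: \(DF\))? \(ttl (?P<ttl>\d+), id (?P<id>\d+)\)$"
)


def parse_trace(text):
    """Parse tcpdump TCP summary lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(m.groupdict())
    return packets


def find_crafted_syn_sweeps(packets, min_targets=3):
    """Report each (source host, destination port) that sends SYNs to at least
    min_targets distinct hosts, with the crafted-packet anomalies observed:
    a fixed privileged source port, a constant TCP ISN, and repeated IP ids.
    A real client stack picks a fresh ephemeral port and ISN per connection
    and increments the IP id per datagram, so each of these is a tell."""
    groups = defaultdict(list)
    for p in packets:
        if p["flags"] == "S":            # pure SYNs only: connection attempts
            groups[(p["src"], p["dport"])].append(p)

    findings = []
    for (src, dport), pkts in groups.items():
        targets = sorted({p["dst"] for p in pkts})
        if len(targets) < min_targets:
            continue                     # a handful of connections is not a sweep
        reasons = []
        sports = {p["sport"] for p in pkts}
        if len(sports) == 1 and int(next(iter(sports))) < 1024:
            reasons.append("fixed privileged source port %s" % next(iter(sports)))
        seqs = {p["seq"] for p in pkts}
        if len(seqs) == 1:
            reasons.append("identical TCP initial sequence number %s" % next(iter(seqs)))
        ids = [p["id"] for p in pkts]
        if len(ids) != len(set(ids)):
            reasons.append("repeated IP id values")
        findings.append({"src": src, "dport": dport, "targets": targets, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_crafted_syn_sweeps(parse_trace(SAMPLE_TRACE)):
        print("%s -> port %s on %d hosts: %s"
              % (f["src"], f["dport"], len(f["targets"]), "; ".join(f["reasons"]) or "no stack anomalies"))
```

Run against the sample it prints a single finding for 146.9.31.161 sweeping port 19000 on six hosts with all three anomalies. A sweep whose packets show no anomalies is still reported (a multi-host probe of one port is itself worth a look); a source that touches fewer than three hosts is not.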


