Security Incidents mailing list archives
Re: VirusWall?
From: Fernando Cardoso <fernando () BN PT>
Date: Thu, 12 Oct 2000 11:14:57 +0100
Could be something more sinister. Netscape Certificate Management System uses a LDAP Directory to store users' PINs. Although you can have the LDAP directory listening on whatever port you want, in the documentation (http://docs.iplanet.com/docs/manuals/cms/41/adm_gide/auth_pin.htm) port 19000 is used as an example...

Just my 5 Escudos (about $0.02 :)

Fernando

_________________________________________________________
Fernando Cardoso          Phone:   +351 21 7982186
Network Administrator     Fax:     +351 21 7982185
National Library          E-mail:  fernando () bn pt
Portugal                  PGP ID:  28551CB8
-----Original Message-----
From: George Bakos [mailto:alpinista () BIGFOOT COM]
Sent: Tuesday, 10 October 2000 15:57
To: INCIDENTS () SECURITYFOCUS COM
Subject: VirusWall?

The nature of the following activity hasn't yet been pinned down by the organizational folks at the source, but it does smack of evil doings. Port 19000 is the default listener for one of the sendmail daemons of TrendMicro's VirusWall "sandwich" configuration. Note the sequence & IP id numbers as well:

04:34:39.469094 146.9.31.161.20 > good.guys.net.host32.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
04:34:39.475976 146.9.31.161.20 > good.guys.net.host33.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
04:34:39.482850 146.9.31.161.20 > good.guys.net.host34.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
04:34:39.521424 146.9.31.161.20 > good.guys.net.host40.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20841)
04:34:39.594107 146.9.31.161.20 > good.guys.net.host50.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20911)
04:34:39.662068 146.9.31.161.20 > good.guys.net.host60.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20911)

Correlation: rbernadino () bta pt posted a similar trace to firewalls () lists gnac net one hour after this one was logged.

If using VirusWall, consider using ports other than the default, as well as enabling anti-relaying and firewalling to allow traffic only from the VirusWall host to the internal mail daemon, bastion-host style.

--
George Bakos, Security Engineer
Electronic Warfare Associates-Information & Infrastructure Technologies
alpinista () bigfoot com
802-338-3213
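Detection logic over the trace George quotes, added here as an example and not part of either post: it parses the tcpdump lines, groups SYN probes by source address, and reports any source that hits several hosts on port 19000 together with the oddities George points to (repeated IP ids, an identical sequence number, a single source port and a fixed ttl). The trace lines are copied from the post; the port and the three-host threshold are assumptions.

```python
import re
from collections import defaultdict

# Trace lines as quoted in George Bakos's post (tcpdump format of that era).
SAMPLE_TRACE = """\
04:34:39.469094 146.9.31.161.20 > good.guys.net.host32.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
04:34:39.475976 146.9.31.161.20 > good.guys.net.host33.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
04:34:39.482850 146.9.31.161.20 > good.guys.net.host34.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
04:34:39.521424 146.9.31.161.20 > good.guys.net.host40.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20841)
04:34:39.594107 146.9.31.161.20 > good.guys.net.host50.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20911)
04:34:39.662068 146.9.31.161.20 > good.guys.net.host60.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20911)
"""

# "<ts> <src>.<sport> > <dst>.<dport>: <flags> <seq>:<end>(<len>) ... (ttl N, id N)"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+) (?P<seq>\d+):\d+\(\d+\) "
    r".*?\(ttl (?P<ttl>\d+), id (?P<id>\d+)\)"
)


def parse(line):
    """Return the parsed fields of one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("sport", "dport", "seq", "ttl", "id"):
        fields[key] = int(fields[key])
    return fields


def find_syn_sweeps(lines, port=19000, min_hosts=3):
    """Group SYN-only probes to `port` by source; report sources that touched
    at least `min_hosts` distinct destinations (thresholds are assumptions),
    with the crafted-packet indicators visible in the header fields."""
    by_src = defaultdict(list)
    for line in lines:
        pkt = parse(line)
        if pkt and pkt["dport"] == port and pkt["flags"] == "S":
            by_src[pkt["src"]].append(pkt)
    report = {}
    for src, pkts in by_src.items():
        hosts = {p["dst"] for p in pkts}
        if len(hosts) < min_hosts:
            continue
        ids = [p["id"] for p in pkts]
        report[src] = {
            "targets": len(hosts),
            "source_ports": sorted({p["sport"] for p in pkts}),   # one port = not a normal stack
            "sequence_numbers": sorted({p["seq"] for p in pkts}), # same ISN on every SYN
            "repeated_ip_ids": sorted({i for i in ids if ids.count(i) > 1}),
            "ttls": sorted({p["ttl"] for p in pkts}),
        }
    return report
```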
Current thread:
- VirusWall? George Bakos (Oct 11)
- <Possible follow-ups>
- Re: VirusWall? Fernando Cardoso (Oct 12)