Re: (AUSCERT#c42e2) Re: odd traffic on port 80 from win 98 system -Frethem.K

[H C <keydet89 () yahoo com>]

Russ,

Thanks for the follow-up on the issue...such a thing
is extremely rare, particularly in the Incidents list.
 Also, the detail of the follow-up is very helpful to
folks who simply lurk on the list...

> My guess is that these machines are previously 
> compromised systems and that this could be a way of 
> distributing updates or backdoors through
> the network, or am I just being paranoid? 

Well, I'd say that unless you have some evidence to
back it up, it's an assumption that may bite you in
the arse later.  The thing is, an investigator should
never approach a system with preconceived
notions...having a theory is something different, but
having a preconceived notion means that you're not
necessarily going to look for data...you're going to
look for data that supports your assumption.

Now, if you do have information that supports your
assumption about the machines being previously
compromised...that's great.  Otherwise, you're likely
to get yourself into trouble being paranoid.



__________________________________________________
Do You Yahoo!?
Yahoo! Health - Feel better, live better
http://health.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com