Security Incidents mailing list archives

RE: Think I've got trouble

From: Andrew Blevins <ABlevins () arrowheadgrp com>
Date: Wed, 9 Jan 2002 13:48:23 -0800

In my unexperienced opinion, I wouldn't rebuild quite yet. Is OWA running on
a box all by itself?  It's possible that it is conflicting in some way with
other services on the same box. Also, a scanner like Retina will assign
exloit/trojan names to open ports it finds on a box whether or not the box
is truly compromised. I would do some research on OWA exploits on Bugtraq
and Technet, and take a hard look at the machine for these known exploits
before abandoning it.

That is, unless it takes less time, and is easier for you to just rebuild!
Good luck, and listen to the infinitly more experienced people on this list
before my advice, just my two cents! :-)

Blevins


-----Original Message-----
From: Katherine Ogden [mailto:kogden () 4cd net]
Sent: Wednesday, January 09, 2002 9:01 AM
To: incidents () securityfocus com
Subject: Think I've got trouble




We began having trouble with our exchange server. 
For no reason we could pin down the OWA would 
throw up an error and stop the www service.  Being 
the slightly paranoid sort I downloaded Retina and ran 
it against the email server.  It showed the usual things 
but it also showed
Port 1058 - Nim
Port 1090 - Xtreme

Two other exchange servers show these ports open.
Port 1042 - Bla
Port 1059 - Nimreg

Two questions.  Does anybody know what these
are?  And am I right in assuming that these machines 
have been compromised and will need to be rebuilt?

Thank you for the help.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Think I've got trouble Katherine Ogden (Jan 09)
- Re: Think I've got trouble Hugo van der Kooij (Jan 09)
- Re: Think I've got trouble Nexus (Jan 09)
- <Possible follow-ups>
- RE: Think I've got trouble Andrew Blevins (Jan 09)
- RE: Think I've got trouble Frank Knobbe (Jan 09)