Re: Think I've got trouble

["Nexus" <nexus () patrol i-way co uk>]

As they are all > 1024 they _could_ be anything - there was a thread
recently that dealt with identifying what programs were listening on what
ports.   Some of these are :

Foundstones FPort
http://www.foundstone.com/rdlabs/tools.php?category=Forensic

TCPView Pro
http://www.winternals.com/products/monitoringtools/tcpviewpro.asp

Inzider
http://www.ntsecurity.nu/toolbox/inzider

The whole thread is at
http://www.securityfocus.com/cgi-bin/archive.pl?id=75&start=2002-01-06&end=2
002-01-12&threads=1&tid=246422

Cheers.

----- Original Message -----
From: "Katherine Ogden" <kogden () 4cd net>
To: <incidents () securityfocus com>
Sent: Wednesday, January 09, 2002 5:00 PM
Subject: Think I've got trouble


> We began having trouble with our exchange server.
> For no reason we could pin down the OWA would
> throw up an error and stop the www service.  Being
> the slightly paranoid sort I downloaded Retina and ran
> it against the email server.  It showed the usual things
> but it also showed
> Port 1058 - Nim
> Port 1090 - Xtreme
>
> Two other exchange servers show these ports open.
> Port 1042 - Bla
> Port 1059 - Nimreg
>
> Two questions.  Does anybody know what these
> are?  And am I right in assuming that these machines
> have been compromised and will need to be rebuilt?
>
> Thank you for the help.
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com