Security Incidents mailing list archives

RE: Think I've got trouble


From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Wed, 9 Jan 2002 20:18:27 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-----Original Message-----
From: Katherine Ogden [mailto:kogden () 4cd net]
Sent: Wednesday, January 09, 2002 11:01 AM

We began having trouble with our Exchange server. 
For no reason we could pin down the OWA would 
throw up an error and stop the www service.  Being 
the slightly paranoid sort I downloaded Retina and ran 
it against the email server.  It showed the usual things 
but it also showed
Port 1058 - Nim
Port 1090 - Xtreme

Two other Exchange servers show these ports open.
Port 1042 - Bla
Port 1059 - Nimreg

Katherine,

As Nexus said, use FPort (or similar) to figure out the service/task
associated with that port. My guess would be 1042 - dsamain.exe and
1059 - store.exe (which is the Directory service and the Information
Store of Exchange).

However, if FPort shows 1042 - winshell.exe, or any other executable
an ordinary NT server doesn't have, then yank the box and
investigate.

Regards,
Frank

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBPDz58szYtOFvgXQfEQL2XQCfQrL5fFM5RdVMY560RaszC5xRl4oAoPjN
muuJZfeDiElaa0fLRTsAJIom
=DwWz
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

