Security Incidents mailing list archives

Re: Compromized Windows NT machine?

From: dbroggy () manageworx com
Date: Fri, 26 Jul 2002 11:55:41 -0500

Is this an Exchange Server? I don't recall the port numbers but I 
know they were all UDP and an expensive call to Microsoft came 
back as 'this is normal'. In my case they came from the MTA and 
there is no adjustment.

----- Original Message -----
From: GabyHornik () lotus iot dtag de
Date: Friday, July 26, 2002 4:08 am
Subject: Compromized Windows NT machine?

Hello!

Recently while looking over some firewall logs I encountered some 
strangetraffic from a WinNT machine.
Every 90 minutes it tries to connect to a bulk of machines to port 
4665(normally eDonkey clients).
That alone isn't strange at all, but there's coming a bulk of 
other ports
with it, in detail
udp/smtp
udp/8004
udp/8665
udp/7665
udp/4765
udp/84
udp/2004
udp/6890
udp/28014
udp/6670

udp/smtp is coming nearly every minute, the rest every 90

minutes.


Has anybody seen this before or can anybody identify this as a

trojan?


Thanks, Gaby


-------------------------------------------------------------------
---------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Compromized Windows NT machine? GabyHornik (Jul 26)
- Re: Compromized Windows NT machine? Frank Knobbe (Jul 29)
- <Possible follow-ups>
- Re: Compromized Windows NT machine? dbroggy (Jul 26)