Security Incidents mailing list archives

RE: Port 1975 rogue service


From: "Stacy Olivas" <olivas () digiflux org>
Date: Sun, 3 Nov 2002 18:18:37 +0100

Speaking of such compromises, here's an interesting article on another
example of one:
http://www.mynetwatchman.com/kb/security/articles/winforensics/index.htm

Sorry, might be slightly O/T, but it is interesting.

Enjoy!

-Stacy

-----Original Message-----
From: Steven M. Christey [mailto:coley () linus mitre org] 
Sent: Sunday, November 03, 2002 12:42 AM
To: incidents () securityfocus com
Subject: Re: Port 1975 rogue service


Just in case some list readers are wondering *why* this looks like an
FTP server, it's because of the "220-" lines, where 220 is a standard
status code.  FTP banners typically have multiple "220-" lines, and
the final banner line is a "220 " (the "-" is used to say "more lines
are coming.")

Even without knowing this signature of the FTP protocol, the banner
messages suggest a multi-user server ("leechers logged in") which is
used for data transfer ("kb leeched" and "kb filled").

- Steve

P.S.  To oversimplify, this is the sort of protocol-level knowledge
that might be expected of people with lower-level GIAC certifications
rather than broad-based CISSP certifications.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
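To make the protocol point in Steve's reply concrete for anyone triaging a banner like the one in this thread: the script below is an added example (not code from the thread or from any of the posters). It parses an FTP-style greeting the way RFC 959 describes, treating "220-" lines as continuations and a "220 " line as the terminator, and then flags wording that suggests a multi-user transfer server ("leechers logged in", "kb leeched", "kb filled"). The sample banner is constructed for illustration; the keyword list is an assumption chosen to match the phrases quoted in the thread.

```python
"""Parse an FTP-style multi-line greeting and triage its wording.

Added example for this thread, not code from the original posts.
RFC 959: a multi-line reply opens with "NNN-" lines and ends with a
line that starts with "NNN " (same code, then a space). Lines inside
a multi-line reply may also omit the code prefix entirely.
"""
import re
from typing import List, NamedTuple, Optional

# Constructed sample of what a rogue file-sharing FTP daemon might send.
SAMPLE_BANNER = (
    "220-Welcome to the private server\r\n"
    "220-3 leechers logged in\r\n"
    "220-1204 kb leeched, 4096 kb filled\r\n"
    "220 Please enter your login.\r\n"
)

# Assumed indicator phrases, taken from the wording quoted in the thread.
TRANSFER_INDICATORS = ("leech", "filled", "logged in", "kb")


class FtpReply(NamedTuple):
    code: int          # three-digit reply code, e.g. 220
    lines: List[str]   # text of each line with the code prefix stripped
    complete: bool     # True once the terminating "NNN " line was seen


_LINE_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_reply(raw: str) -> Optional[FtpReply]:
    """Parse one FTP reply (single- or multi-line).

    Returns None when the first line does not follow the NNN-/NNN<space>
    convention at all, i.e. the banner is not FTP-like.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # drop the empty element after the final newline
    if not lines:
        return None
    first = _LINE_RE.match(lines[0])
    if not first:
        return None
    code = int(first.group(1))
    texts = [first.group(3)]
    if first.group(2) == " ":
        return FtpReply(code, texts, True)  # single-line reply
    for line in lines[1:]:
        m = _LINE_RE.match(line)
        if m and int(m.group(1)) == code:
            texts.append(m.group(3))
            if m.group(2) == " ":
                return FtpReply(code, texts, True)  # terminator reached
        else:
            # RFC 959 allows continuation lines without the code prefix.
            texts.append(line)
    return FtpReply(code, texts, False)  # ran out of data before "NNN "


def triage_banner(raw: str) -> dict:
    """Summarise a captured banner for incident triage."""
    reply = parse_reply(raw)
    if reply is None:
        return {"ftp_like": False, "code": None, "complete": False, "indicators": []}
    text = " ".join(reply.lines).lower()
    found = [kw for kw in TRANSFER_INDICATORS if kw in text]
    return {
        "ftp_like": True,
        "code": reply.code,
        "complete": reply.complete,
        "indicators": found,
    }


if __name__ == "__main__":
    print(triage_banner(SAMPLE_BANNER))
```

A banner that parses but never reaches the "220 " line is reported as incomplete rather than rejected, which matters when a probe timed out before the daemon finished its greeting.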