Re: Think I've got trouble

From: Hugo van der Kooij (hvdkooijat_private)
Date: Wed Jan 09 2002 - 14:17:19 PST

  • Next message: Hugo van der Kooij: "Re: Name that Trojan"

    On 9 Jan 2002, Katherine Ogden wrote:
    
    > Two other exchange servers show these ports open.
    > Port 1042 - Bla
    > Port 1059 - Nimreg
    > 
    > Two questions.  Does anybody know what these
    > are?  And am I right in assuming that these machines 
    > have been compromised and will need to be rebuilt?
    
    Not nescessarily.
    
    exchange binds to rando high ports each time it is rebooted. Can you 
    verify these ports are part of exchange? (Shutdown exchange and the ports 
    should be gone. After a restart you should have other ports listening.)
    
    Fixing port numbers of exchange is described on various locations.
    
    Hugo.
    
    -- 
    All email send to me is bound to the rules described on my homepage.
        hvdkooijat_private		http://hvdkooij.xs4all.nl/
    	    Don't meddle in the affairs of sysadmins,
    	    for they are subtle and quick to anger.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 14:55:44 PST