RE: Think I've got trouble

From: Andrew Blevins (ABlevinsat_private)
Date: Wed Jan 09 2002 - 13:48:23 PST

  • Next message: Nexus: "Re: Think I've got trouble"

    In my unexperienced opinion, I wouldn't rebuild quite yet. Is OWA running on
    a box all by itself?  It's possible that it is conflicting in some way with
    other services on the same box. Also, a scanner like Retina will assign
    exloit/trojan names to open ports it finds on a box whether or not the box
    is truly compromised. I would do some research on OWA exploits on Bugtraq
    and Technet, and take a hard look at the machine for these known exploits
    before abandoning it.
    
    That is, unless it takes less time, and is easier for you to just rebuild!
    Good luck, and listen to the infinitly more experienced people on this list
    before my advice, just my two cents! :-)
    
    Blevins
    
    
    -----Original Message-----
    From: Katherine Ogden [mailto:kogdenat_private]
    Sent: Wednesday, January 09, 2002 9:01 AM
    To: incidentsat_private
    Subject: Think I've got trouble
    
    
    
    
    We began having trouble with our exchange server. 
    For no reason we could pin down the OWA would 
    throw up an error and stop the www service.  Being 
    the slightly paranoid sort I downloaded Retina and ran 
    it against the email server.  It showed the usual things 
    but it also showed
    Port 1058 - Nim
    Port 1090 - Xtreme
    
    Two other exchange servers show these ports open.
    Port 1042 - Bla
    Port 1059 - Nimreg
    
    Two questions.  Does anybody know what these
    are?  And am I right in assuming that these machines 
    have been compromised and will need to be rebuilt?
    
    Thank you for the help.
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 15:10:23 PST