Re: Think I've got trouble

From: Nexus (nexusat_private-way.co.uk)
Date: Wed Jan 09 2002 - 13:57:47 PST

    As they are all > 1024 they _could_ be anything - there was a thread
    recently that dealt with identifying what programs were listening on what
    ports. Some of these are:
    
    Foundstone's FPort
    http://www.foundstone.com/rdlabs/tools.php?category=Forensic
    
    TCPView Pro
    http://www.winternals.com/products/monitoringtools/tcpviewpro.asp
    
    Inzider
    http://www.ntsecurity.nu/toolbox/inzider
    
    The whole thread is at
    http://www.securityfocus.com/cgi-bin/archive.pl?id=75&start=2002-01-06&end=2002-01-12&threads=1&tid=246422
    
    Cheers.
    
    ----- Original Message -----
    From: "Katherine Ogden" <kogdenat_private>
    To: <incidentsat_private>
    Sent: Wednesday, January 09, 2002 5:00 PM
    Subject: Think I've got trouble
    
    
    >
    >
    > We began having trouble with our exchange server.
    > For no reason we could pin down the OWA would
    > throw up an error and stop the www service.  Being
    > the slightly paranoid sort I downloaded Retina and ran
    > it against the email server.  It showed the usual things
    > but it also showed
    > Port 1058 - Nim
    > Port 1090 - Xtreme
    >
    > Two other exchange servers show these ports open.
    > Port 1042 - Bla
    > Port 1059 - Nimreg
    >
    > Two questions.  Does anybody know what these
    > are?  And am I right in assuming that these machines
    > have been compromised and will need to be rebuilt?
    >
    > Thank you for the help.
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 15:14:53 PST
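
The reply above points to tools that tie an open port to the program holding it. As an added example (not part of the original thread), the same correlation can be done from built-in command output: the sketch below assumes a Windows host where `netstat -ano` and `tasklist /fo csv /nh` are available, and the sample output, PIDs, process names and function names are all constructed for illustration.

```python
import csv
import io

# Ports the scanner labelled in the original post.
FLAGGED_PORTS = {1042, 1058, 1059, 1090}

# Constructed sample of `netstat -ano` output (not from the original post).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:1042           0.0.0.0:0              LISTENING       1496
  TCP    0.0.0.0:1058           0.0.0.0:0              LISTENING       1496
  TCP    0.0.0.0:1090           0.0.0.0:0              LISTENING       3320
  UDP    0.0.0.0:1059           *:*                                    988
"""

# Constructed `tasklist /fo csv /nh` output; PID 3320 is absent on purpose.
TASKLIST_SAMPLE = '''\
"inetinfo.exe","1204","Services","0","18,432 K"
"store.exe","1496","Services","0","96,104 K"
"mad.exe","988","Services","0","12,880 K"
'''

def parse_tasklist(text):
    """Return {pid: image name} from CSV-formatted tasklist output."""
    rows = csv.reader(io.StringIO(text))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def parse_netstat(text):
    """Yield (proto, local_port, state, pid) for each TCP/UDP row."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # skip the header and blank lines
        port = int(fields[1].rsplit(":", 1)[1])
        # UDP rows have no State column; the PID is always the last field.
        state = fields[3] if fields[0] == "TCP" else "-"
        yield fields[0], port, state, int(fields[-1])

def owners_of_flagged_ports(netstat_text, tasklist_text, flagged=FLAGGED_PORTS):
    """Map each flagged local port to (proto, state, pid, image or None)."""
    images = parse_tasklist(tasklist_text)
    return {port: (proto, state, pid, images.get(pid))
            for proto, port, state, pid in parse_netstat(netstat_text)
            if port in flagged}

if __name__ == "__main__":
    found = owners_of_flagged_ports(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for port, (proto, state, pid, image) in sorted(found.items()):
        print(f"{proto} {port:<5} {state:<10} pid={pid:<5} "
              f"{image or 'not in process list, investigate'}")
```

A port whose PID has no entry in the process list is the case worth following up first, since the port number alone says nothing about what is bound to it.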