RE: Think I've got trouble

From: Frank Knobbe (FKnobbeat_private)
Date: Wed Jan 09 2002 - 18:18:27 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    > -----Original Message-----
    > From: Katherine Ogden [mailto:kogdenat_private]
    > Sent: Wednesday, January 09, 2002 11:01 AM
    > 
    > We began having trouble with our Exchange server. 
    > For no reason we could pin down, the OWA would 
    > throw up an error and stop the www service.  Being 
    > the slightly paranoid sort, I downloaded Retina and ran 
    > it against the email server.  It showed the usual things 
    > but it also showed
    > Port 1058 - Nim
    > Port 1090 - Xtreme
    > 
    > Two other exchange servers show these ports open.
    > Port 1042 - Bla
    > Port 1059 - Nimreg
    
    Katherine,
    
    As Nexus said, use FPort (or similar) to figure out the service/task
    associated with that port. My guess would be 1042 - dsamain.exe and
    1059 - store.exe (which are the Directory Service and the Information
    Store of Exchange).
    
    However, if FPort shows 1042 - winshell.exe, or any other executable
    an ordinary NT server doesn't have, then yank the box and
    investigate.
    
    Regards,
    Frank
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP Personal Privacy 6.5.8
    Comment: PGP or S/MIME (X.509) encrypted email preferred.
    
    iQA/AwUBPDz58szYtOFvgXQfEQL2XQCfQrL5fFM5RdVMY560RaszC5xRl4oAoPjN
    muuJZfeDiElaa0fLRTsAJIom
    =DwWz
    -----END PGP SIGNATURE-----
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
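The check Frank describes, as an added example that is not part of the original thread: take FPort's port-to-process mapping, ignore the scanner's trojan label for the port number, and judge each listener by the executable that owns it against a baseline of what an Exchange server is expected to run. The sample FPort output below is constructed to resemble FPort's columns (Pid, Process, Port, Proto, Path) and the baseline set is a hypothetical allowlist; verify both against your own tool output and a known-good host before relying on them.

```python
"""Triage listening ports by owning process, not by port number.

Added example (not code from the original mailing-list post). Parses
FPort-style output, labels each listener 'expected' when the owning
process is in a per-host baseline and 'investigate' otherwise, and shows
the scanner's port-number guess beside the real owner for comparison.
"""
import re

# Constructed sample laid out like FPort v2.0 ("Pid Process -> Port Proto Path").
# Assumption: your FPort prints these columns; adjust FPORT_LINE if not.
SAMPLE_FPORT = """\
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.

Pid   Process            Port  Proto Path
8     System         ->  139   TCP
320   inetinfo       ->  25    TCP   C:\\WINNT\\System32\\inetsrv\\inetinfo.exe
320   inetinfo       ->  80    TCP   C:\\WINNT\\System32\\inetsrv\\inetinfo.exe
512   dsamain        ->  1042  TCP   C:\\exchsrvr\\bin\\dsamain.exe
540   store          ->  1059  TCP   C:\\exchsrvr\\bin\\store.exe
1188  winshell       ->  1058  TCP   C:\\WINNT\\System32\\winshell.exe
"""

FPORT_LINE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<process>\S+)\s+->\s+(?P<port>\d+)\s+"
    r"(?P<proto>TCP|UDP)\s*(?P<path>.*?)\s*$"
)

# Port-to-trojan names the scanner in the thread reported. They are only a
# lookup table keyed on port number and say nothing about the real owner.
SCANNER_LABELS = {1042: "Bla", 1058: "Nim", 1059: "Nimreg", 1090: "Xtreme"}

# Hypothetical baseline of process names an Exchange server is expected to
# run (lower-cased, without .exe). Build yours from a known-good host.
EXCHANGE_BASELINE = {
    "system", "svchost", "lsass", "services", "inetinfo",
    "dsamain", "store", "mad", "emsmta", "mta",
}


def parse_fport(text):
    """Return one dict per FPort data line; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = FPORT_LINE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["pid"] = int(row["pid"])
        row["port"] = int(row["port"])
        row["process"] = row["process"].lower()
        rows.append(row)
    return rows


def triage(text, baseline=EXCHANGE_BASELINE):
    """Label each listener by its owning process against the baseline."""
    findings = []
    for row in parse_fport(text):
        verdict = "expected" if row["process"] in baseline else "investigate"
        findings.append({
            "port": row["port"], "proto": row["proto"], "pid": row["pid"],
            "process": row["process"], "path": row["path"],
            "scanner_label": SCANNER_LABELS.get(row["port"]),
            "verdict": verdict,
        })
    return findings


def suspicious_ports(text, baseline=EXCHANGE_BASELINE):
    """Ports whose owner is not in the baseline: the 'yank the box' cases."""
    return sorted(f["port"] for f in triage(text, baseline)
                  if f["verdict"] == "investigate")


if __name__ == "__main__":
    for f in triage(SAMPLE_FPORT):
        guess = f" (scanner says: {f['scanner_label']})" if f["scanner_label"] else ""
        print(f"{f['proto']}/{f['port']:<5} pid {f['pid']:<5} "
              f"{f['process']:<10} {f['verdict']}{guess}")
```

On the constructed sample, ports 1042 and 1059 resolve to dsamain and store and are marked expected despite the scanner's "Bla" and "Nimreg" labels, while 1058 resolves to an executable outside the baseline and is marked investigate; the executable, not the port number, decides.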
    



    This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 21:10:12 PST