Re: Trojans that use LDAP

From: Patrick Patterson (ppattersonat_private)
Date: Tue Jan 15 2002 - 13:11:00 PST

Next message: RainbowHat: "Re: New DNS connection with SYN ACK"

Previous message: Andrew Simmons: "Re: Connection Attempts"
Next in thread: Hugo van der Kooij: "Re: Trojans that use LDAP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----

Gary:

Hmmm interesting:

.ch is Switzerland
c3pki is the common domain name for several US DoD PKI projects....

A PKI Client that is trying to access a PKI at this address would be my guess
at this.... PKI's usually use LDAP to look up certificates and CRL's. I would
check the machine in question and find out if they are running any sort of
PKI software (another option, may be their Outlook or Netscape address book
somehow ended up configured to look at this address...)

Other than that, I would try and get a packet dump, and see if it looks at
all like LDAP Traffic (you should be able to make out cn=....,o=... or some
such in the traffic) - If it is, then this is probably benign, if not, then
worry. ;)

Pat.


On Tuesday 15 January 2002 09:57, Gary Porter wrote:
> Are there any Trojans that communicate using LDAP?  A machine on our
> internal network is trying to connect to
> "email-ds-3.c3pki.ch" on destination Port 389?  That port (blocked by the
> firewall) is ostensibly used for the Lightweight Directory Access Protocol,
> but I know nothing about this service and I've been unsuccessful (using Sam
> Spade) in locating any information about the destination address.  Is this
> the sign of a compromise or something more benign?
>
> Gary R. Porter
> Program Manager, CITS Mobile Training
> MATCOM Corporation
> 757-838-0212 (w)
> 757-897-5830 (m)
> gary.porterat_private
>
>
> ---------------------------------------------------------------------------
>- This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

- --

Patrick Patterson			Tel: (514) 485-0789
Chief Security Architect		Fax: (514) 485-4737
Carillon Information Security Inc.	E-Mail: ppattersonat_private
- -----------------------------------------------------------------------
		The New Sound of Network Security
		     http://www.carillonIS.com


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
MessageID: Ch4IurVk1LEnKmao2RC8itGLpr7kiRan

iQCVAwUBPESa6bqc3sMKNyclAQEGIgQAi6s9ThiHth2yLemgPBlu+ZbM4Ku9Ecr1
uWFZrweZXzBe5pay4V0gKM/VFPZoD5I35DcxRCCq0g1w5ZBAXzseGdYb6bzbnVhU
6JpGJ97GMhBm+tUyc24qIZEImfZnlyzi524Xc0klxv830WuLVVM6VQwgCA1JCVTz
HT0WVes7+/0=
=r7k7
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: RainbowHat: "Re: New DNS connection with SYN ACK"
Previous message: Andrew Simmons: "Re: Connection Attempts"
Next in thread: Hugo van der Kooij: "Re: Trojans that use LDAP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jan 15 2002 - 13:59:06 PST