Re: Trojans that use LDAP

From: Patrick Patterson (ppattersonat_private)
Date: Tue Jan 15 2002 - 13:11:00 PST


    Gary:
    
    Hmmm interesting:
    
    .ch is Switzerland
    c3pki is the common domain name for several US DoD PKI projects....
    
    A PKI client that is trying to access a PKI at this address would be my guess
    at this.... PKIs usually use LDAP to look up certificates and CRLs. I would
    check the machine in question and find out if they are running any sort of
    PKI software (another option: maybe their Outlook or Netscape address book
    somehow ended up configured to look at this address...)
    
    Other than that, I would try and get a packet dump, and see if it looks at
    all like LDAP traffic (you should be able to make out cn=....,o=... or some
    such in the traffic) - if it is, then this is probably benign; if not, then
    worry. ;)
    
    Pat.
    
    
    On Tuesday 15 January 2002 09:57, Gary Porter wrote:
    > Are there any Trojans that communicate using LDAP?  A machine on our
    > internal network is trying to connect to
    > "email-ds-3.c3pki.ch" on destination Port 389?  That port (blocked by the
    > firewall) is ostensibly used for the Lightweight Directory Access Protocol,
    > but I know nothing about this service and I've been unsuccessful (using Sam
    > Spade) in locating any information about the destination address.  Is this
    > the sign of a compromise or something more benign?
    >
    > Gary R. Porter
    > Program Manager, CITS Mobile Training
    > MATCOM Corporation
    > 757-838-0212 (w)
    > 757-897-5830 (m)
    > gary.porterat_private
    >
    >
    > ---------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
    --

    Patrick Patterson			Tel: (514) 485-0789
    Chief Security Architect		Fax: (514) 485-4737
    Carillon Information Security Inc.	E-Mail: ppattersonat_private
    -----------------------------------------------------------------------
    		The New Sound of Network Security
    		     http://www.carillonIS.com
    
    
    
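The check Pat suggests (does the port 389 traffic actually carry LDAP, with a cn=...,o=... in it?) can be made mechanical. The following is an added example, not part of the original thread: a minimal BER parser that decides whether a captured TCP payload is shaped like an LDAPMessage and, for bind and search requests, extracts the DN. The sample payloads and the DN cn=example,o=test are constructed for the example.

```python
# BER APPLICATION-class tags of the LDAP protocolOps recognised here
LDAP_OPS = {0x60: "bindRequest", 0x61: "bindResponse", 0x42: "unbindRequest",
            0x63: "searchRequest", 0x64: "searchResEntry", 0x65: "searchResDone",
            0x77: "extendedRequest"}

def _read_tlv(buf, i):
    """Decode one BER TLV at buf[i]; return (tag, value bytes, index after it)."""
    tag, first = buf[i], buf[i + 1]
    if first < 0x80:                       # short-form length
        length, j = first, i + 2
    else:                                  # long-form length, 1..4 length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or i + 2 + n > len(buf):
            raise ValueError("unsupported BER length")
        length, j = int.from_bytes(buf[i + 2:i + 2 + n], "big"), i + 2 + n
    if j + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[j:j + length], j + length

def classify_ldap(payload):
    """Return {'messageID', 'op', plus 'dn' for bind/search requests}, or None when
    payload is not shaped like LDAPMessage ::= SEQUENCE { INTEGER, protocolOp }."""
    try:
        tag, body, _ = _read_tlv(payload, 0)
        mtag, mid, k = _read_tlv(body, 0)
        optag, opbody, _ = _read_tlv(body, k)
        if tag != 0x30 or mtag != 0x02 or optag not in LDAP_OPS:
            return None
        info = {"messageID": int.from_bytes(mid, "big"), "op": LDAP_OPS[optag]}
        if info["op"] == "searchRequest":           # baseObject LDAPDN is the first field
            dtag, dn, _ = _read_tlv(opbody, 0)
        elif info["op"] == "bindRequest":           # version INTEGER precedes name LDAPDN
            dtag, dn, _ = _read_tlv(opbody, _read_tlv(opbody, 0)[2])
        else:
            return info
        if dtag == 0x04:                             # OCTET STRING holding the DN
            info["dn"] = dn.decode("utf-8", "replace")
        return info
    except (ValueError, IndexError):
        return None

# Constructed sample: searchRequest (messageID 1) for base "cn=example,o=test", a made-up
# DN, wholeSubtree scope, filter (objectClass=*), no attributes requested.
SAMPLE_LDAP = (b"\x30\x36\x02\x01\x01"                                  # LDAPMessage, messageID
    + b"\x63\x31\x04\x11cn=example,o=test"                             # searchRequest, baseObject
    + b"\x0a\x01\x02\x0a\x01\x00\x02\x01\x00\x02\x01\x00\x01\x01\x00"   # scope, deref, limits, typesOnly
    + b"\x87\x0bobjectClass\x30\x00")                                   # present filter, attributes
SAMPLE_NOT_LDAP = b"GET / HTTP/1.0\r\n\r\n"   # constructed: something else using port 389
```

Run `classify_ldap` over the first payload bytes of each port 389 flow in the capture: a stream of None results means the traffic is not LDAP at all, which is the case Pat says to worry about.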