Re: Trojans that use LDAP

From: Hugo van der Kooij (hvdkooijat_private)
Date: Tue Jan 15 2002 - 15:30:14 PST


    On Tue, 15 Jan 2002, Gary Porter wrote:
    
    > Are there any Trojans that communicate using LDAP?  A machine on our
    > internal network is trying to connect to
    > "email-ds-3.c3pki.ch" on destination port 389.  That port (blocked by the
    > firewall) is ostensibly used for the Lightweight Directory Access Protocol,
    > but I know nothing about this service and I've been unsuccessful (using Sam
    > Spade) in locating any information about the destination address.  Is this
    > the sign of a compromise or something more benign?
    
    Given the host name "email-ds-3.c3pki.ch" containing the three magic
    letters PKI, and the LDAP attempts, this might very well be a server with an
    address book in the LDAP database.
    
    Hugo.
    
    -- 
    All email sent to me is bound to the rules described on my homepage.
        hvdkooijat_private		http://hvdkooij.xs4all.nl/
    	    Don't meddle in the affairs of sysadmins,
    	    for they are subtle and quick to anger.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    