On Tue, 15 Jan 2002, Gary Porter wrote:
> Are there any Trojans that communicate using LDAP? A machine on our
> internal network is trying to connect to
> "email-ds-3.c3pki.ch" on destination Port 389? That port (blocked by the
> firewall) is ostensibly used for the Lightweight Directory Access Protocol,
> but I know nothing about this service and I've been unsuccessful (using Sam
> Spade) in locating any information about the destination address. Is this
> the sign of a compromise or something more benign?
Given the host name "email-ds-3.c3pki.ch" containing the three magic
letters PKI and the LDAP attempts this might very well be a server with an
addressbook in the LDAP database.
Hugo.
--
All email send to me is bound to the rules described on my homepage.
hvdkooijat_private http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins,
for they are subtle and quick to anger.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jan 16 2002 - 08:58:55 PST