On Tue, 15 Jan 2002, Gary Porter wrote:

> Are there any Trojans that communicate using LDAP? A machine on our
> internal network is trying to connect to
> "email-ds-3.c3pki.ch" on destination Port 389? That port (blocked by the
> firewall) is ostensibly used for the Lightweight Directory Access Protocol,
> but I know nothing about this service and I've been unsuccessful (using Sam
> Spade) in locating any information about the destination address. Is this
> the sign of a compromise or something more benign?

Given the host name "email-ds-3.c3pki.ch" containing the three magic letters PKI and the LDAP attempts, this might very well be a server with an address book in the LDAP database.

Hugo.

--
All email sent to me is bound to the rules described on my homepage.
hvdkooijat_private http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins, for they are subtle and quick to anger.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jan 16 2002 - 08:58:55 PST