RE: DDoS to microsoft sites

From: H C (keydet89at_private)
Date: Wed Jan 30 2002 - 11:44:22 PST

    Matt,
    
    > >      7  Echo
    > >      9  Discard
    
    [list of ports truncated]
    
    > > The client claims that they are not running Appletalk (548) but I'm not
    > > sure whether to believe. We haven't been able to get console access to
    > > that machine to do any further investigation (but have blocked it
    > > upstream). Of the above services, most look legit from what I can tell
    > > with the exception of 548 and 1025-1027
    > 
    > Most probably your client has been rooted. 
    
    Based on a list of open ports derived from a port
    scan, how can you say that?
    
    
    Until some very basic information is collected from
    the system...which the client can do
    themselves...using fport, pslist, psservice, listdlls,
    etc...there's really no way to tell what's going on. 
    
    Given that trojans are configurable, and also given
    that some trojans use known ports, using lists of
    trojans and a port scan isn't a very conclusive means
    of investigating.
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 14:01:25 PST
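
A present-day PowerShell equivalent of the fport / pslist / psservice collection step the message describes, as an added example that is not part of the original post: it resolves each listening TCP port to its owning process, binary path and hosted services. It assumes an elevated session on Windows 8 / Server 2012 or later and uses built-in cmdlets rather than the tools named in the message.

```powershell
# Added example (not from the original post).
# Run elevated on the host in question; a non-elevated session cannot read
# the executable path of processes owned by other accounts.

# PID -> process record (name, executable path, command line).
$procs = @{}
Get-CimInstance Win32_Process | ForEach-Object { $procs["$($_.ProcessId)"] = $_ }

# PID -> names of the services hosted in that process
# (several services can share one svchost.exe).
$svcs = @{}
Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object ProcessId |
    ForEach-Object { $svcs[$_.Name] = $_.Group.Name }

# One row per listening TCP socket, joined to its owning process.
$report = Get-NetTCPConnection -State Listen | ForEach-Object {
    $id   = "$($_.OwningProcess)"
    $p    = $procs[$id]
    $path = if ($p) { $p.ExecutablePath }
    [pscustomobject]@{
        LocalAddress = $_.LocalAddress
        Port         = $_.LocalPort
        ProcessId    = $_.OwningProcess
        Process      = if ($p) { $p.Name } else { '<exited or inaccessible>' }
        Path         = $path
        Signature    = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        Services     = $svcs[$id] -join ','
    }
}

# The port number alone says little; the binary and service behind it are
# what an investigator reviews. Get-NetUDPEndpoint gives the same
# OwningProcess field for UDP listeners.
$report | Sort-Object Port, LocalAddress | Format-Table -AutoSize
```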