Matt, > > 7 Echo > > 9 Discard [list of ports truncated] > > The client claims that they are not running > Appletalk (548) but I'm not > sure > > whether to believe. We haven't been able to get > console access to that > > machine to do any further investigation (but have > blocked it upstream). Of > > the above services, most look legit from what I > can tell with the > exception > > of 548 and 1025-1027 > > Most probably your client has been rooted. Based on a list of open ports derived from a port scan, how can you say that? Until some very basic information is collected from the system...which the client can do themselves...using fport, pslist, psservice, listdlls, etc...there's really no way to tell what's going on. Given that trojans are configureable, and also given that some trojans use known ports, using lists of trojans and a port scan isn't a very conclusive means of investigating. __________________________________________________ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 14:01:25 PST