Re: Compromised Win2000 machine.

From: Mark Newby (markat_private)
Date: Wed May 29 2002 - 13:38:00 PDT


    H C wrote:
    > [...]
    > Danny took the typical action seen of most
    > admins...port scanning the system from the outside,
    > and comparing the open ports to lists of known trojans
    > and services.  This is inconclusive at best, and leads
    > to a lot of speculation and time-wasting.  Better to
    > run fport on the system (if NT/2K...if the system is
    > XP, run netstat w/ the '-o' switch) instead, to see
    > the process to port mapping.
    > [...]
    
    ...but I thought the advice for a (possibly) compromised box was *not* 
    to run executable programs that resided on that host, as they can't be 
    trusted?
    
    
    mark
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    


