Re: Compromised Win2000 machine.

From: Mark Newby (markat_private)
Date: Wed May 29 2002 - 13:38:00 PDT

    H C wrote:
    > [...]
    > Danny took the typical action seen of most
    > admins...port scanning the system from the outside,
    > and comparing the open ports to lists of known trojans
    > and services.  This is inconclusive at best, and leads
    > to a lot of speculation and time-wasting.  Better to
    > run fport on the system (if NT/2K...if the system is
    > XP, run netstat w/ the '-o' switch) instead, to see
    > the process to port mapping.
    > [...]
    ...but I thought the advice for a (possibly) compromised box was *not* 
    to run executable programs that resided on that host, as they can't be 

    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Wed May 29 2002 - 14:35:38 PDT
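
Added example (not part of the original thread): one way to combine the two views discussed above is to parse the host's own `netstat -ano` output on a separate analysis machine and cross-check it against a port scan taken from outside. The sample output, the scan result and the function names are constructed for illustration.

```python
import re

# Constructed sample of `netstat -ano` output captured from the suspect host.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       1432
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:1061          10.0.0.9:80            ESTABLISHED     1210
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed result of a TCP scan run from a separate, trusted machine.
EXTERNAL_OPEN_TCP = {135, 139, 445, 6667, 31337}

# Proto, local address:port, foreign address, optional state (absent for UDP), PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_0-9]+)\s+)?(\d+)\s*$")

def listeners(netstat_text):
    """Return {tcp_port: pid} for every LISTENING TCP row."""
    result = {}
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and m.group(1) == "TCP" and m.group(5) == "LISTENING":
            result[int(m.group(3))] = int(m.group(6))
    return result

def cross_view(netstat_text, external_open):
    """Attribute externally visible ports to PIDs and list the ones the host omits."""
    local = listeners(netstat_text)
    attributed = {p: local[p] for p in sorted(external_open) if p in local}
    # A port reachable from outside that the host does not report means the
    # on-host output cannot be taken at face value (or a device in between answers).
    hidden = sorted(p for p in external_open if p not in local)
    return attributed, hidden

if __name__ == "__main__":
    attributed, hidden = cross_view(NETSTAT_SAMPLE, EXTERNAL_OPEN_TCP)
    for port, pid in attributed.items():
        print(f"tcp/{port} -> PID {pid}")
    for port in hidden:
        print(f"tcp/{port} open from outside but not reported by the host")
```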