Re: (AUSCERT#c42e2) Re: odd traffic on port 80 from win 98 system -Frethem.K

From: H C (keydet89at_private)
Date: Tue Aug 06 2002 - 05:32:54 PDT


Thanks for the follow-up on the issue...such a thing
is extremely rare, particularly in the Incidents list.
Also, the detail of the follow-up is very helpful to
folks who simply lurk on the list...

> My guess is that these machines are previously
> compromised systems and that this could be a way of
> distributing updates or backdoors through
> the network, or am I just being paranoid?

Well, I'd say that unless you have some evidence to
back it up, it's an assumption that may bite you in
the arse later.  The thing is, an investigator should
never approach a system with preconceived
notions...having a theory is something different, but
having a preconceived notion means that you're not
necessarily going to look for...you're going to
look for data that supports your assumption.
Now, if you do have information that supports your
assumption about the machines being previously
compromised...that's great.  Otherwise, you're likely
to get yourself into trouble being paranoid.
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:

This archive was generated by hypermail 2b30 : Tue Aug 06 2002 - 09:14:22 PDT