RE: Port 1975 rogue service

From: Stacy Olivas (olivasat_private)
Date: Sun Nov 03 2002 - 09:18:37 PST


    Speaking of such compromises, here's an interesting article on another
    example of one:
    http://www.mynetwatchman.com/kb/security/articles/winforensics/index.htm
    
    Sorry, might be slightly O/T, but it is interesting.
    
    Enjoy!
    
    -Stacy
    
    -----Original Message-----
    From: Steven M. Christey [mailto:coleyat_private] 
    Sent: Sunday, November 03, 2002 12:42 AM
    To: incidentsat_private
    Subject: Re: Port 1975 rogue service
    
    
    Just in case some list readers are wondering *why* this looks like an
    FTP server, it's because of the "220-" lines, where 220 is a standard
    status code.  FTP banners typically have multiple "220-" lines, and
    the final banner line is a "220 " (the "-" is used to say "more lines
    are coming.")
    
    Even without knowing this signature of the FTP protocol, the banner
    messages suggest a multi-user server ("leechers logged in") which is
    used for data transfer ("kb leeched" and "kb filled").
    
    - Steve
    
    P.S.  To oversimplify, this is the sort of protocol-level knowledge
    that might be expected of people with lower-level GIAC certifications
    rather than broad-based CISSP certifications.
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
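As an added example (not from this post or the list), here is a small parser for the RFC 959 multi-line reply convention Steve describes: a reply opening with "220-" continues until a line beginning with "220 " (a space). The banner below is constructed in the style of the one under discussion; the function names are my own.

```python
# Added example (not from the list post): parse an RFC 959 multi-line FTP
# reply such as the "220-" banner discussed above. SAMPLE_BANNER is constructed.
from typing import List, Optional, Tuple

SAMPLE_BANNER = (
    "220-Welcome to the server\r\n"
    "220-3 leechers logged in\r\n"
    "220-1234 kb leeched, 5678 kb filled\r\n"
    "220 Ready.\r\n"
)


def parse_ftp_reply(data: str) -> Optional[Tuple[int, List[str]]]:
    """Return (code, text_lines) for one complete FTP reply, or None if the
    reply is incomplete or does not start with a 3-digit code.

    RFC 959: a reply that opens with "xyz-" continues until a line that
    begins with the same "xyz" followed by a space. Intermediate lines may
    begin with anything (they need not repeat the code), so only the
    terminator line is checked for the code."""
    lines = data.split("\r\n")
    if lines and lines[-1] == "":
        lines.pop()  # trailing CRLF leaves an empty element
    if not lines:
        return None
    first = lines[0]
    if len(first) < 4 or not first[:3].isdigit() or first[3] not in "- ":
        return None
    code = int(first[:3])
    if first[3] == " ":          # single-line reply, e.g. "220 Ready."
        return code, [first[4:]]
    text = [first[4:]]
    for line in lines[1:]:
        if line.startswith(f"{code} "):   # terminator: "xyz " (space)
            text.append(line[4:])
            return code, text
        # continuation line; strip the optional repeated "xyz-" prefix
        text.append(line[4:] if line.startswith(f"{code}-") else line)
    return None                  # ran out of data before the terminator


def looks_like_ftp_banner(data: str) -> bool:
    """True when the capture parses as a complete 220 service-ready reply."""
    parsed = parse_ftp_reply(data)
    return parsed is not None and parsed[0] == 220


if __name__ == "__main__":
    print(parse_ftp_reply(SAMPLE_BANNER))
```

A partial capture (no terminating "220 " line) returns None rather than a truncated banner, which is the case to watch for when a probe disconnects early.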
    



    This archive was generated by hypermail 2b30 : Mon Nov 04 2002 - 08:35:30 PST