Home page logo
/

basics logo Security Basics mailing list archives

re: Windows 2000 Server Attacks
From: H C <keydet89 () yahoo com>
Date: Fri, 21 Feb 2003 08:28:50 -0800 (PST)

Paul,

The filename of the software that is responsible we
believe to be msudb32.exe

how did you come to this conclusion?  Did you run
fport to determine that this is the file/process using
port 24?  

What other services do you have running?  HTTP?  FTP? 
How about your EventLogs?  Do they show any unusual
login attempts, or successful logins?

Have you run tools such as listdlls and handle to
determine the user context of the process and the full
path to the file, respectively?

If you like, feel free to archive a copy of the file
in question and send it to me.

Software seems to get installed that is trying to
make
outbound connections via port 24. 

More appropriately, one would think that software
"seems to have been installed", based on your
description.  Is this the file you referred to?  If
so, how did you determine this to be the case?

We are seeing a whack of attempts to connect on
various ports ranging between 20000 and 50000.

What does this mean?  Are you being scanned?  Does
"whack" mean that they are SYN packets that are not
being responded to?

Drop me a line if you'd like a hand w/ this...



__________________________________________________
Do you Yahoo!?
Yahoo! Tax Center - forms, calculators, tips, more
http://taxes.yahoo.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault