|
Security Incidents
mailing list archives
Re: (AUSCERT#c42e2) Re: odd traffic on port 80 from win 98 system -Frethem.K
From: H C <keydet89 () yahoo com>
Date: Tue, 6 Aug 2002 05:32:54 -0700 (PDT)
Russ,
Thanks for the follow-up on the issue...such a thing
is extremely rare, particularly in the Incidents list.
Also, the detail of the follow-up is very helpful to
folks who simply lurk on the list...
My guess is that these machines are previously
compromised systems and that this could be a way of
distributing updates or backdoors through
the network, or am I just being paranoid?
Well, I'd say that unless you have some evidence to
back it up, it's an assumption that may bite you in
the arse later. The thing is, an investigator should
never approach a system with preconceived
notions...having a theory is something different, but
having a preconceived notion means that you're not
necessarily going to look for data...you're going to
look for data that supports your assumption.
Now, if you do have information that supports your
assumption about the machines being previously
compromised...that's great. Otherwise, you're likely
to get yourself into trouble being paranoid.
__________________________________________________
Do You Yahoo!?
Yahoo! Health - Feel better, live better
http://health.yahoo.com
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
 By Date 
By Thread
Current thread:
- Re: (AUSCERT#c42e2) Re: odd traffic on port 80 from win 98 system -Frethem.K H C (Aug 06)
|
Intro
