Security Incidents: Re: Compromized Windows NT machine?

[dbroggy () manageworx com]

Is this an Exchange Server? I don't recall the port numbers but I 
know they were all UDP and an expensive call to Microsoft came 
back as 'this is normal'. In my case they came from the MTA and 
there is no adjustment.

----- Original Message -----
From: GabyHornik () lotus iot dtag de
Date: Friday, July 26, 2002 4:08 am
Subject: Compromized Windows NT machine?

> Hello!
>
> Recently while looking over some firewall logs I encountered some 
> strangetraffic from a WinNT machine.
> Every 90 minutes it tries to connect to a bulk of machines to port 
> 4665(normally eDonkey clients).
> That alone isn't strange at all, but there's coming a bulk of 
> other ports
> with it, in detail
> udp/smtp
> udp/8004
> udp/8665
> udp/7665
> udp/4765
> udp/84
> udp/2004
> udp/6890
> udp/28014
> udp/6670
>
> udp/smtp is coming nearly every minute, the rest every 90 
minutes.
> Has anybody seen this before or can anybody identify this as a 
trojan?
> Thanks, Gaby
>
>
> -------------------------------------------------------------------
> ---------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com