Security Incidents mailing list archives

Re: Trojans that use LDAP


From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Wed, 16 Jan 2002 00:30:14 +0100 (CET)

On Tue, 15 Jan 2002, Gary Porter wrote:

> Are there any Trojans that communicate using LDAP?  A machine on our
> internal network is trying to connect to
> "email-ds-3.c3pki.ch" on destination Port 389?  That port (blocked by the
> firewall) is ostensibly used for the Lightweight Directory Access Protocol,
> but I know nothing about this service and I've been unsuccessful (using Sam
> Spade) in locating any information about the destination address.  Is this
> the sign of a compromise or something more benign?

Given the host name "email-ds-3.c3pki.ch" containing the three magic 
letters PKI, and the LDAP attempts, this might very well be a server with an 
address book in the LDAP database.

Hugo.

-- 
All email sent to me is bound to the rules described on my homepage.
    hvdkooij () vanderkooij org         http://hvdkooij.xs4all.nl/
            Don't meddle in the affairs of sysadmins,
            for they are subtle and quick to anger.
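As an added example, not code from the original thread: a small Python triage helper that parses constructed firewall deny lines of the kind Gary describes and applies Hugo's heuristic (LDAP or LDAPS destination port plus directory/PKI naming in the destination hostname) to separate probable address-book or certificate lookups from LDAP traffic that still needs verification. The log format, the internal addresses and every hostname other than email-ds-3.c3pki.ch are assumptions.

```python
import re

# Constructed firewall deny lines in an assumed format (not the poster's real logs).
SAMPLE_LOG = """\
2002-01-15 10:12:01 DENY TCP 10.0.3.17:1044 -> 192.0.2.10:389 (email-ds-3.c3pki.ch)
2002-01-15 10:12:03 DENY TCP 10.0.3.17:1045 -> 192.0.2.10:389 (email-ds-3.c3pki.ch)
2002-01-15 10:13:10 DENY TCP 10.0.3.22:1100 -> 198.51.100.8:6667 (irc.example.net)
2002-01-15 10:14:55 DENY TCP 10.0.3.17:1046 -> 203.0.113.5:636 (ldap.example.org)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DENY (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) \((?P<host>[^)]*)\)$"
)
DIRECTORY_PORTS = {389: "ldap", 636: "ldaps"}  # cleartext LDAP and LDAP over TLS


def hostname_hints(host):
    """Return naming hints suggesting a directory or PKI server, in a fixed order."""
    host = host.lower()
    labels = set(re.split(r"[.-]", host))
    found = [h for h in ("pki", "ldap", "directory") if h in host]
    if "ds" in labels:  # "ds" is a common label for a directory server
        found.append("ds")
    return found


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unrecognised line: skip rather than guess
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def classify(event):
    service = DIRECTORY_PORTS.get(event["dport"])
    if service is None:
        return "other"  # not a directory port; handle under a different rule
    return "directory-likely" if hostname_hints(event["host"]) else "directory-unverified"


def triage(log_text):
    """Group deny events by (source, destination host, port) with a verdict and count."""
    summary = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["host"], ev["dport"])
        entry = summary.setdefault(key, {
            "count": 0, "service": DIRECTORY_PORTS.get(ev["dport"]),
            "hints": hostname_hints(ev["host"]), "verdict": classify(ev)})
        entry["count"] += 1
    return summary
```

A "directory-likely" verdict only says the destination looks like a directory server; confirming that a mail client or PKI component on the source host is the process making the connection is still the deciding step.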


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
