Security Incidents mailing list archives

Re: Compromised Win2000 machine.


From: H C <keydet89 () yahoo com>
Date: Wed, 29 May 2002 13:37:47 -0700 (PDT)

Mark,

Since fport.exe isn't native to any MS system, you'd
have to get it from the 'net someplace.  The thing to
do (and I do this in the IR course I teach) would be
to burn your tools to a CD.  If you can't do that,
then you can put them on a diskette and write-protect
it.

HTH.


--- Mark Newby <mark () dranton com> wrote:
> H C wrote:
> > [...]
> > Danny took the typical action seen of most admins...port scanning
> > the system from the outside, and comparing the open ports to lists
> > of known trojans and services.  This is inconclusive at best, and
> > leads to a lot of speculation and time-wasting.  Better to run
> > fport on the system (if NT/2K...if the system is XP, run netstat
> > w/ the '-o' switch) instead, to see the process to port mapping.
> > [...]
>
> ...but I thought the advice for a (possibly) compromised box was
> *not* to run executable programs that resided on that host, as they
> can't be trusted?
>
> mark
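
The process-to-port mapping discussed in this thread, as an added example that is not part of the original messages: Python that parses saved `netstat -ano` output and reports which PID owns each listening port, plus the established sessions an outside port scan does not show. The sample output, PIDs, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the layout Windows prints for `netstat -ano`.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4000           0.0.0.0:0              LISTENING       1520
  TCP    192.168.1.10:1042      10.0.0.5:80            ESTABLISHED     1520
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:1434           *:*                                    1520
"""

def parse_netstat(text):
    """Yield (proto, local_port, remote, state, pid) per socket line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            proto, local, remote, state, pid = f
        elif len(f) == 4 and f[0] == "UDP":  # UDP rows have no State column
            proto, local, remote, pid = f
            state = ""
        else:
            continue  # banner, header, blank or truncated line
        if not pid.isdigit():
            continue
        yield proto, int(local.rsplit(":", 1)[1]), remote, state, int(pid)

def listeners_by_pid(text):
    """PID -> sorted (proto, port) pairs that accept inbound traffic."""
    found = defaultdict(set)
    for proto, port, _remote, state, pid in parse_netstat(text):
        if proto == "UDP" or state == "LISTENING":
            found[pid].add((proto, port))
    return {pid: sorted(pairs) for pid, pairs in found.items()}

def established(text):
    """(pid, local_port, remote) for live TCP sessions; an outside port
    scan cannot see these, the local mapping can."""
    return [(pid, port, remote)
            for proto, port, remote, state, pid in parse_netstat(text)
            if state == "ESTABLISHED"]

if __name__ == "__main__":
    for pid, pairs in sorted(listeners_by_pid(SAMPLE).items()):
        print(pid, pairs)
    print(established(SAMPLE))
```

Feed it output captured by a netstat binary run from the write-protected media, since a binary on the suspect host may not report every row.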



