Security Basics mailing list archives
re: Windows 2000 Server Attacks
From: H C <keydet89 () yahoo com>
Date: Fri, 21 Feb 2003 08:28:50 -0800 (PST)
Paul,
> The filename of the software that is responsible we believe to be msudb32.exe
How did you come to this conclusion? Did you run fport to determine that this is the file/process using port 24? What other services do you have running? HTTP? FTP? How about your EventLogs? Do they show any unusual login attempts, or successful logins? Have you run tools such as listdlls and handle to determine the user context of the process and the full path to the file, respectively? If you like, feel free to archive a copy of the file in question and send it to me.
> Software seems to get installed that is trying to make outbound connections via port 24.
More appropriately, one would think that software "seems to have been installed", based on your description. Is this the file you referred to? If so, how did you determine this to be the case?
> We are seeing a whack of attempts to connect on various ports ranging between 20000 and 50000.
What does this mean? Are you being scanned? Does "whack" mean that they are SYN packets that are not being responded to? Drop me a line if you'd like a hand w/ this...
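The port-to-process check asked about in the reply above can be scripted over saved fport output. This is an added example, not part of the original post: the sample rows are constructed, the path shown for msudb32.exe is a placeholder (the thread never gives it), and the baseline set and function names are assumptions.

```python
import re

# Constructed sample in the column layout fport prints:
# Pid, Process, "->", Port, Proto, Path. The msudb32 path is a placeholder.
SAMPLE_FPORT = r"""
Pid   Process            Port  Proto Path
8     System         ->  139   TCP
420   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
884   inetinfo       ->  80    TCP   C:\WINNT\system32\inetsrv\inetinfo.exe
1312  msudb32        ->  24    TCP   C:\PLACEHOLDER\msudb32.exe
1312  msudb32        ->  3072  TCP   C:\PLACEHOLDER\msudb32.exe
"""

# The path column can be empty (the System row), so it is optional.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")

def parse_fport(text):
    """Turn fport-style rows into dicts; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            pid, name, port, proto, path = m.groups()
            rows.append({"pid": int(pid), "process": name, "port": int(port),
                         "proto": proto, "path": path.strip()})
    return rows

def triage(rows, watch_ports, baseline):
    """Flag rows on a watched port or owned by a process outside the baseline."""
    findings = []
    for r in rows:
        reasons = []
        if r["port"] in watch_ports:
            reasons.append("watched port")
        if r["process"].lower() not in baseline:
            reasons.append("process not in baseline")
        if reasons:
            findings.append((r["pid"], r["process"], r["port"], r["path"], reasons))
    return findings

def pids_to_inspect(findings):
    """PIDs to look at next with listdlls and handle, de-duplicated."""
    return sorted({f[0] for f in findings})

if __name__ == "__main__":
    # Assumed baseline: process names expected on this particular server.
    hits = triage(parse_fport(SAMPLE_FPORT), {24}, {"system", "svchost", "inetinfo"})
    for hit in hits:
        print(hit)
    print("inspect PIDs:", pids_to_inspect(hits))
```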