Security Basics mailing list archives

re: Windows 2000 Server Attacks


From: H C <keydet89 () yahoo com>
Date: Fri, 21 Feb 2003 08:28:50 -0800 (PST)

Paul,

> The filename of the software that is responsible we
> believe to be msudb32.exe

How did you come to this conclusion?  Did you run
fport to determine that this is the file/process using
port 24?

What other services do you have running?  HTTP?  FTP? 
How about your EventLogs?  Do they show any unusual
login attempts, or successful logins?

Have you run tools such as listdlls and handle to
determine the user context of the process and the full
path to the file, respectively?

If you like, feel free to archive a copy of the file
in question and send it to me.

> Software seems to get installed that is trying to make
> outbound connections via port 24.

More appropriately, one would think that software
"seems to have been installed", based on your
description.  Is this the file you referred to?  If
so, how did you determine this to be the case?

> We are seeing a whack of attempts to connect on
> various ports ranging between 20000 and 50000.

What does this mean?  Are you being scanned?  Does
"whack" mean that they are SYN packets that are not
being responded to?

Drop me a line if you'd like a hand w/ this...
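
The checks asked about in this message (which process owns the port 24 connections, its full path and user context, and recent logon events), written for a current Windows system as an added example that is not part of the original post. It assumes Windows 8 / Server 2012 or later with an elevated PowerShell prompt rather than the fport, listdlls and handle utilities named above; `Get-PortOwner` is a hypothetical helper name.

```powershell
# Added example: triage of outbound connections to a suspect remote port.
# Assumption: Windows 8 / Server 2012 or later, elevated PowerShell session.
$SuspectPort = 24   # remote port reported in the thread

function Get-PortOwner {   # hypothetical helper name
    param([int]$RemotePort)

    Get-NetTCPConnection -RemotePort $RemotePort -ErrorAction SilentlyContinue |
        ForEach-Object {
            $conn = $_
            $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($conn.OwningProcess)"
            if (-not $proc) { return }   # process exited between the two queries

            # User context of the owning process
            $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
            # Full path to the image on disk (null when access is denied)
            $path  = $proc.ExecutablePath
            # Hash identifies the file without having to open or execute it
            $hash  = if ($path -and (Test-Path -LiteralPath $path)) {
                (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }

            [pscustomobject]@{
                RemoteAddress = $conn.RemoteAddress
                RemotePort    = $conn.RemotePort
                State         = $conn.State
                ProcessId     = $conn.OwningProcess
                ParentPid     = $proc.ParentProcessId
                User          = if ($owner.User) { "$($owner.Domain)\$($owner.User)" }
                Path          = $path
                CommandLine   = $proc.CommandLine
                SHA256        = $hash
            }
        }
}

Get-PortOwner -RemotePort $SuspectPort | Format-List

# Logon activity for the last 7 days: 4624 = successful logon, 4625 = failed logon
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Group-Object Id |
    Select-Object @{n='EventId';e={$_.Name}}, Count
```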




