Security Incidents mailing list archives
Re: Trojans that use LDAP
From: Patrick Patterson <ppatterson () carillonis com>
Date: Tue, 15 Jan 2002 16:11:00 -0500
Gary:

Hmmm interesting: .ch is Switzerland; c3pki is the common domain name for several US DoD PKI projects.... A PKI client that is trying to access a PKI at this address would be my guess at this.... PKIs usually use LDAP to look up certificates and CRLs.

I would check the machine in question and find out if they are running any sort of PKI software (another option: maybe their Outlook or Netscape address book somehow ended up configured to look at this address...).

Other than that, I would try and get a packet dump, and see if it looks at all like LDAP traffic (you should be able to make out cn=....,o=... or some such in the traffic) - if it is, then this is probably benign; if not, then worry. ;)

Pat.

On Tuesday 15 January 2002 09:57, Gary Porter wrote:
> Are there any Trojans that communicate using LDAP? A machine on our internal network is trying to connect to "email-ds-3.c3pki.ch" on destination port 389. That port (blocked by the firewall) is ostensibly used for the Lightweight Directory Access Protocol, but I know nothing about this service and I've been unsuccessful (using Sam Spade) in locating any information about the destination address. Is this the sign of a compromise or something more benign?
>
> Gary R. Porter
> Program Manager, CITS Mobile Training
> MATCOM Corporation
> 757-838-0212 (w)
> 757-897-5830 (m)
> gary.porter () matcomcorp com
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
--
Patrick Patterson                     Tel: (514) 485-0789
Chief Security Architect              Fax: (514) 485-4737
Carillon Information Security Inc.    E-Mail: ppatterson () carillonIS com
-----------------------------------------------------------------------
The New Sound of Network Security
http://www.carillonIS.com
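Following the advice above to take a packet dump and check whether the port-389 traffic is actually LDAP, here is an added example (not from the thread) that parses the outer BER structure of an LDAPMessage and, for a search request, pulls out the base DN (the cn=...,o=... string Pat mentions). The tag values are from RFC 4511; the sample packets are constructed, not captured from the host in question.

```python
# Added example (not from the thread): check whether bytes captured from a
# port-389 connection are shaped like an LDAP message (tags per RFC 4511).
LDAP_OPS = {0x60: "bindRequest", 0x61: "bindResponse", 0x42: "unbindRequest", 0x63: "searchRequest",
            0x64: "searchResEntry", 0x65: "searchResDone", 0x66: "modifyRequest", 0x4A: "delRequest"}

def read_tlv(buf, pos):
    """Parse one BER TLV at buf[pos]; return (tag, value, next_pos) or raise ValueError."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long-form length: 1..4 length bytes follow
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def classify_ldap(buf):
    """Describe the first LDAPMessage in buf, or return None if it is not LDAP-shaped."""
    try:
        tag, body, _ = read_tlv(buf, 0)          # LDAPMessage ::= SEQUENCE
        itag, mid, pos = read_tlv(body, 0)       # messageID INTEGER
        optag, opbody, _ = read_tlv(body, pos)   # protocolOp, an APPLICATION-tagged CHOICE
    except ValueError:
        return None
    if tag != 0x30 or itag != 0x02 or optag not in LDAP_OPS:
        return None
    info = {"messageID": int.from_bytes(mid, "big"), "op": LDAP_OPS[optag]}
    if optag == 0x63:                 # SearchRequest starts with baseObject, an OCTET STRING DN
        try:
            dtag, dn, _ = read_tlv(opbody, 0)
            if dtag == 0x04:
                info["baseObject"] = dn.decode("utf-8", "replace")
        except ValueError:
            pass
    return info

def ber(tag, value):
    """Short-form BER encoder (value < 128 bytes); only used to build the samples."""
    return bytes([tag, len(value)]) + value

# Constructed sample: SearchRequest, base "cn=users,o=example", filter (objectClass=*).
SAMPLE_SEARCH = ber(0x30, ber(0x02, b"\x01") + ber(0x63,
    ber(0x04, b"cn=users,o=example") + ber(0x0A, b"\x02") + ber(0x0A, b"\x00")
    + ber(0x02, b"\x00") + ber(0x02, b"\x00") + ber(0x01, b"\x00")
    + ber(0x87, b"objectClass") + ber(0x30, b"")))
SAMPLE_NOT_LDAP = b"GET / HTTP/1.0\r\n\r\n"    # constructed: non-LDAP bytes on the same port

if __name__ == "__main__":
    print(classify_ldap(SAMPLE_SEARCH), classify_ldap(SAMPLE_NOT_LDAP))
```

Feed it the payload of the first packet the client sends on the connection; a `None` result for a TCP stream on 389 is the case where Pat says to worry.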
Current thread:
- Trojans that use LDAP Gary Porter (Jan 15)
- Re: Trojans that use LDAP Patrick Patterson (Jan 15)
- Re: Trojans that use LDAP Hugo van der Kooij (Jan 16)
- Re: Trojans that use LDAP Kevin . Reardon (Jan 18)
- Re: Trojans that use LDAP Stephen (Jan 19)
- <Possible follow-ups>
- Re: Trojans that use LDAP GeekSpooky (Jan 17)