Security Incidents mailing list archives

Re: Think I've got trouble

From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Wed, 9 Jan 2002 23:17:19 +0100 (CET)

On 9 Jan 2002, Katherine Ogden wrote:

Two other exchange servers show these ports open.
Port 1042 - Bla
Port 1059 - Nimreg

Two questions.  Does anybody know what these
are?  And am I right in assuming that these machines 
have been compromised and will need to be rebuilt?


Not nescessarily.

exchange binds to rando high ports each time it is rebooted. Can you 
verify these ports are part of exchange? (Shutdown exchange and the ports 
should be gone. After a restart you should have other ports listening.)

Fixing port numbers of exchange is described on various locations.

Hugo.

-- 
All email send to me is bound to the rules described on my homepage.
    hvdkooij () vanderkooij org         http://hvdkooij.xs4all.nl/
            Don't meddle in the affairs of sysadmins,
            for they are subtle and quick to anger.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Think I've got trouble Katherine Ogden (Jan 09)
- Re: Think I've got trouble Hugo van der Kooij (Jan 09)
- Re: Think I've got trouble Nexus (Jan 09)
- <Possible follow-ups>
- RE: Think I've got trouble Andrew Blevins (Jan 09)
- RE: Think I've got trouble Frank Knobbe (Jan 09)