[unisog] Windows Command Prompt in the clear in the network?

Glenn Forbes Fleming Larratt gl89 at cornell.edu
Wed Oct 11 20:56:17 GMT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Folks,

Honeypot and honeynet issues aside:

   - is the presence in the clear of a Windows Command Prompt, from a high
     TCP source port to a high destination port, *ever*
     legitimate/normal/to be expected in the Windows world?

   - if not, is that presence *always* indicative of compromise, or at least
     of a vulnerability having been exploited?

We have noted a 1-to-1 correspondence so far between compromised machines
in our network and a Command Prompt banner

     Microsoft Windows {XP,2000}...

or

     Microsoft(R) Windows NT...

appearing in the sample payload of our network flow recorder (QRadar).

Please reply to me, I will summarize to the list.

Thanks,
- --
Glenn Forbes Fleming Larratt
Cornell University IT Security Office
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)

iD8DBQFFLVp2Lyw7nZwiKgQRAiGpAJ0bN59ES9Dbtr4BrR4zaaH/x17RDgCffmF7
yhOlmTQEKSvRAWrPEtb0Bro=
=vnyQ
-----END PGP SIGNATURE-----
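As an added illustration, not part of Glenn's post and not QRadar's own logic, the heuristic he describes can be expressed as a small scan over flow records that carry a payload sample. The banner patterns are taken from the two banners quoted in the post plus the `C:\...>` prompt that follows them; the "high port" threshold of 1024, the `FlowRecord` layout and the sample records are assumptions constructed here for the example. A record whose payload carries the banner but where one side is a low, well-known port (the fourth sample below) is deliberately left out by the port test, which is exactly what separates a server that is expected to hand out a shell from the high-to-high case the post asks about.

```python
import re
from dataclasses import dataclass

# Banner lines cmd.exe prints on startup, as quoted in the post
# (the trailing version text is not matched so a truncated sample still hits).
BANNER_RE = re.compile(rb"Microsoft(?:\(R\))? Windows (?:XP|2000|NT)")
# A drive-letter prompt such as  C:\WINDOWS\system32>
PROMPT_RE = re.compile(rb"[A-Za-z]:\\[^>\r\n]*>")

# Assumption: "high" port means an ephemeral port, i.e. >= 1024.
HIGH_PORT = 1024


@dataclass
class FlowRecord:
    """One flow as a recorder might export it, with a payload sample (hypothetical layout)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def looks_like_cmd_banner(payload: bytes) -> bool:
    """True if the payload sample contains a Command Prompt banner or prompt."""
    return BANNER_RE.search(payload) is not None or PROMPT_RE.search(payload) is not None


def is_high_to_high(rec: FlowRecord) -> bool:
    """Both endpoints on ephemeral ports: no well-known service on either side."""
    return rec.sport >= HIGH_PORT and rec.dport >= HIGH_PORT


def is_suspect(rec: FlowRecord) -> bool:
    """The post's heuristic: cleartext cmd.exe banner on a high-to-high TCP flow."""
    return is_high_to_high(rec) and looks_like_cmd_banner(rec.payload)


def scan(records):
    """Return the records that match the heuristic, in input order."""
    return [r for r in records if is_suspect(r)]


# Constructed sample records (not real captures) covering the cases that matter.
SAMPLE = [
    # XP banner, both ports high: the pattern the post associates with compromise
    FlowRecord("10.1.2.3", 4444, "192.0.2.9", 31337,
               b"Microsoft Windows XP [Version 5.1.2600]\r\n"
               b"(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\nC:\\WINDOWS\\system32>"),
    # NT-style banner, both ports high
    FlowRecord("10.1.2.4", 1025, "192.0.2.10", 2222,
               b"Microsoft(R) Windows NT(TM)\r\n(C) Copyright 1985-1996 Microsoft Corp.\r\n\r\nC:\\>"),
    # Ordinary web traffic: no banner
    FlowRecord("10.1.2.5", 1030, "192.0.2.11", 80,
               b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # Banner present, but served from a low, well-known port: not high-to-high
    FlowRecord("10.1.2.6", 23, "192.0.2.12", 1040,
               b"Microsoft Windows 2000 [Version 5.00.2195]\r\nC:\\>"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit.src}:{hit.sport} -> {hit.dst}:{hit.dport}  cmd.exe banner in payload")
```

The payload test and the port test are kept as separate functions so that each can be loosened or tightened on its own; in practice the port threshold and the exact banner strings are the two knobs a site would tune against its own flow data.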

