[unisog] Windows Command Prompt in the clear in the network?

Schley Andrew Kutz a.kutz at its.utexas.edu
Wed Oct 11 21:05:07 GMT 2006


Possibly, if someone was initiating DCOM from a command prompt.  All
those communications occur (after the initial end-point mapping) over
port 1024.

-- 
-a

ITS at The University of Texas at Austin

name:	Schley Andrew Kutz, MCSD, GCWN
mail:	a.kutz at its.utexas.edu
work:	512.475.9246

Contributing Editor for:
"Blade Servers and Virtualization: Transforming Enterprise Computing
While Cutting Costs"
http://www.amazon.com/gp/product/0471783951

Please do not hesitate to call or e-mail me if you have any questions or
concerns!  

> -----Original Message-----
> From: unisog-bounces at lists.dshield.org
> [mailto:unisog-bounces at lists.dshield.org] On Behalf Of Glenn Forbes Fleming Larratt
> Sent: Wednesday, October 11, 2006 3:56 PM
> To: unisog at lists.sans.org
> Subject: [unisog] Windows Command Prompt in the clear in the network?
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Folks,
> 
> Honeypot and honeynet issues aside:
> 
>    - is the presence in the clear of a Windows Command Prompt, from a high
>      TCP source port to a high destination port, *ever*
>      legitimate/normal/to be expected in the Windows world?
> 
>    - if not, is that presence *always* indicative of compromise, or at least
>      of a vulnerability having been exploited?
> 
> We have noted a 1-to-1 correspondence so far between compromised machines
> in our network and a Command Prompt banner
> 
>      Microsoft Windows {XP,2000}...
> 
> or
> 
>      Microsoft(R) Windows NT...
> 
> appearing in the sample payload of our network flow recorder (QRadar).
> 
> Please reply to me, I will summarize to the list.
> 
> Thanks,
> - --
> Glenn Forbes Fleming Larratt
> Cornell University IT Security Office
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (MingW32)
> 
> iD8DBQFFLVp2Lyw7nZwiKgQRAiGpAJ0bN59ES9Dbtr4BrR4zaaH/x17RDgCffmF7
> yhOlmTQEKSvRAWrPEtb0Bro=
> =vnyQ
> -----END PGP SIGNATURE-----
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> http://lists.dshield.org/mailman/listinfo/unisog
> 
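The correlation Glenn describes (a cmd.exe banner in the sampled payload of a flow between two high TCP ports) can be turned into a triage check over flow records. The script below is an added example, not code from either poster or from QRadar: it matches the "Microsoft Windows {XP,2000}" / "Microsoft(R) Windows NT" banner strings named in the post (plus the generic "Microsoft Windows [Version ...]" form of later releases), separates high-to-high hits from banners seen on a well-known service port such as telnet, and names the sending host, which is the one running cmd.exe whether the shell was bound or called back. The `Flow` record, the `EPHEMERAL_MIN` threshold and the sample flows are assumptions and constructed data, not real captures.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Banner cmd.exe prints when it starts an interactive session. Covers the
# strings the post mentions ("Microsoft Windows {XP,2000}", "Microsoft(R)
# Windows NT") and the generic "Microsoft Windows [Version x.y.z]" form.
CMD_BANNER = re.compile(
    rb"Microsoft(?:\(R\))? Windows(?: (?:XP|2000|NT(?:\(TM\))?))?"
    rb"(?: \[Version [0-9.]+\])?\r?\n"
    rb"\(C\) Copyright 1985-\d{4} Microsoft Corp\."
)

# Fallback: a bare drive-letter prompt ("C:\WINDOWS\system32>") for flows
# whose payload sample started after the banner had already scrolled by.
CMD_PROMPT = re.compile(rb"(?:^|\r?\n)[A-Za-z]:\\[^\r\n<>|]*>")

# Assumed threshold: ports below this are treated as well-known service
# ports; Windows 2000/XP allocate ephemeral ports from 1025 upward, so a
# bind or reverse shell on a high port shows up as high-to-high traffic.
EPHEMERAL_MIN = 1024


@dataclass
class Flow:
    """One direction of a TCP conversation with its sampled payload (assumed shape)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def cmd_banner_present(payload: bytes) -> bool:
    """True if the payload sample carries a cmd.exe banner or prompt."""
    return bool(CMD_BANNER.search(payload) or CMD_PROMPT.search(payload))


def classify(flow: Flow) -> str:
    """Triage one flow.

    suspect-shell         banner between two high ports: bind/reverse shell pattern
    banner-on-known-port  banner, but one side is a well-known service port
                          (e.g. an admin telnet session on 23): review, not alarm
    no-banner             nothing to see
    """
    if not cmd_banner_present(flow.payload):
        return "no-banner"
    if flow.src_port < EPHEMERAL_MIN or flow.dst_port < EPHEMERAL_MIN:
        return "banner-on-known-port"
    return "suspect-shell"


def suspected_hosts(flows: List[Flow]) -> List[str]:
    """Hosts that sent a cmd.exe banner over a high-to-high flow.

    cmd.exe prints the banner, so the sending IP is the box running the
    shell, for bind shells (victim listens) and reverse shells (victim calls out).
    """
    return sorted({f.src_ip for f in flows if classify(f) == "suspect-shell"})


def triage(flows: List[Flow]) -> Dict[str, List[str]]:
    """Group flows by verdict, rendered as 'src:port -> dst:port'."""
    out: Dict[str, List[str]] = {}
    for f in flows:
        out.setdefault(classify(f), []).append(
            f"{f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port}")
    return out


# Constructed sample flow records (not real captures). Addresses are from
# private/documentation ranges; the banners are what cmd.exe emits on the
# named Windows versions.
SAMPLE_FLOWS = [
    # Bind shell: victim listens on 4444, attacker connects from an ephemeral port.
    Flow("10.1.2.3", 4444, "192.0.2.9", 51022,
         b"Microsoft Windows XP [Version 5.1.2600]\r\n"
         b"(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\nC:\\WINDOWS\\system32>"),
    # Reverse shell: victim calls out from an ephemeral port to the attacker's 31337.
    Flow("10.1.2.4", 1027, "192.0.2.9", 31337,
         b"Microsoft Windows 2000 [Version 5.00.2195]\r\n"
         b"(C) Copyright 1985-2000 Microsoft Corp.\r\n\r\nC:\\>"),
    # Admin telnet session to an NT server: same banner, but on port 23.
    Flow("10.1.2.5", 23, "10.1.9.1", 1035,
         b"Microsoft(R) Windows NT(TM)\r\n"
         b"(C) Copyright 1985-1996 Microsoft Corp.\r\n\r\nC:\\>"),
    # Ordinary web traffic on a well-known port, no banner.
    Flow("10.1.2.6", 80, "10.1.9.2", 1040,
         b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    # High-to-high binary traffic (a DCE/RPC bind header), no banner.
    Flow("10.1.2.7", 1050, "10.1.2.8", 1025,
         b"\x05\x00\x0b\x03\x10\x00\x00\x00"),
]

if __name__ == "__main__":
    for verdict, lines in triage(SAMPLE_FLOWS).items():
        print(verdict)
        for line in lines:
            print("   ", line)
    print("suspected hosts:", suspected_hosts(SAMPLE_FLOWS))
```

Two caveats when running this over real flow samples: it only sees shells that travel in the clear, so an encrypted or SMB-tunnelled command channel produces no hit, and a legitimate cmd.exe session reached over telnet or another administrative service lands in the review bucket rather than the alarm bucket because one end sits on a well-known port. Adjust `EPHEMERAL_MIN` to the dynamic port range your hosts actually use.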


