[unisog] Windows Command Prompt in the clear in the network?

Gary Flynn flynngn at jmu.edu
Thu Oct 12 12:57:18 GMT 2006

Glenn Forbes Fleming Larratt wrote:
> Hash: SHA1
> Folks,
> Honeypot and honeynet issues aside:
>    - is the presence in the clear of a Windows Command Prompt, from a high
>      TCP source port to a high destination port, *ever*
>      legitimate/normal/to be expected in the Windows world?
>    - if not, is that presence *always* indicate of compromise, or at least
>      of a vulnerability having been exploited?

Our Juniper IDP has been configured since March with a locally
written signature to block such sessions. We have not seen any
false positives but we also haven't seen any hits on the
signature. The latter may be partially due to our default deny
inbound Internet policy making such servers on the majority of
comptuers inaccessible from the Internet. Or maybe I just didn't
write the signature well. :)

Gary Flynn
Security Engineer
James Madison University

More information about the unisog mailing list