| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5d80962a0709281147v1dc0a152j5ca77ca0b832afc3@mail.gmail.com>
Date: Fri, 28 Sep 2007 14:47:21 -0400
From: Fabrizio <staticrez@...il.com>
To: Full-Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: .NET REMOTING on port 31337
Yeah! Stand there and risk come confidential data being compromised! Monitor
and Capture them stealing our customer info! Then try and get it back!
Come on man. It's a pen-test, and there are NDA's in order. Don't take the
chance.
On 9/28/07, Joel R. Helgeson <joel@...geson.com> wrote:
>
> I disagree, don't block access to the port. Monitor and capture it.
>
>
>
> Joel's First rule of forensics: Don't just do something, stand there!
>
>
>
> Watch it, monitor it. If it is a crafty backdoor, there are dozens of
> others to enable bad guys to regain entry.
>
> Blocking lets the hacker know you might be on to them. IF it is legit,
> then it could cause a problem.
>
> Telnet to the port, see what it says on connection; run fport or
> sysinternals utilities on the box to see the stack the program uses.
>
>
>
> -joel
>
>
>
> *From:* full-disclosure-bounces@...ts.grok.org.uk [mailto:
> full-disclosure-bounces@...ts.grok.org.uk] *On Behalf Of *Fabrizio
> *Sent:* Friday, September 28, 2007 1:31 PM
> *To:* Full-Disclosure
> *Subject:* Re: [Full-disclosure] .NET REMOTING on port 31337
>
>
>
> If you think it's that critical, (i think it's that critical) start by
> blocking any connections from anywhere to that machine/port. See if anyone
> complains. Check any old firewall logs for that port while you're at it.
> Then continue your investigation!!
>
> Fabrizio
>
> On 9/28/07, *Simon Smith* <simon@...soft.com> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Got output... and it was... no idea what it was... can't paste it due to
> confidentiality though.
>
> Fabrizio wrote:
> > .NET Remoting is "a generic system for different applications to use to
> > communicate with one another." It's part of the .NET framework,
> > obviously. (not trying to be a smart ass)
> >
> > I'm gonna take a wild guess and say it's not a good thing......
> >
> > Connect to it, and see if you get any output, if you haven't already
> > done so.
> >
> > Fabrizio
> >
> >
> >
> > On 9/28/07, * Simon Smith* < simon@...soft.com
> > <mailto:simon@...soft.com>> wrote:
> >
> >
> > Has anyone ever heard of .NET REMOTING running on port 31337? If so,
> > have you ever seen it "legitimate"?
> >
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> <http://lists.grok.org.uk/full-disclosure-charter.html>
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
> > ------------------------------------------------------------------------
>
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
> - --
>
> - - simon
>
> - ----------------------
> http://www.snosoft.com
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (Darwin)
>
> iD8DBQFG/UY+f3Elv1PhzXgRAs/BAJ42Vwk5+cvWfoYo4wUl74LDnUtz7wCgzW9s
> O/+SDoZYgZ1r1oDjKpKzZIo=
> =n54j
> -----END PGP SIGNATURE-----
>
>
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists