I'd like to add that for checking the NT box's open ports you might want to try TCPView from www.sysinternal.com - nice free tools that will show all open connections/ports. Maybe it's useful for you.
Erwin
--- michael.ryan@storm.ie wrote:
I'd have a look at the services and processes running on the NT box to see whether there is anything unusual/suspicious. Also, you could run a virus scan to check whether any trojans have infected the machine (given that it's a mail server).
Regards, Michael
[...]
Hi!
One of our customers' internet proxy/firewall receives UDP broadcasts (several per minute) from one of their internal servers:
Oct 31 12:31:52 proxy01 kernel: Packet log: InLog - eth0 PROTO=17 192.168.1.2:4537 255.255.255.255:6666 L=61 S=0x00 I=56516 F=0x0000 T=128 (#1)
192.168.1.2 is an NT server that's currently only used as a mail server - no active users; is this probably a trojan, or could this be Yet Another Windows Feature(tm)?
(According to various info websites the trojans "Dark Connection Inside" and "Netbus" use this port...)
Regards, Martin
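One way to summarise which internal hosts send such broadcasts, as an added example that is not part of the original thread: a small Python parser for the ipchains packet-log format of the quoted log line. The function names are this example's own, and every sample line except the first is constructed.

```python
import re
from collections import defaultdict

# ipchains "Packet log:" layout, as in the line quoted in the thread:
# chain target iface PROTO=n src:sport dst:dport L= S= I= F= T= (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) .*?T=(?P<ttl>\d+)"
)

def parse_line(line):
    """Return the fields of one packet-log line as a dict, or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ttl"):
        rec[key] = int(rec[key])
    return rec

def broadcast_talkers(lines, proto=17, dst="255.255.255.255"):
    """Group limited-broadcast packets by (source, destination port)."""
    talkers = defaultdict(lambda: {"count": 0, "sports": set(), "lengths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == proto and rec["dst"] == dst:
            t = talkers[(rec["src"], rec["dport"])]
            t["count"] += 1
            t["sports"].add(rec["sport"])
            t["lengths"].add(rec["length"])
    return dict(talkers)

# Sample input: line 1 is the one quoted in the thread, the rest are constructed.
SAMPLE = """\
Oct 31 12:31:52 proxy01 kernel: Packet log: InLog - eth0 PROTO=17 192.168.1.2:4537 255.255.255.255:6666 L=61 S=0x00 I=56516 F=0x0000 T=128 (#1)
Oct 31 12:32:07 proxy01 kernel: Packet log: InLog - eth0 PROTO=17 192.168.1.2:4538 255.255.255.255:6666 L=61 S=0x00 I=56590 F=0x0000 T=128 (#1)
Oct 31 12:32:09 proxy01 kernel: Packet log: InLog - eth0 PROTO=6 192.168.1.7:1045 192.168.1.1:3128 L=48 S=0x00 I=1201 F=0x4000 T=128 (#1)
Oct 31 12:32:22 proxy01 kernel: Packet log: InLog - eth0 PROTO=17 192.168.1.2:4539 255.255.255.255:6666 L=61 S=0x00 I=56644 F=0x0000 T=128 (#1)
Oct 31 12:32:30 proxy01 kernel: Packet log: InLog - eth0 PROTO=17 192.168.1.9:138 192.168.1.255:138 L=229 S=0x00 I=880 F=0x0000 T=128 (#1)
""".splitlines()

if __name__ == "__main__":
    for (src, dport), t in broadcast_talkers(SAMPLE).items():
        print(f"{src} -> 255.255.255.255:{dport}/udp  {t['count']} packets, "
              f"source ports {sorted(t['sports'])}, lengths {sorted(t['lengths'])}")
```

The source ports collected per host can be compared with the local UDP ports TCPView shows on the NT box to find the sending process.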