Yeah! Stand there and risk come confidential data being compromised! Monitor and Capture them stealing our customer info! Then try and get it back!
Come on man. It's a pen-test, and there are NDA's in order. Don't take the chance. On 9/28/07, Joel R. Helgeson <[EMAIL PROTECTED]> wrote: > > I disagree, don't block access to the port. Monitor and capture it. > > > > Joel's First rule of forensics: Don't just do something, stand there! > > > > Watch it, monitor it. If it is a crafty backdoor, there are dozens of > others to enable bad guys to regain entry. > > Blocking lets the hacker know you might be on to them. IF it is legit, > then it could cause a problem. > > Telnet to the port, see what it says on connection; run fport or > sysinternals utilities on the box to see the stack the program uses. > > > > -joel > > > > *From:* [EMAIL PROTECTED] [mailto: > [EMAIL PROTECTED] *On Behalf Of *Fabrizio > *Sent:* Friday, September 28, 2007 1:31 PM > *To:* Full-Disclosure > *Subject:* Re: [Full-disclosure] .NET REMOTING on port 31337 > > > > If you think it's that critical, (i think it's that critical) start by > blocking any connections from anywhere to that machine/port. See if anyone > complains. Check any old firewall logs for that port while you're at it. > Then continue your investigation!! > > Fabrizio > > On 9/28/07, *Simon Smith* <[EMAIL PROTECTED]> wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Got output... and it was... no idea what it was... can't paste it due to > confidentiality though. > > Fabrizio wrote: > > .NET Remoting is "a generic system for different applications to use to > > communicate with one another." It's part of the .NET framework, > > obviously. (not trying to be a smart ass) > > > > I'm gonna take a wild guess and say it's not a good thing...... > > > > Connect to it, and see if you get any output, if you haven't already > > done so. > > > > Fabrizio > > > > > > > > On 9/28/07, * Simon Smith* < [EMAIL PROTECTED] > > <mailto:[EMAIL PROTECTED]>> wrote: > > > > > > Has anyone ever heard of .NET REMOTING running on port 31337? If so, > > have you ever seen it "legitimate"? > > > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > <http://lists.grok.org.uk/full-disclosure-charter.html> > Hosted and sponsored by Secunia - http://secunia.com/ > > > > > ------------------------------------------------------------------------ > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > > - -- > > - - simon > > - ---------------------- > http://www.snosoft.com > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.5 (Darwin) > > iD8DBQFG/UY+f3Elv1PhzXgRAs/BAJ42Vwk5+cvWfoYo4wUl74LDnUtz7wCgzW9s > O/+SDoZYgZ1r1oDjKpKzZIo= > =n54j > -----END PGP SIGNATURE----- > > >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
