SANS: Rootkit Findings

A reader who wishes to remain anonymous sent us a nice write-up of findings uncovered while investigating an intrusion. Below is the entire note, minus identifying details.

I got caught out by the recent MailEnable buffer overflow vulnerability by a few hours. I'd been running the patch in pre-live for a few days for testing, but was too slow in getting the live server patched, unfortunately.

The rootkit seemed to be running 2 ServU daemons, one on port 43958 and the other on port 1050 using an SSL connection. There were a host of other ports opened by the rootkit and I couldn't figure out what they were for... The server I had to fix is 200 miles away, so it was all done via a remote desktop connection.
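The unexplained listening ports in the note are the kind of thing a defender wants to triage systematically: parse `netstat -ano`, map each listener to its owning PID, and flag anything outside the host's known service ports. The script below is an added example, not part of the reader's note or of any SANS tooling; the netstat output and PID-to-process map are constructed to mirror the note (the two ports 43958 and 1050 appear, the expected mail and RDP ports are an assumption).

```python
import re

# Constructed sample of Windows `netstat -ano` output modelled on the note above:
# expected SMTP/POP3/RDP listeners plus two unexpected ones on 43958 and 1050.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       772
  TCP    0.0.0.0:43958          0.0.0.0:0              LISTENING       3120
  TCP    0.0.0.0:1050           0.0.0.0:0              LISTENING       3120
  TCP    10.0.0.5:3389          10.0.0.9:51022         ESTABLISHED     772
"""

# Constructed PID -> image name map (what `tasklist` would report); names are hypothetical.
PROCESS_BY_PID = {1204: "MEMTA.EXE", 772: "svchost.exe", 3120: "svchost.exe"}

# Ports this mail server is expected to listen on (an assumed allowlist; adjust per host).
EXPECTED_PORTS = {25, 110, 3389}

# Match only TCP rows in LISTENING state: local address, port, and owning PID.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listening_sockets(netstat_text):
    """Parse TCP LISTENING rows into a list of (port, pid) tuples."""
    sockets = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            sockets.append((int(m.group(2)), int(m.group(3))))
    return sockets


def unexpected_listeners(netstat_text, expected_ports, process_by_pid):
    """Return [(port, pid, image)] for listeners outside the allowlist, sorted by port.

    Listeners sharing a PID (as 43958 and 1050 do here) usually belong to one
    implant, so the PID is the pivot for the next step: inspecting that process.
    """
    findings = []
    for port, pid in listening_sockets(netstat_text):
        if port not in expected_ports:
            findings.append((port, pid, process_by_pid.get(pid, "<unknown>")))
    return sorted(findings)


if __name__ == "__main__":
    for port, pid, image in unexpected_listeners(NETSTAT_SAMPLE, EXPECTED_PORTS, PROCESS_BY_PID):
        print(f"unexpected listener: port {port} owned by pid {pid} ({image})")
```

A kernel-level rootkit can filter what netstat reports, so compare this host-side view against a port scan taken from another machine; listeners that appear only in the external scan are the strongest indicator.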
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System

Linked by shanmuga Saturday, 15th April 2006 12:35AM