intrusion

  • Thread starter Thread starter Milos Puchta
  • Start date Start date
M

Milos Puchta

There were many connection to the port 1025 of internal hosts
accordind to the TCPviewer*) in LAN, that is secured by port
blocking only (ports 1-1024). Process tyhat are bound to this
behaviour are either lsass and netservices. The process analyzer*)
can give some detailed more info up to the threads but there is
no information about the process-to-port binding.
Can anyone guess the type of penetration, it seems that the port
80 was attacked originally?

TIA
Milos
*) Sysinternals, the latest versions
 
This may answer some of your questions

http://www.dshield.org/port_report.php?port=1025&recax=1&tarax=2&srcax=2&percent=N&days=4

----- Milos Puchta wrote: ----

There were many connection to the port 1025 of internal host
accordind to the TCPviewer*) in LAN, that is secured by por
blocking only (ports 1-1024). Process tyhat are bound to thi
behaviour are either lsass and netservices. The process analyzer*
can give some detailed more info up to the threads but there i
no information about the process-to-port binding
Can anyone guess the type of penetration, it seems that the por
80 was attacked originally

TI
Milo
*) Sysinternals, the latest version
 
Back
Top