[Full-Disclosure] Scans for IPSwitch IMail LDAP vulnerability

From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Date: Tue Feb 24 2004 - 11:19:52 EST

Dear full-disclosure@lists.netsys.com,

Information was received from Kaspersky Labs: there is increased
activity on the TCP/389 (LDAP) port. Analysis of a captured packet
demonstrates an attempt to exploit the IPSwitch IMail LDAP vulnerability.
The packet contains universal reverse shell shellcode. A trojan is installed
on the owned host (it listens on TCP/21 and pretends to be wu-ftpd).

The best solution is to filter TCP/389.

-- 
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
                    |/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Tue Feb 24 12:51:20 2004

This archive was generated by hypermail 2.1.8 : Tue Feb 24 2004 - 13:01:03 EST
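
The behaviour described in the post (probes on TCP/389, a reverse connection from the targeted host, then a listener on TCP/21) can be looked for in perimeter firewall logs. The script below is an added example, not part of the original post; the log format, the internal network range, the list of legitimate FTP servers and all sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.0.2.0/24")   # assumption: the protected network
KNOWN_FTP = {"192.0.2.21"}              # assumption: legitimate FTP servers

# Constructed sample log in a hypothetical format, not captured traffic.
SAMPLE_LOG = """\
2004-02-24T10:00:01 DROP TCP 203.0.113.5:4001 -> 192.0.2.10:389
2004-02-24T10:00:01 DROP TCP 203.0.113.5:4002 -> 192.0.2.11:389
2004-02-24T10:00:02 ACCEPT TCP 203.0.113.5:4003 -> 192.0.2.12:389
2004-02-24T10:00:03 ACCEPT TCP 192.0.2.12:1055 -> 203.0.113.5:8080
2004-02-24T10:05:00 ACCEPT TCP 198.51.100.7:3300 -> 192.0.2.12:21
2004-02-24T10:06:00 ACCEPT TCP 198.51.100.9:3301 -> 192.0.2.21:21
2004-02-24T10:07:00 ACCEPT TCP 192.0.2.30:1100 -> 192.0.2.40:389
"""

LINE = re.compile(r"(\S+) (ACCEPT|DROP) TCP ([\d.]+):\d+ -> ([\d.]+):(\d+)")

def parse(log):
    """Yield (timestamp, action, src, dst, dport) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            ts, action, src, dst, dport = m.groups()
            yield ts, action, src, dst, int(dport)

def internal(ip):
    return ip_address(ip) in INTERNAL

def analyse(log, scan_threshold=3):
    """Return (scanners, suspects) from a chronologically ordered log."""
    ldap_targets = defaultdict(set)  # external source -> internal hosts probed on 389
    exposed = defaultdict(set)       # internal host -> external sources that reached its 389
    suspects = {}                    # internal host -> first reason it was flagged
    for ts, action, src, dst, dport in parse(log):
        if dport == 389 and not internal(src) and internal(dst):
            ldap_targets[src].add(dst)
            if action == "ACCEPT":
                exposed[dst].add(src)
        elif action == "ACCEPT" and src in exposed and dst in exposed[src]:
            # Host later connects out to an address that reached its LDAP port.
            suspects.setdefault(src, f"connected back to LDAP client {dst} at {ts}")
        elif action == "ACCEPT" and dport == 21 and dst in exposed and dst not in KNOWN_FTP:
            # LDAP-exposed host now accepts FTP although it is not an FTP server.
            suspects.setdefault(dst, f"unexpected FTP listener reached at {ts}")
    scanners = {s for s, hosts in ldap_targets.items() if len(hosts) >= scan_threshold}
    return scanners, suspects
```

Calling `analyse(SAMPLE_LOG)` returns the set of external sources that probed TCP/389 on at least `scan_threshold` internal hosts, and a dictionary of internal hosts to review with the reason each was flagged.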
