Yeah! Stand there and risk some confidential data being compromised!
Monitor and capture them stealing our customer info! Then try and get it back!<br><br>Come on man. It's a pen-test, and there are NDAs in order. Don't take the chance.
<br><br><div><span class="gmail_quote">On 9/28/07, <b class="gmail_sendername">Joel R. Helgeson</b> <<a href="mailto:joel@helgeson.com">joel@helgeson.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">I disagree, don't block access to the port. Monitor and capture
it.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Joel's first rule of forensics: Don't just do something, stand
there!</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Watch it, monitor it. If it is a crafty backdoor, there are
dozens of others to enable bad guys to regain entry.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Blocking lets the hacker know you might be on to them. If it is
legit, then it could cause a problem.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Telnet to the port, see what it says on connection; run fport or
sysinternals utilities on the box to see the stack the program uses.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">-joel</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<div style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p><b><span style="font-size: 10pt;">From:</span></b><span style="font-size: 10pt;"> <a href="mailto:full-disclosure-bounces@lists.grok.org.uk" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">full-disclosure-bounces@lists.grok.org.uk
</a>
[mailto:<a href="mailto:full-disclosure-bounces@lists.grok.org.uk" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">full-disclosure-bounces@lists.grok.org.uk</a>] <b>On Behalf Of </b>Fabrizio<br>
<b>Sent:</b> Friday, September 28, 2007 1:31 PM<br>
<b>To:</b> Full-Disclosure<br>
<b>Subject:</b> Re: [Full-disclosure] .NET REMOTING on port 31337</span></p>
</div><div><span class="e" id="q_1154d69b54750ed0_1">
<p> </p>
<p style="margin-bottom: 12pt;">If you think it's that
critical (I think it's that critical), start by blocking any connections from
anywhere to that machine/port. See if anyone complains. Check any old firewall
logs for that port while you're at it. Then continue your investigation!! <br>
<br>
Fabrizio</p>
<div>
<p><span>On 9/28/07, <b>Simon Smith</b> <<a href="mailto:simon@snosoft.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">simon@snosoft.com</a>> wrote:</span></p>
<p>-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
Got output... and it was... no idea what it was... can't paste it due to<br>
confidentiality though.<br>
<br>
Fabrizio wrote:<br>
> .NET Remoting is "a generic system for different applications to use
to <br>
> communicate with one another." It's part of the .NET framework,<br>
> obviously. (not trying to be a smart ass)<br>
><br>
> I'm gonna take a wild guess and say it's not a good thing......<br>
><br>
> Connect to it, and see if you get any output, if you haven't already<br>
> done so.<br>
><br>
> Fabrizio<br>
><br>
><br>
><br>
> On 9/28/07, * Simon Smith* <<a href="mailto:simon@snosoft.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
simon@snosoft.com</a><br>
> <mailto:<a href="mailto:simon@snosoft.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">simon@snosoft.com</a>>>
wrote:<br>
><br>
><br>
> Has anyone ever heard of .NET REMOTING running on port 31337? If so,<br>
> have you ever seen it "legitimate"? <br>
><br>
><br>
<br>
_______________________________________________<br>
Full-Disclosure - We believe in it.<br>
Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://lists.grok.org.uk/full-disclosure-charter.html
</a><br>
<<a href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://lists.grok.org.uk/full-disclosure-charter.html</a>><br>
Hosted and sponsored by Secunia - <a href="http://secunia.com/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://secunia.com/
</a><br>
<br>
- --<br>
<br>
- - simon<br>
<br>
- ----------------------<br>
<a href="http://www.snosoft.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://www.snosoft.com</a><br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.5 (Darwin)<br>
<br>
iD8DBQFG/UY+f3Elv1PhzXgRAs/BAJ42Vwk5+cvWfoYo4wUl74LDnUtz7wCgzW9s<br>
O/+SDoZYgZ1r1oDjKpKzZIo= <br>
=n54j<br>
-----END PGP SIGNATURE-----</p>
</div>
<p> </p>
</span></div></div>
</div>
</blockquote></div><br>
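<p>The two checks Joel suggests (find out which process owns the port, then connect and see what the service volunteers) as a small triage script. This is an added example, not code from anyone in the thread: the <code>netstat -ano</code> output and the local stand-in service are constructed, the port-to-PID mapping is what fport or Sysinternals TCPView would show, and the <code>.NET\x01\x00</code> preamble is the message header defined by MS-NRTP for the .NET Remoting TCP channel.</p>

```python
"""Triage an unexpected listening port: who owns it, and what does it say on connect?
Added example, not from the thread. Runs offline against constructed data."""
import re
import socket
import threading

# Constructed sample of Windows `netstat -ano` output (not real data). On a live
# host use: subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       4120
  TCP    10.0.0.5:31337         10.0.0.77:50233        ESTABLISHED     4120
  TCP    10.0.0.5:445           10.0.0.9:49210         ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    1208
"""

NETSTAT_TCP = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\S+)"
    r"\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)

# Per MS-NRTP, every .NET Remoting TCP-channel message starts with ".NET", major 1, minor 0.
DOTNET_PREAMBLE = b".NET\x01\x00"


def owners_of_port(netstat_text, port):
    """Return (PIDs listening on `port`, [(peer_ip, peer_port, pid)] for live sessions).
    The PID is what you hand to `tasklist /FI "PID eq <pid>"` or TCPView to name the image."""
    listeners, peers = set(), []
    for line in netstat_text.splitlines():
        m = NETSTAT_TCP.match(line)
        if not m or int(m["lport"]) != port:
            continue
        if m["state"] == "LISTENING":
            listeners.add(int(m["pid"]))
        elif m["state"] == "ESTABLISHED":
            peers.append((m["raddr"], int(m["rport"]), int(m["pid"])))
    return listeners, peers


def grab_banner(host, port, timeout=3.0, max_bytes=256):
    """Connect and wait passively for whatever the service sends first.
    Returns b"" if it sends nothing before the timeout or hangs up silently.
    Client-speaks-first protocols (.NET Remoting's TcpChannel among them) look
    exactly like that, so an empty banner rules nothing out."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(max_bytes)
        except socket.timeout:
            return b""


def classify_banner(data):
    """Coarse label for what came back on connect."""
    if not data:
        return "silent"
    if data.startswith(DOTNET_PREAMBLE):
        return "dotnet-remoting-tcp"
    if all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "text"
    return "binary"


def _serve_once(banner, ready):
    # Throwaway listener for the offline demo: accept one client, send `banner`, hang up.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    ready["port"] = srv.getsockname()[1]
    ready["event"].set()
    conn, _ = srv.accept()
    if banner:
        conn.sendall(banner)
    conn.close()
    srv.close()


def probe_local(banner, timeout=2.0):
    """Start a local stand-in service that greets with `banner`, then grab and classify it."""
    ready = {"event": threading.Event()}
    t = threading.Thread(target=_serve_once, args=(banner, ready), daemon=True)
    t.start()
    ready["event"].wait(2)
    data = grab_banner("127.0.0.1", ready["port"], timeout=timeout)
    t.join(2)
    return data, classify_banner(data)


if __name__ == "__main__":
    listeners, peers = owners_of_port(SAMPLE_NETSTAT, 31337)
    print("listening PIDs:", sorted(listeners), "established peers:", peers)
    for banner in (b"220 mail ready\r\n", DOTNET_PREAMBLE + b"\x02\x00", b""):
        print(probe_local(banner))
```

<p>The PID and the established peers fall out of the <code>netstat</code> snapshot without touching the service at all, which is the part that fits Joel's "stand there and watch" approach; the banner grab is the active step, and on an engagement under NDA it is the one to clear with the client first. A genuine .NET Remoting TcpChannel will not greet you, because the client sends the first message, so a silent port is consistent with both the legitimate and the unpleasant explanation and the process name is the better discriminator.</p>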