[Dshield] I no longer need sobig.F

John D. lists at webcrunchers.com
Wed Aug 20 04:09:40 GMT 2003


>Everybody who helped out, thanks!  I have the right kind of tcpdumps that 
>answer the needed questions I had. 

If you can give me any information on the TCP/IP communication protocols,
let me know. I'm hoping we can detect its presence remotely, and eventually catch the person controlling it.

http://www.lurhq.com/sobig.html has all the port numbers it uses, and
the other proxies it has, and the port numbers they use.

Can't we just port scan some infected PC and identify if it's listening?
Of course this would have to be done when the PC is in use.

John




