[Dshield] Sobig.F and Telnet Server

John Sage jsage at finchhaven.com
Sun Aug 24 16:30:36 GMT 2003


I'm confused about what it is you're describing, here, but I'm not
convinced that it's without some possible interest...

On Sat, Aug 23, 2003 at 10:31:32PM -0600, Daniel Otis-Vigil wrote:
> On my test machine I noticed this behavior:
> 
> TCP    192.168.1.34:11797     0.0.0.0:0              LISTENING

So netstat -an shows this listening?

> and when I connected it showed:

And you connected to 192.168.1.34 port 11797 by what means?

Telnet? What?

And when you did, you received this response:

> Welcome to Microsoft Telnet Client
> 
> Escape Character is 'CTRL+]'
> 
> 
> Microsoft Telnet>
> 
> and then opened this port:

And then *what* opened this port?

You did? With what? Did netstat -an show this now being open?

What? You're losing me..

> UDP    192.168.1.34:9995      *:*

UDP:995 is a port SoBig supposedly opens a listener on...

> So far other than this I have only seen a few attempts to connect to NTP 
> services.

NTP? Network Time Protocol?

This ntp?

ntp   123/tcp
ntp   123/udp         # Network Time Protocol

What relationship does this have to what you posted, above?


At this point, you've lost me completely...


- John
-- 
"Warning: time of day goes back, taking countermeasures."



