[Dshield] Sobig.F and Telnet Server

John Sage jsage at finchhaven.com
Sun Aug 24 16:30:36 GMT 2003

I'm confused about what it is you're describing, here, but I'm not
convinced that it's without some possible interest...

On Sat, Aug 23, 2003 at 10:31:32PM -0600, Daniel Otis-Vigil wrote:
> On my test machine I noticed this behavior:
> TCP              LISTENING

So netstat -an shows this listening?

> and when I connected it showed:

And you connected to port 11797 by what means?

Telnet? What?

And when you did, you received this response:

> Welcome to Microsoft Telnet Client
> Escape Character is 'CTRL+]'
> Microsoft Telnet>
> and then opened this port:

And then *what* opened this port?

You did? With what? Did netstat -an show this now being open?

What? You're losing me..

> UDP      *:*

UDP:995 is a port SoBig supposedly opens a listener on...

> So far other than this I have only seen a few attempts to connect to NTP 
> services.

NTP? Network Time Protocol?

This ntp?

ntp   123/tcp
ntp   123/udp         # Network Time Protocol

What relationship does this have to what you posted, above?

At this point, you've lost me completely...

- John
"Warning: time of day goes back, taking countermeasures."
