[Dshield] Port 901, being used by trojan/virus

Philip S. Hempel pshempel at linuxhardcore.com
Sat Oct 4 11:50:00 GMT 2003

Hello all, I have not subscribed to the list yet (I am on way to many at
the moment).

I wanted to point out that if anyone cares to know, port 901 is being
used by some form of trojan/virus and is not being shown as one in the
dshield reports.

I can tell you that the trojan/virus itself scans for open ports of
other machines on port 901, it is a telnet interface and requires
password only to login.

The trojan has been around since early last year and seems to have
become more and more prevalent in the pass few months.

I have forgotten the login prompt that is being used but it is somewhat
of a "c00l" type of prompt.

I do remember port 901 having a report on some other website, I will
have to look it up and post it later.


More information about the list mailing list