[Dshield] Does ring any bell?

lew001@globetrotter.net lew001 at globetrotter.net
Tue Jan 6 14:11:00 GMT 2004

Over the holidays, I had a look at my dad's PC (Compaq, Win98).
He had been complaining of significant slowdowns. We did a few
usual things (such as cleaning up, defragmenting). But I also ran
"netstat -n -a" on his system and saw a few strange things:

1) First, there is some s/w on his system trying to FTP to IP
   address Reverse DNS fails. I googled for this
   IP address, but found nothing. Netstat -n -a showed:

   TCP    <his IP addr>:1356      SYN_SENT

   Question: anyone have a clue what this might be? What did
   the IP address point to at some point?

   Question: if reverse DNS fails, does this imply that forward
   DNS also failed? I.e. that the IP address is hard-coded in the

2) Second, his PC was listening on two suspect ports, 5180 and
   1039. There are two possible backdoors here:

   port 5180  progmon   (maybe that was only on localhost:)

   port 1039  adminclient

   However, the task list shows nothing suspicious:
      Explorer       Internat          Netscp         Bttnserv
      Reminder       Instantaccess     Em_exec        Cpqeaui
      Sxgdsenu       Systray           Sandicon       Rnaapp

   Question: are backdoors typically smart enough to hide from
   the task list?

   Question: if I telnet to his PC on one of these ports, will
   I see a command-line interface? With help :-)? Or are backdoor
   interfaces more commonly binary interfaces (i.e. with GUI clients)?

Wrt "netstat -n -a" output, a couple of questions.
When the "local address" is shown as "", does this
mean that connections are accepted from anywhere? When it shows
"", does this mean that only local connections are
accepted? And when it shows a specific IP address, does it mean
that it accepts connections only from that interface?

I will be trying SpyBot S&D for sure on his system.

Pierre Lewis
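As an added example (not part of the original post, and not the poster's own netstat output), here is a small Python script that parses classic Windows-style "netstat -n -a" output and answers the local-address question mechanically: a listener bound to 0.0.0.0 accepts connections arriving on any interface, one bound to 127.0.0.1 accepts only connections from programs on the same machine, and one bound to a specific interface address accepts only connections arriving via that interface. It also flags listeners outside an assumed allowlist of expected ports and any socket stuck in SYN_SENT, which is the "trying to reach a host that never answers" pattern described above. The sample table, the addresses in it (RFC 5737 documentation ranges), and the EXPECTED_LISTEN_PORTS allowlist are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of "netstat -n -a" output in the classic Windows layout
# (Proto, Local Address, Foreign Address, State). Every address here is made up
# (RFC 5737 documentation ranges); it is not the output from the original post.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1039           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5180         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1356        198.51.100.7:21        SYN_SENT
  TCP    192.0.2.10:1041        203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Ports the reviewer expects this host to be listening on. This allowlist is an
# assumption for the example; a real one comes from knowing the machine's role.
EXPECTED_LISTEN_PORTS = {137, 138, 139}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass
class Socket:
    proto: str
    local_host: str
    local_port: int
    foreign_host: str
    foreign_port: int   # 0 when the foreign side is "*" or 0.0.0.0:0
    state: str          # "" for UDP, which has no state column


def _split_endpoint(endpoint: str):
    """Split 'host:port' into (host, port); '*:*' and '0.0.0.0:0' both give port 0."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else 0)


def parse_netstat(text: str) -> List[Socket]:
    """Parse the socket table, skipping the banner and the column-header line."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        lh, lp = _split_endpoint(local)
        fh, fp = _split_endpoint(foreign)
        sockets.append(Socket(proto, lh, lp, fh, fp, state or ""))
    return sockets


def bind_scope(local_host: str) -> str:
    """What a listening socket's local address says about who can reach it."""
    if local_host in ("0.0.0.0", "*"):
        return "all interfaces"          # reachable via any interface on the host
    if local_host.startswith("127."):
        return "loopback only"           # only programs on this same machine
    return "single interface"            # only via that one interface's address


def review(text: str) -> List[str]:
    """Return the findings a defender would want to follow up on."""
    findings = []
    for s in parse_netstat(text):
        if s.state == "LISTENING" and s.local_port not in EXPECTED_LISTEN_PORTS:
            findings.append(
                f"unexpected listener {s.proto} {s.local_host}:{s.local_port} "
                f"({bind_scope(s.local_host)}); identify the owning process"
            )
        if s.state == "SYN_SENT":
            findings.append(
                f"outbound attempt to {s.foreign_host}:{s.foreign_port} from port "
                f"{s.local_port} not completing; identify the owning process and host"
            )
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_NETSTAT):
        print(finding)
```

Run against the constructed table it reports the 0.0.0.0:1039 listener as reachable from all interfaces, the 127.0.0.1:5180 listener as loopback only, and the SYN_SENT attempt to port 21 as an outbound connection that never completes. The "identify the owning process" step is the part netstat alone cannot do on Windows 98: its netstat prints no process information, so the socket has to be tied back to a program with a separate port-to-process tool (later Windows versions added netstat -o for this).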

