[Dshield] Does 126.96.36.199 ring any bell?
lew001 at globetrotter.net
Tue Jan 6 14:11:00 GMT 2004
Over the holidays, I had a look at my dad's PC (Compaq, Win98).
He had been complaining of significant slowdowns. We did a few
usual things (such as cleaning up, defragmenting). But I also ran
"netstat -n -a" on his system and saw a few strange things:
1) First, there is some s/w on his system trying to FTP to IP
address 188.8.131.52. Reverse DNS fails. I googled for this
IP address, but found nothing. Netstat -n -a showed:
TCP <his IP addr>:1356 184.108.40.206:21 SYN_SENT
Question: anyone have a clue what this might be? What did
the IP address point to at some point?
Question: if reverse DNS fails, does this imply that forward
DNS also failed? I.e. that the IP address is hard-coded in the
2) Second, his PC was listening on two suspect ports, 5180 and
1039. There are two possible backdoors here:
port 5180 progmon (maybe that was only on localhost:)
port 1039 adminclient
However, the task list shows nothing suspicious:
Explorer Internat Netscp Bttnserv
Reminder Instantaccess Em_exec Cpqeaui
Sxgdsenu Systray Sandicon Rnaapp
Question: are backdoors typically smart enough to hide from
the task list?
Question: if I telnet to his PC on one of these ports, will
I see a command-line interface? With help :-)? Or are backdoor
interfaces more commonly binary interfaces (i.e. with GUI clients)?
Wrt "netstat -n -a" output, a couple of questions.
When the "local address" is shown as "0.0.0.0:port", does this
mean that connections are accepted from anywhere? When it shows
"127.0.0.1:port", does this mean that only local connections are
accepted? And when it shows a specific IP address, does it mean
that it accepts connections only from that interface?
I will be trying SpyBot S&D for sure on his system.
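The questions above about reading "netstat -n -a" output (what a local address of 0.0.0.0, 127.0.0.1 or a specific interface address means for a listener, and what a SYN_SENT entry to an unknown host represents) can be made mechanical. The script below is an added example and is not part of the original post or the DShield list; it parses Windows-style netstat lines, reports the reach of each listening port, flags listeners that are not in a known-good baseline, and lists outbound connection attempts still waiting for a reply. The sample output is constructed for this example: it reuses the port numbers and the 184.108.40.206:21 target quoted in the post, and substitutes the placeholder address 192.0.2.10 for the "<his IP addr>" the poster elided.

```python
"""Classify 'netstat -n -a' output by bind scope and connection state.

Added example (not from the original post). Sample lines are constructed;
192.0.2.10 is a placeholder for the poster's own host address.
"""
import ipaddress
import re
from dataclasses import dataclass

# One netstat -n -a row: PROTO  LOCAL:PORT  FOREIGN:PORT  [STATE]  (UDP rows carry no state)
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")

# Constructed sample in the Windows netstat layout, mirroring the post's observations.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1039           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5180         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1356        184.108.40.206:21      SYN_SENT
  UDP    0.0.0.0:137            *:*
"""


@dataclass
class Socket:
    proto: str
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: str
    state: str


def parse_netstat(text):
    """Turn raw netstat text into Socket records; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        sockets.append(Socket(proto, laddr, int(lport), raddr, rport, state or ""))
    return sockets


def bind_scope(local_addr):
    """Describe who can reach a socket bound to this local address."""
    ip = ipaddress.ip_address(local_addr)
    if ip.is_unspecified:          # 0.0.0.0: bound on every interface, reachable remotely
        return "any interface (remote connections accepted)"
    if ip.is_loopback:             # 127.0.0.1: only processes on the same machine
        return "loopback only (local processes)"
    return "only via interface %s" % local_addr   # a specific NIC address


def listeners(sockets):
    """TCP sockets waiting for inbound connections."""
    return [s for s in sockets if s.proto == "TCP" and s.state == "LISTENING"]


def unexpected_listeners(sockets, baseline_ports):
    """Listening ports absent from a known-good baseline, with how far they can be reached."""
    return [(s.local_port, bind_scope(s.local_addr))
            for s in listeners(sockets) if s.local_port not in baseline_ports]


def outbound_attempts(sockets):
    """Connections this host is trying to open; SYN_SENT means the SYN went out
    and no SYN-ACK has come back yet (host down, filtered, or not listening)."""
    return [(s.remote_addr, s.remote_port) for s in sockets if s.state == "SYN_SENT"]


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE)
    # Baseline: ports the owner already expects (NetBIOS session service here).
    for port, scope in unexpected_listeners(socks, {139}):
        print("unexpected listener on port %d: %s" % (port, scope))
    for addr, port in outbound_attempts(socks):
        print("outbound attempt in progress to %s:%s" % (addr, port))
```

Run against real output, the baseline set should hold the ports the machine is known to need; anything left over is what to map back to a process (on systems that support it, `netstat -o` or a port-to-process tool gives the owning PID, which this parser does not attempt).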