[Dshield] Does 207.115.129.30 ring any bell?

lew001@globetrotter.net lew001 at globetrotter.net
Tue Jan 6 14:11:00 GMT 2004


Over the holidays, I had a look at my dad's PC (Compaq, Win98).
He had been complaining of significant slowdowns. We did a few
usual things (such as cleaning up, defragmenting). But I also ran
"netstat -n -a" on his system and saw a few strange things:

1) First, there is some s/w on his system trying to FTP to IP
   address 207.115.129.30. Reverse DNS fails. I googled for this
   IP address, but found nothing. Netstat -n -a showed:

   TCP    <his IP addr>:1356      207.115.129.30:21      SYN_SENT

   Question: anyone have a clue what this might be? What did
   the IP address point to at some point?

   Question: if reverse DNS fails, does this imply that forward
   DNS also failed? I.e. that the IP address is hard-coded in the
   program?

2) Second, his PC was listening on two suspect ports, 5180 and
   1039. There are two possible backdoors here:

   port 5180  progmon   (maybe that was only on localhost:)
   http://securityresponse.symantec.com/avcenter/venc/data/backdoor.peeper.html

   port 1039  adminclient
   http://securityresponse.symantec.com/avcenter/venc/data/backdoor.gapin.html

   However, the task list shows nothing suspicious:
      Explorer       Internat          Netscp         Bttnserv
      Reminder       Instantaccess     Em_exec        Cpqeaui
      Sxgdsenu       Systray           Sandicon       Rnaapp

   Question: are backdoors typically smart enough to hide from
   the task list?

   Question: if I telnet to his PC on one of these ports, will
   I see a command-line interface? With help :-)? Or are backdoor
   interfaces more commonly binary interfaces (i.e. with GUI clients)?

Wrt "netstat -n -a" output, a couple of questions.
When the "local address" is shown as "0.0.0.0:port", does this
mean that connections are accepted from anywhere? When it shows
"127.0.0.1:port", does this mean that only local connections are
accepted? And when it shows a specific IP address, does it mean
that it accepts connections only from that interface?

I will be trying SpyBot S&D for sure on his system.

Thanks,
Pierre Lewis
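An added example (not from the original post or the list) that walks the netstat questions above: it parses `netstat -n -a` style output, classifies each listener's local address the way the post asks about (0.0.0.0 = reachable from any interface, 127.0.0.1 = loopback only, a specific address = that interface only), and flags the SYN_SENT attempt and the two suspect listening ports. The sample output is constructed; 192.0.2.10 stands in for "<his IP addr>".

```python
"""Triage `netstat -n -a` output: parse sockets, classify bind scope, flag findings."""
import re

# Constructed sample mirroring the Windows netstat columns quoted in the post:
# one SYN_SENT to an FTP port, a wildcard listener, a loopback-only listener,
# a listener bound to a specific address, and a UDP line (no state column).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:1356        207.115.129.30:21      SYN_SENT
  TCP    0.0.0.0:1039           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5180         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

# Proto, local addr:port, foreign addr:port (UDP shows "*:*"), optional state.
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$")

def parse_netstat(text):
    """Return one dict per socket line; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                     "faddr": faddr, "fport": int(fport) if fport.isdigit() else None,
                     "state": state})
    return rows

def bind_scope(laddr):
    """Describe which clients can reach a listener bound to this local address."""
    if laddr == "0.0.0.0":
        return "any interface"   # wildcard bind: reachable from the network (firewall permitting)
    if laddr.startswith("127."):
        return "loopback only"   # only programs on the same machine can connect
    return "one interface"       # only connections arriving at that address, e.g. the LAN NIC

def triage(rows, suspect_ports=(1039, 5180)):
    """Flag outbound connection attempts and listeners on the ports under suspicion."""
    findings = []
    for r in rows:
        if r["state"] == "SYN_SENT":
            findings.append(f"outbound attempt to {r['faddr']}:{r['fport']} from local port {r['lport']}")
        elif r["state"] == "LISTENING" and r["lport"] in suspect_ports:
            findings.append(f"listener on port {r['lport']} ({bind_scope(r['laddr'])})")
    return findings
```

Running `triage(parse_netstat(SAMPLE))` reports the FTP attempt to 207.115.129.30 and shows that a 127.0.0.1-bound listener is not reachable from another machine, while a 0.0.0.0 one is.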