[Dshield] Does ring any bell?

Troy Billington DoShelp at DoShelp.com
Tue Jan 6 14:16:49 GMT 2004

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org]On
Behalf Of lew001 at globetrotter.net
Sent: Tuesday, January 06, 2004 9:11 AM
To: list at dshield.org
Subject: [Dshield] Does ring any bell?

Over the holidays, I had a look at my dad's PC (Compaq, Win98).
He had been complaining of significant slowdowns. We did a few
usual things (such as cleaning up, defragmenting). But I also ran
"netstat -n -a" on his system and saw a few strange things:

1) First, there is some s/w on his system trying to FTP to IP
   address Reverse DNS fails. I googled for this
   IP address, but found nothing. Netstat -n -a showed:

   TCP    <his IP addr>:1356      SYN_SENT

   Question: anyone have a clue what this might be? What did
   the IP address point to at some point?

   Question: if reverse DNS fails, does this imply that forward
   DNS also failed? I.e. that the IP address is hard-coded in the
2) Second, his PC was listening on two suspect ports, 5180 and
   1039. There are two possible backdoors here:

   port 5180  progmon   (maybe that was only on localhost:)

   port 1039  adminclient

   However, the task list shows nothing suspicious:
      Explorer       Internat          Netscp         Bttnserv
      Reminder       Instantaccess     Em_exec        Cpqeaui
      Sxgdsenu       Systray           Sandicon       Rnaapp

   Question: are backdoors typically smart enough to hide from
   the task list?

   Question: if I telnet to his PC on one of these ports, will
   I see a command-line interface? With help :-)? Or are backdoor
   interfaces more commonly binary interfaces (i.e. with GUI clients)?

Wrt "netstat -n -a" output, a couple of questions.
When the "local address" is shown as "", does this
mean that connections are accepted from anywhere? When it shows
"", does this mean that only local connections are
accepted? And when it shows a specific IP address, does it mean
that it accepts connections only from that interface?

I will be trying SpyBot S&D for sure on his system.

Pierre Lewis


I looked the IP up at http://www.arin.net and found the following:

[Query:, Server: whois.arin.net]

OrgName:    Genuity
OrgID:      GNTY
Address:    Genuity
Address:    225 Presidential Way
City:       Woburn
StateProv:  MA
PostalCode: 01888
Country:    US

NetRange: -
NetName:    GNTY-207-115
NetHandle:  NET-207-115-128-0-1
Parent:     NET-207-0-0-0-0
NetType:    Direct Allocation
Updated:    2003-01-24

TechHandle: CS15-ARIN
TechName:   Soulia, Cindy
TechPhone:  +1-800-436-8489
TechEmail:  csoulia at genuity.com

OrgAbuseHandle: ABUSE23-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-800-436-8489
OrgAbuseEmail:  abuse at genuity.com

OrgNOCHandle: NOC119-ARIN
OrgNOCName:   NOC
OrgNOCPhone:  +1-800-436-8489
OrgNOCEmail:  ops at genuity.net

OrgTechHandle: CS15-ARIN
OrgTechName:   Soulia, Cindy
OrgTechPhone:  +1-800-436-8489
OrgTechEmail:  csoulia at genuity.com

OrgTechHandle: ARINC4-ARIN
OrgTechName:   ARIN Contact
OrgTechPhone:  +1-800-436-8489
OrgTechEmail:  arin-contact at genuity.com

OrgTechHandle: APL7-ARIN
OrgTechPhone:  +1-877-453-8353
OrgTechEmail:  ipaddressing at level3.com

# ARIN WHOIS database, last updated 2004-01-05 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

[End of Data]
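The netstat questions in the quoted message (which local address a listening socket is bound to, and what a SYN_SENT entry to an unknown host means) can be answered by triaging the output mechanically. The following is an added example, not code from either poster; the sample netstat lines, addresses and port/service hints are constructed for illustration.

```python
"""Triage lines of `netstat -n -a` output the way a defender would on a
suspect host: which listening sockets are reachable from the network,
which only from the machine itself, and which outbound connection
attempts are stuck in SYN_SENT to a host the owner cannot account for."""
import re

# Constructed sample in the Windows netstat -n -a layout (documentation
# and loopback addresses; these are not the values from the post).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1039           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5180         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1356        198.51.100.7:21        SYN_SENT
  TCP    192.0.2.10:1402        192.0.2.20:80          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Proto, local endpoint, foreign endpoint, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Hint table for the foreign port of an outbound attempt (assumed mapping).
WELL_KNOWN = {"21": "ftp", "80": "http", "137": "netbios-ns", "139": "netbios-ssn"}

def split_endpoint(ep):
    """'host:port' -> (host, port); handles '*:*' used for UDP."""
    host, _, port = ep.rpartition(":")
    return host, port

def classify(line):
    """Return (proto, local_port, kind, explanation) or None for non-socket lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proto, local, foreign, state = m.groups()
    lhost, lport = split_endpoint(local)
    fhost, fport = split_endpoint(foreign)
    if proto == "UDP" or state == "LISTENING":
        # The bind address decides who can reach the socket, not the peer.
        if lhost == "0.0.0.0":
            scope = "listening on all interfaces"
        elif lhost == "127.0.0.1":
            scope = "listening on loopback only"
        else:
            scope = f"listening on interface {lhost} only"
        return (proto, lport, "listen", scope)
    if state == "SYN_SENT":
        # A SYN was sent and never answered: the peer is down or filtered.
        svc = WELL_KNOWN.get(fport, "unknown service")
        return (proto, lport, "syn_sent", f"unanswered connect to {fhost}:{fport} ({svc})")
    return (proto, lport, state.lower(), f"to {fhost}:{fport}")

def triage(text):
    """Classify every socket line of a netstat dump, skipping headers."""
    return [r for r in (classify(l) for l in text.splitlines()) if r]
```

A bind address of 0.0.0.0 means any interface may accept the connection, 127.0.0.1 restricts it to the machine itself, and a specific address restricts it to that interface; the local and foreign addresses say nothing about which peers are allowed once the socket is reachable.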
