[Dshield] Does 207.115.129.30 ring any bell?

Troy Billington DoShelp at DoShelp.com
Tue Jan 6 14:16:49 GMT 2004



-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org]On
Behalf Of lew001 at globetrotter.net
Sent: Tuesday, January 06, 2004 9:11 AM
To: list at dshield.org
Subject: [Dshield] Does 207.115.129.30 ring any bell?


Over the holidays, I had a look at my dad's PC (Compaq, Win98).
He had been complaining of significant slowdowns. We did a few
usual things (such as cleaning up, defragmenting). But I also ran
"netstat -n -a" on his system and saw a few strange things:

1) First, there is some s/w on his system trying to FTP to IP
   address 207.115.129.30. Reverse DNS fails. I googled for this
   IP address, but found nothing. Netstat -n -a showed:

   TCP    <his IP addr>:1356      207.115.129.30:21      SYN_SENT

   Question: anyone have a clue what this might be? What did
   the IP address point to at some point?

   Question: if reverse DNS fails, does this imply that forward
   DNS also failed? I.e., that the IP address is hard-coded in the
   program?

2) Second, his PC was listening on two suspect ports, 5180 and
   1039. There are two possible backdoors here:

   port 5180  progmon   (maybe that was only on localhost:)

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.peeper.html

   port 1039  adminclient

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.gapin.html

   However, the task list shows nothing suspicious:
      Explorer       Internat          Netscp         Bttnserv
      Reminder       Instantaccess     Em_exec        Cpqeaui
      Sxgdsenu       Systray           Sandicon       Rnaapp

   Question: are backdoors typically smart enough to hide from
   the task list?

   Question: if I telnet to his PC on one of these ports, will
   I see a command-line interface? With help :-)? Or are backdoor
   interfaces more commonly binary interfaces (i.e. with GUI clients)?

Wrt the "netstat -n -a" output, a couple of questions.
When the "local address" is shown as "0.0.0.0:port", does this
mean that connections are accepted from anywhere? When it shows
"127.0.0.1:port", does this mean that only local connections are
accepted? And when it shows a specific IP address, does it mean
that it accepts connections only from that interface?

I will be trying SpyBot S&D for sure on his system.

Thanks,
Pierre Lewis


Pierre,

I looked the IP up at http://www.arin.net and found the following:

[Query: 207.115.129.30, Server: whois.arin.net]


OrgName:    Genuity
OrgID:      GNTY
Address:    Genuity
Address:    225 Presidential Way
City:       Woburn
StateProv:  MA
PostalCode: 01888
Country:    US

NetRange:   207.115.128.0 - 207.115.255.255
CIDR:       207.115.128.0/17
NetName:    GNTY-207-115
NetHandle:  NET-207-115-128-0-1
Parent:     NET-207-0-0-0-0
NetType:    Direct Allocation
NameServer: DNSAUTH1.SYS.GTEI.NET
NameServer: DNSAUTH2.SYS.GTEI.NET
NameServer: DNSAUTH3.SYS.GTEI.NET
Comment:
RegDate:
Updated:    2003-01-24

TechHandle: CS15-ARIN
TechName:   Soulia, Cindy
TechPhone:  +1-800-436-8489
TechEmail:  csoulia at genuity.com

OrgAbuseHandle: ABUSE23-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-800-436-8489
OrgAbuseEmail:  abuse at genuity.com

OrgNOCHandle: NOC119-ARIN
OrgNOCName:   NOC
OrgNOCPhone:  +1-800-436-8489
OrgNOCEmail:  ops at genuity.net

OrgTechHandle: CS15-ARIN
OrgTechName:   Soulia, Cindy
OrgTechPhone:  +1-800-436-8489
OrgTechEmail:  csoulia at genuity.com

OrgTechHandle: ARINC4-ARIN
OrgTechName:   ARIN Contact
OrgTechPhone:  +1-800-436-8489
OrgTechEmail:  arin-contact at genuity.com

OrgTechHandle: APL7-ARIN
OrgTechName:   ADMIN POC LVLT
OrgTechPhone:  +1-877-453-8353
OrgTechEmail:  ipaddressing at level3.com

# ARIN WHOIS database, last updated 2004-01-05 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

[End of Data]
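As an added example (not part of the thread), a small Python triage helper that parses captured "netstat -n -a" text like the lines quoted above, labels each listener by what its Local Address means (0.0.0.0, 127.0.0.1, or a specific interface address), and flags listeners outside a known-good port set together with outbound SYN_SENT attempts such as the FTP connect. The sample output, the 192.0.2.10 host address, and the known-port set are constructed for the example.

```python
from typing import List, Optional, Tuple

# Constructed sample of "netstat -n -a" output, modelled on the lines quoted in
# the thread (the FTP SYN_SENT and the two suspect listeners); not a real capture.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:1356        207.115.129.30:21      SYN_SENT
  TCP    0.0.0.0:1039           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5180         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

# (proto, local_ip, local_port, remote_ip, remote_port or None, state)
Row = Tuple[str, str, int, str, Optional[int], str]

def parse_netstat(text: str) -> List[Row]:
    """Parse the TCP/UDP rows of netstat -n -a output, skipping headers and blanks."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lip, lport = parts[1].rsplit(":", 1)
        rip, rport = parts[2].rsplit(":", 1)
        state = parts[3] if len(parts) > 3 else ""   # UDP rows carry no state
        rows.append((parts[0], lip, int(lport), rip,
                     int(rport) if rport.isdigit() else None, state))
    return rows

def bind_scope(local_ip: str) -> str:
    """What the Local Address column means for a listening socket."""
    if local_ip == "0.0.0.0":
        return "all interfaces"      # wildcard bind: reachable from any network
    if local_ip.startswith("127."):
        return "loopback only"       # reachable only from programs on the same host
    return "single interface"        # bound to that one address only

def triage(rows: List[Row], known_ports=frozenset({137, 138, 139})):
    """Flag listeners outside a known-good port set (constructed here) and
    outbound half-open connections such as the FTP attempt in the thread."""
    findings = []
    for proto, lip, lport, rip, rport, state in rows:
        listening = state == "LISTENING" or (proto == "UDP" and rip == "*")
        if listening and lport not in known_ports:
            findings.append((lport, f"unexpected listener ({bind_scope(lip)})"))
        elif state == "SYN_SENT":
            findings.append((rport, f"outbound connect attempt to {rip}"))
    return sorted(findings)
```

Run it over a saved netstat capture from the affected machine; each finding is a starting point for checking which program owns the socket, not a verdict on its own.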