[Dshield] Does 126.96.36.199 ring any bell?
DoShelp at DoShelp.com
Tue Jan 6 14:16:49 GMT 2004
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of lew001 at globetrotter.net
Sent: Tuesday, January 06, 2004 9:11 AM
To: list at dshield.org
Subject: [Dshield] Does 188.8.131.52 ring any bell?
Over the holidays, I had a look at my dad's PC (Compaq, Win98).
He had been complaining of significant slowdowns. We did a few
usual things (such as cleaning up, defragmenting). But I also ran
"netstat -n -a" on his system and saw a few strange things:
1) First, there is some s/w on his system trying to FTP to IP
address 184.108.40.206. Reverse DNS fails. I googled for this
IP address, but found nothing. Netstat -n -a showed:
TCP <his IP addr>:1356 220.127.116.11:21 SYN_SENT
Question: anyone have a clue what this might be? What did
the IP address point to at some point?
Question: if reverse DNS fails, does this imply that forward
DNS also failed? I.e. that the IP address is hard-coded in the
2) Second, his PC was listening on two suspect ports, 5180 and
1039. There are two possible backdoors here:
port 5180 progmon (maybe that was only on localhost:)
port 1039 adminclient
However, the task list shows nothing suspicious:
Explorer Internat Netscp Bttnserv
Reminder Instantaccess Em_exec Cpqeaui
Sxgdsenu Systray Sandicon Rnaapp
Question: are backdoors typically smart enough to hide from
the task list?
Question: if I telnet to his PC on one of these ports, will
I see a command-line interface? With help :-)? Or are backdoor
interfaces more commonly binary interfaces (i.e. with GUI clients)?
With regard to the "netstat -n -a" output, a couple of questions.
When the "local address" is shown as "0.0.0.0:port", does this
mean that connections are accepted from anywhere? When it shows
"127.0.0.1:port", does this mean that only local connections are
accepted? And when it shows a specific IP address, does it mean
that it accepts connections only from that interface?
I will be trying SpyBot S&D for sure on his system.
I looked the IP up at http://www.arin.net and found the following:
[Query: 18.104.22.168, Server: whois.arin.net]
Address: 225 Presidential Way
NetRange: 22.214.171.124 - 126.96.36.199
NetType: Direct Allocation
TechName: Soulia, Cindy
TechEmail: csoulia at genuity.com
OrgAbuseEmail: abuse at genuity.com
OrgNOCEmail: ops at genuity.net
OrgTechName: Soulia, Cindy
OrgTechEmail: csoulia at genuity.com
OrgTechName: ARIN Contact
OrgTechEmail: arin-contact at genuity.com
OrgTechName: ADMIN POC LVLT
OrgTechEmail: ipaddressing at level3.com
# ARIN WHOIS database, last updated 2004-01-05 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
[End of Data]
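The quoted message asks what the "local address" column of "netstat -n -a" means for a listening port and what to make of the SYN_SENT line. The bind address is what decides who can reach a listener: 0.0.0.0 means the socket accepts connections on every interface the machine has, 127.0.0.1 means only programs on the same PC can connect, and a specific interface address means only traffic arriving on that interface. SYN_SENT means the PC sent the first packet of the handshake and nothing answered, so the remote address is either down, filtered, or no longer assigned to anything. The script below is an added example written for this reply, not something either poster ran: it parses netstat output in the Windows 9x layout, classifies each listener by exposure, and separates out the outbound attempts. The sample table is constructed from the post's description; the addresses in it (192.168.1.20 as the PC, 192.0.2.10 and 192.0.2.55 as the remote hosts) are documentation and private-range placeholders, not the addresses from the thread, and the set of "expected" ports is an assumption the caller supplies.

```python
import re
from collections import namedtuple

# Constructed sample of "netstat -n -a" output in the layout Windows 9x prints
# (Proto, Local Address, Foreign Address, State). Addresses are RFC 5737 and
# RFC 1918 placeholders standing in for the ones in the post, not real data.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1039           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5180         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1356      192.0.2.10:21          SYN_SENT
  TCP    192.168.1.20:1402      192.0.2.55:80          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

Entry = namedtuple("Entry", "proto local_ip local_port foreign_ip foreign_port state")

# One netstat row: proto, local addr:port, foreign addr:port, optional state.
# UDP rows have no state column and show the foreign side as "*:*".
ROW_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$"
)


def _port(text):
    """Port column as int, or None for the '*' wildcard."""
    return None if text == "*" else int(text)


def parse_netstat(text):
    """Turn netstat -n -a text into Entry tuples, skipping the header lines."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, lip, lport, fip, fport, state = m.groups()
        rows.append(Entry(proto, lip, _port(lport), fip, _port(fport), state or ""))
    return rows


def exposure(local_ip):
    """What the bind address of a listener says about who can reach it."""
    if local_ip == "0.0.0.0":
        return "any interface"          # reachable from every network the PC is on
    if local_ip.startswith("127."):
        return "loopback only"          # only processes on this machine
    return "only via %s" % local_ip     # only traffic arriving on that interface


def review(text, expected_ports):
    """Split a netstat table into listeners (with exposure) and outbound attempts.

    Returns {"listeners": [(proto, port, reach, expected)],
             "outbound":  [(remote_ip, remote_port, state)]}.
    expected_ports is the caller's allowlist of ports that belong on this PC.
    """
    listeners, outbound = [], []
    for e in parse_netstat(text):
        # TCP listeners carry LISTENING; UDP sockets have no state column at all.
        is_listener = e.state == "LISTENING" or (e.proto == "UDP" and e.state == "")
        if is_listener:
            listeners.append((e.proto, e.local_port, exposure(e.local_ip),
                              e.local_port in expected_ports))
        elif e.state in ("SYN_SENT", "ESTABLISHED"):
            # SYN_SENT: our SYN went out and nothing came back yet.
            outbound.append((e.foreign_ip, e.foreign_port, e.state))
    return {"listeners": listeners, "outbound": outbound}


if __name__ == "__main__":
    report = review(SAMPLE_NETSTAT, expected_ports={137, 139})
    for proto, port, reach, expected in report["listeners"]:
        flag = "" if expected else "  <-- not on the expected list"
        print("%s/%-5d %-22s%s" % (proto, port, reach, flag))
    for ip, port, state in report["outbound"]:
        print("outbound to %s:%d is %s" % (ip, port, state))
```

Run against the real output, an unexpected port that shows "any interface" is the one to chase first; a "loopback only" listener can only be used by something already running on the PC, which is what the poster suspected for 5180.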