[Dshield] Does 126.96.36.199 ring any bell?
mbruyere at ezemcanada.com
Tue Jan 6 14:50:48 GMT 2004
See within Quote
> Question: anyone have a clue what this might be? What did
> the IP address point to at some point?
As for the IP, I don't have any clue, but you should use a program that maps
the process to each open connection, so you can get the file that is running
this particular connection. Active Port can do that but I think it's not
supported for Win98.
> Question: if reverse DNS fails, does this imply that forward
> DNS also failed? Ie. that the IP address is hard-coded in the
You could look in your DNS cache to see if there is an entry for it. I can't
remember what the command is under 98, anyone?
> Question: are backdoors typically smart enough to hide from
> the task list?
Yes, that's the first thing they do, hide themselves.
> Question: if I telnet to his PC on one of these ports, will
> I see a command-line interface? With help :-)? Or are backdoor
> interfaces more commonly binary interfaces (ie w GUI clients)?
> Wrt "netstat -n -a" output, couple of questions.
> When the "local address" is shown as "0.0.0.0:port", does this
> mean that connections are accepted from anywhere? When it shows
> "127.0.0.1:port", does this mean that only local connections are
> accepted? And when it shows a specific IP address, does it mean
> that it accepts connections only from that interface?
> I will be trying SpyBot S&D for sure on his system.
I would suggest using TDS-3 too, from www.diamondcs.com.
If it was my PC I would simply format it and reinstall.
> Pierre Lewis
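
The "netstat -n -a" question quoted above, as an added example that is not part of the original post: a small parser that reads Windows-style netstat output and reports, for each listening socket, which interfaces it is bound to. The sample output and the function names (bind_scope, parse_netstat, listeners, remotely_reachable) are constructed for illustration.

```python
import ipaddress

# Constructed sample of Windows-style `netstat -n -a` output (not from the post).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:4000           *:*
"""

def bind_scope(addr):
    """Describe which interfaces a local bind address covers."""
    ip = ipaddress.ip_address(addr.strip("[]"))
    if ip.is_unspecified:          # 0.0.0.0 (or ::): every interface
        return "all interfaces"
    if ip.is_loopback:             # 127.0.0.1: local machine only
        return "loopback only"
    return "interface " + str(ip)  # one specific interface

def parse_netstat(text):
    """Turn netstat rows into dicts, skipping banner and header lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        host, _, port = parts[1].rpartition(":")
        rows.append({"proto": parts[0], "host": host, "port": int(port),
                     "foreign": parts[2],
                     "state": parts[3] if len(parts) > 3 else ""})
    return rows

def listeners(text):
    """Return (proto, port, scope) for sockets waiting for inbound traffic."""
    out = []
    for r in parse_netstat(text):
        # UDP rows have no State column; an unconnected socket shows *:*.
        if r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["foreign"] == "*:*"):
            out.append((r["proto"], r["port"], bind_scope(r["host"])))
    return out

def remotely_reachable(text):
    """Ports whose bind address is not limited to loopback."""
    return sorted(p for _, p, scope in listeners(text) if scope != "loopback only")

if __name__ == "__main__":
    for proto, port, scope in listeners(SAMPLE):
        print(proto, port, scope)
```

A socket bound to a non-loopback address can still be blocked by a firewall in front of the host, so the last function lists candidates to investigate, not confirmed exposure.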