[Dshield] Does 207.115.129.30 ring any bell?

Bruyere, Michel mbruyere at ezemcanada.com
Tue Jan 6 14:50:48 GMT 2004



See within quote.

> 
>    Question: anyone have a clue what this might be? What did
>    the IP address point to at some point?

As for the IP, I don't have any clue, but you should use a program that maps
the process to each open connection, so you can get the file that is running
this particular connection. Active Port can do that, but I think it's not
supported for Win98.


> 
>    Question: if reverse DNS fails, does this imply that forward
>    DNS also failed? Ie. that the IP address is hard-coded in the
>    program?

You could look in your DNS cache to see if there is an entry for it. I can't
remember what the command is under 98; anyone?

> 
>    Question: are backdoors typically smart enough to hide from
>    the task list?
> 

Yes, that's the first thing they do: hide themselves.

>    Question: if I telnet to his PC on one of these ports, will
>    I see a command-line interface? With help :-)? Or are backdoor
>    interfaces more commonly binary interfaces (ie w GUI clients)?
> 
> Wrt "netstat -n -a" output, couple of questions.
> When the "local address" is shown as "0.0.0.0:port", does this
> mean that connections are accepted from anywhere? When it shows
> "127.0.0.1:port", does this mean that only local connections are
> accepted? And when it shows a specific IP address, does it mean
> that it accepts connections only from that interface?
> 
> I will be trying SpyBot S&D for sure on his system.
> 

I would suggest using TDS-3 too, from www.diamondcs.com.

If it was my PC I would simply format it and reinstall.

> Thanks,
> Pierre Lewis
> 

My $0.02
M.Bruyere
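Pierre's question about what the "local address" column of "netstat -n -a" means (0.0.0.0:port versus 127.0.0.1:port) can be answered by binding a couple of listeners yourself and testing which addresses reach them. The script below is an added example, not code from either poster or from any tool named in the thread; it only opens sockets on the local machine, lets the OS pick the ports, and the helper names (open_listener, can_connect, non_loopback_address, demo) are my own.

```python
import socket

# Constructed demo: bind two TCP listeners the way a server (or a backdoor)
# would, then check which addresses can connect to each one. The strings
# returned by netstat_style() match what "netstat -n -a" prints as the
# local address for each listener.


def open_listener(bind_addr: str) -> socket.socket:
    """Create a TCP listener bound to bind_addr on an OS-chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))   # port 0 = let the kernel choose a free port
    srv.listen(5)
    return srv


def netstat_style(srv: socket.socket) -> str:
    """Render a listener as netstat -n -a shows it in the local address column."""
    host, port = srv.getsockname()
    return f"{host}:{port}"


def can_connect(target_ip: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP handshake to target_ip:port completes (connection accepted)."""
    try:
        with socket.create_connection((target_ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def non_loopback_address():
    """Best-effort lookup of a non-127.x.x.x address of this host, or None.

    Constructed helper: on a box with only loopback configured it returns None
    and the interface-specific checks in demo() are skipped.
    """
    try:
        for info in socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET):
            ip = info[4][0]
            if not ip.startswith("127."):
                return ip
    except socket.gaierror:
        pass
    return None


def demo() -> dict:
    """Bind a wildcard and a loopback-only listener and probe both."""
    results = {}
    wildcard = open_listener("0.0.0.0")    # accepts on every interface
    loopback = open_listener("127.0.0.1")  # accepts only from this machine
    try:
        w_port = wildcard.getsockname()[1]
        l_port = loopback.getsockname()[1]
        results["wildcard_shows"] = netstat_style(wildcard)   # "0.0.0.0:<port>"
        results["loopback_shows"] = netstat_style(loopback)   # "127.0.0.1:<port>"
        # Both listeners are reachable over loopback.
        results["wildcard_via_loopback"] = can_connect("127.0.0.1", w_port)
        results["loopback_via_loopback"] = can_connect("127.0.0.1", l_port)
        # Only the wildcard listener is reachable through a real interface
        # address; the 127.0.0.1-bound one refuses that connection.
        other = non_loopback_address()
        results["other_address"] = other
        if other:
            results["wildcard_via_other"] = can_connect(other, w_port)
            results["loopback_via_other"] = can_connect(other, l_port)
    finally:
        wildcard.close()
        loopback.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

So a "0.0.0.0:port" line is the one to worry about on a machine exposed to the Internet: anyone who can route to any of its addresses can connect. A "127.0.0.1:port" line is reachable only by programs on the same PC, and a line showing one specific address is reachable only through that interface. The same test applies when reading the output Pierre posted: the process behind a 0.0.0.0 listener is what the process-to-connection mapping tool should be used to identify.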