[Dshield] Does 188.8.131.52 ring any bell?
Johannes B. Ullrich
jullrich at sans.org
Tue Jan 6 14:58:43 GMT 2004
> Question: anyone have a clue what this might be? What did
> the IP address point to at some point?
sorry. no clue. Looks like a Sprint IP address. There is no
FTP server responding right now.
> Question: if reverse DNS fails, does this imply that forward
> DNS also failed? Ie. that the IP address is hard-coded in the
no. Forward and reverse DNS are separate. Either may work without
> Question: are backdoors typically smart enough to hide from
> the task list?
Some of them are. All depends on the particular backdoor. Most don't
bother with hiding.
> Question: if I telnet to his PC on one of these ports, will
> I see a command-line interface? With help :-)? Or are backdoor
> interfaces more commonly binary interfaces (ie w GUI clients)?
Connecting with telnet (or netcat) is a good start. You may not
see a 'prompt', but the software may identify itself otherwise.
Or you may find that it's an IRC/telnet/ftp server listening on that
> Wrt "netstat -n -a" output, couple of questions.
> When the "local address" is shown as "0.0.0.0:port", does this
> mean that connections are accepted from anywhere? When it shows
> "127.0.0.1:port", does this mean that only local connections are
> accepted? And when it shows a specific IP address, does it mean
> that it accepts connections only from that interface?
Listeners on 127.0.0.1 can only accept connections from the machine
itself. If a listener is "bound to" 0.0.0.0, it indicates that it
is listening on all available interfaces.
If you see it bound to a particular (local) IP address, it will
only accept connections if they are sent to this particular IP.
> I will be trying SpyBot S&D for sure on his system.
> Pierre Lewis
CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 837 2807 jullrich at sans.org
contact details: http://johannes.homepc.org/contact.htm
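To make the bind-address distinction above concrete, here is an added example (not part of this post or the list) that parses Windows-style "netstat -n -a" output and tags each listening socket as loopback-only, bound to all interfaces, or bound to a single interface. The sample output is constructed, not captured from a real host, and the port numbers in it are placeholders.

```python
"""Classify listening sockets from `netstat -n -a` output by bind scope."""
import ipaddress
import re

# Constructed sample of Windows `netstat -n -a` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1034      192.0.2.55:6667        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Proto, local endpoint, foreign endpoint, optional state (UDP rows have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); port is None if not numeric."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def classify_bind(host):
    """Map a local bind address to who can reach the socket."""
    if host == "0.0.0.0":
        return "all-interfaces"      # accepts connections on every interface
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    if ip.is_loopback:
        return "loopback-only"       # only reachable from the machine itself
    return "single-interface"        # only traffic addressed to this IP


def parse_listeners(text):
    """Return the listening sockets found in netstat output as dicts."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # header lines and blank lines
        proto, local, _foreign, state = m.groups()
        # TCP listeners show LISTENING; established sessions are skipped.
        if proto == "TCP" and state != "LISTENING":
            continue
        host, port = split_endpoint(local)
        listeners.append({"proto": proto, "bind": host, "port": port,
                          "scope": classify_bind(host)})
    return listeners


def remote_reachable(listeners):
    """Sockets a remote peer could connect to: anything not loopback-only."""
    return [l for l in listeners if l["scope"] != "loopback-only"]


if __name__ == "__main__":
    for entry in parse_listeners(SAMPLE_NETSTAT):
        print(f"{entry['proto']:<4} {entry['bind']:>15}:{entry['port']:<6} {entry['scope']}")
```

When reviewing a suspect machine, the "remote_reachable" subset is the one worth checking first; loopback-only listeners cannot be reached from the network at all.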