[Dshield] Does 207.115.129.30 ring any bell?

Johannes B. Ullrich jullrich at sans.org
Tue Jan 6 14:58:43 GMT 2004


>    Question: anyone have a clue what this might be? What did
>    the IP address point to at some point?

sorry. no clue. Looks like a Sprint IP address. There is no
FTP server responding right now.

>    Question: if reverse DNS fails, does this imply that forward
>    DNS also failed? Ie. that the IP address is hard-coded in the
>    program?

no. Forward and reverse DNS are separate. Either may work without
the other. 


>    Question: are backdoors typically smart enough to hide from
>    the task list?

Some of them are. All depends on the particular backdoor. Most don't
bother with hiding.

> 
>    Question: if I telnet to his PC on one of these ports, will
>    I see a command-line interface? With help :-)? Or are backdoor
>    interfaces more commonly binary interfaces (ie w GUI clients)?

Connecting with telnet (or netcat) is a good start. You may not
see a 'prompt', but the software may identify itself otherwise.
Or you may find that it's an IRC/telnet/ftp server listening on that
port.

> Wrt "netstat -n -a" output, couple of questions.
> When the "local address" is shown as "0.0.0.0:port", does this
> mean that connections are accepted from anywhere? When it shows
> "127.0.0.1:port", does this mean that only local connections are
> accepted? And when it shows a specific IP address, does it mean
> that it accepts connections only from that interface?

Listeners on 127.0.0.1 can only accept connections from the machine
itself. If a listener is "bound to" 0.0.0.0, it indicates that it
is listening on all available interfaces.

If you see it bound to a particular (local) ip address, it will
only accept connections if they are sent to this particular ip.

> I will be trying SpyBot S&D for sure on his system.
> 
> Thanks,
> Pierre Lewis
> 
-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
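As an added example (not from the list post or its authors), the bind-address rule above applied to "netstat -n -a" output: a small parser that labels each listening socket as local-only (127.0.0.1), all-interfaces (0.0.0.0) or one-interface, so the exposed ones stand out during triage. It assumes the Windows column layout of the time, IPv4 only, and uses a constructed sample rather than a real capture.

```python
import re
from dataclasses import dataclass

# Constructed sample of Windows "netstat -n -a" output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      207.115.129.30:21      SYN_SENT
  UDP    0.0.0.0:445            *:*
"""

@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    scope: str  # "local-only", "all-interfaces" or "one-interface"

def classify(addr: str) -> str:
    """Map a local bind address to who can reach the socket."""
    if addr == "127.0.0.1":
        return "local-only"        # only the machine itself
    if addr == "0.0.0.0":
        return "all-interfaces"    # every address the host has
    return "one-interface"         # only traffic sent to that address

# Proto, local addr:port, foreign addr:port, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_listeners(text: str) -> list:
    """Return the listening sockets found in netstat -n -a output."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, _foreign, state = m.groups()
        # Only TCP sockets in LISTENING state are listeners; UDP sockets
        # carry no state and always accept datagrams on their bind address.
        if proto == "TCP" and state != "LISTENING":
            continue
        found.append(Listener(proto, addr, int(port), classify(addr)))
    return found

def exposed_listeners(text: str) -> list:
    """Listeners other hosts could reach, i.e. anything not bound to 127.0.0.1."""
    return [l for l in parse_listeners(text) if l.scope != "local-only"]
```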