[Dshield] Does ring any bell?

Chris Brenton cbrenton at chrisbrenton.org
Tue Jan 6 15:16:13 GMT 2004

On Tue, 2004-01-06 at 09:11, lew001 at globetrotter.net wrote:
> 1) First, there is some s/w on his system trying to FTP to IP
>    address

Danger Will Robinson, DANGER! ;-)

This could be a pain to track down on his system because tools like
fport don't work on Win98. You could just start killing processes till
it goes away. 

>  Reverse DNS fails. I googled for this
>    IP address, but found nothing. Netstat -n -a showed:
>    TCP    <his IP addr>:1356      SYN_SENT

Good! Looks like the remote host is not replying (SYN sent but no
reply). I'm guessing he has a root kit or something worse.

>    Question: anyone have a clue what this might be?

Daddy's been 0wn3d. That or there is some call home software on the box
(I'm guessing not because there is no PTR or direct reserve for the IP).
Either way, it's worth digging deeper.

>  What did the IP address point to at some point?

At the very least, an FTP server. I'm guessing it's a box some kiddie took
over and it has since been pulled from the wire.

>    Question: if reverse DNS fails, does this imply that forward
>    DNS also failed? Ie. that the IP address is hard-coded in the
>    program?

No. You can have an "A" record (host to IP resolution) without having a
"PTR" record (IP to host resolution). This IP is part of Genuity, if
that is any help. It does not appear to be active at this time.

> 2) Second, his PC was listening on two suspect ports, 5180 and
>    1039. There are two possible backdoors here:

Actually, more than 2. Nothing says the perp used the default listening

>    port 5180  progmon   (maybe that was only on localhost:)

If it's only localhost that is listening, I doubt it's a back door. You
can only reach the port from the local system.

>    port 1039  adminclient

This could also be an RPC port.

>    However, the task list shows nothing suspicious:

To be honest, this does not tell you anything. You don't show where the
binary was loaded from (many backdoors use the same file name but load it
from an alternate location). You should also consider performing an
integrity check of the files to ensure they are the files you think they
are (i.e., didn't get replaced by a root kit).

At the very least, snag a copy of msconfig and see what is being loaded
and from where.

>    Question: are backdoors typically smart enough to hide from
>    the task list?

Absolutely! You are not running Linux from floppy, it's "Windows" which
means you have a whole lot more loaded into memory than just the 12 or
so files you displayed. The task list does not display these files. Not
a big deal to set up a back door the same way.

>    Question: if I telnet to his PC on one of these ports, will
>    I see a command-line interface?

Depends on the back door. If it's a good one, you'll complete the
handshake and then it will look like nothing happened because you did
not send the right password, coded info, etc. This is done on purpose to
make tracking the stuff down much harder.

> Wrt "netstat -n -a" output, a couple of questions.
> When the "local address" is shown as "", does this
> mean that connections are accepted from anywhere?

Yes. Looks like he has a dial-up interface on this system so even when
that gets kicked off the port will be bound, listening, and accepting
network connections.

>  When it shows
> "", does this mean that only local connections are
> accepted?


>  And when it shows a specific IP address, does it mean
> that it accepts connections only from that interface?

That's the idea, but it does not always work this way. I remember in the
old Linux days you could connect to the second interface even if netstat
did not show the port listening. Might be the same with older Windows,
it might not. You would have to test it.

> I will be trying SpyBot S&D for sure on his system.

Good idea!
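As an added example (not part of the original post or anything the list published), here is a small parser that applies the bind-address rules discussed in this thread to constructed Windows `netstat -n -a` output: it sorts TCP listeners by who can reach them and picks out SYN_SENT attempts like the one described. The addresses and ports in the sample are made up, and it assumes the conventional 0.0.0.0 / 127.0.0.1 notation for wildcard and loopback binds.

```python
"""Classify `netstat -n -a` sockets by who can reach them (IPv4 only)."""
import re
from ipaddress import ip_address

# Constructed sample output; none of these values come from the thread.
# Convention assumed: 0.0.0.0 = every interface (including a dial-up one),
# 127.0.0.1 = loopback only, any other address = that one interface only.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1039           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5180         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1356        198.51.100.7:21        SYN_SENT
  UDP    0.0.0.0:137            *:*
"""

# proto, local ip, local port, foreign endpoint, optional state (UDP has none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")


def reachability(local_ip):
    """Who can connect to a socket bound to local_ip."""
    addr = ip_address(local_ip)
    if addr.is_unspecified:      # 0.0.0.0: reachable from any interface
        return "any"
    if addr.is_loopback:         # 127.0.0.1: local system only
        return "loopback"
    return "interface"           # bound to one interface's address


def classify(netstat_text):
    """Return (listeners, outbound): listeners maps each TCP LISTENING port
    to its reachability; outbound lists remote endpoints stuck in SYN_SENT
    (connection attempts that have not been answered yet)."""
    listeners, outbound = {}, []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or blank line
        proto, lip, lport, foreign, state = m.groups()
        if proto == "TCP" and state == "LISTENING":
            listeners[int(lport)] = reachability(lip)
        elif proto == "TCP" and state == "SYN_SENT":
            outbound.append(foreign)
    return listeners, outbound


if __name__ == "__main__":
    for port, who in classify(NETSTAT_SAMPLE)[0].items():
        print(f"port {port}: reachable from {who}")
```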
