[Dshield] Does 207.115.129.30 ring any bell?

Pierre Lewis lew001 at globetrotter.net
Tue Jan 6 16:14:21 GMT 2004


Folks,

Thanks for all the pointers/answers.

I tried contacting Genuity's abuse address. We'll see if anything
comes of it. Taking note of http://www.arin.net's tools.

> Daddy's been 0wn3d. That or there is some call home software on the box

That's what I fear too.

> > 2) Second, his PC was listening on two suspect ports, 5180 and
> >    1039. There are two possible backdoors here:
>
> Actually, more than 2. Nothing says the purp used the default listening
> port.

True, the ones I listed just seemed more probable.

> >    Question: if I telnet to his PC on one of these ports, will
> >    I see a command-line interface?
>
> Depends on the back door. If it's a good one, you'll complete the
> handshake and then it will look like nothing happened because you did
> not send the right password, coded info, etc. This is done on purpose to
> make tracking the stuff down much harder.

So it probably won't prove anything if I try (unless I do get
a command line I guess).

Thanks,
Pierre
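
Added example, not part of the original message: a sketch of why a telnet-style probe is inconclusive, as discussed in the quoted reply above. A listener that completes the handshake and then says nothing looks the same from the outside whether it is a backdoor waiting for its password or any ordinary service that waits for the client to speak first. The function names and the loopback listeners are constructed for illustration.

```python
import socket
import threading

def classify_probe(host, port, wait=1.0):
    """Connect to host:port and report what a telnet-style probe would observe."""
    try:
        s = socket.create_connection((host, port), timeout=wait)
    except ConnectionRefusedError:
        return "closed"                  # nothing is listening
    except OSError:
        return "unreachable"             # filtered, timed out, or host down
    with s:
        s.settimeout(wait)
        try:
            data = s.recv(256)
        except socket.timeout:
            return "open-silent"         # handshake done, listener waits for input
        except OSError:
            return "open-reset"          # listener dropped the connection
        return "banner" if data else "open-closed-by-peer"

def start_listener(greeting=None):
    """Constructed loopback listener; returns its port.
    greeting=None models a service that stays silent until it receives input."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # port 0: let the OS pick a free port
    srv.listen(5)
    held = []                            # keep accepted sockets open
    def serve():
        while True:
            conn, _ = srv.accept()
            if greeting:
                conn.sendall(greeting)
            held.append(conn)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    silent = start_listener()
    chatty = start_listener(b"220 constructed banner\r\n")
    for name, port in (("silent", silent), ("chatty", chatty)):
        print(name, port, classify_probe("127.0.0.1", port, wait=0.5))
```

An "open-silent" result only confirms that something accepted the connection; identifying what it is requires looking on the machine itself at which process owns the listening port.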



