[Dshield] Does 188.8.131.52 ring any bell?
lew001 at globetrotter.net
Tue Jan 6 16:14:21 GMT 2004
Thanks for all the pointers/answers.
I tried contacting Genuity's abuse address. We'll see if anything
comes of it. Taking note of http://www.arin.net's tools.
> Daddy's been 0wn3d. That or there is some call home software on the box
That's what I fear too.
> > 2) Second, his PC was listening on two suspect ports, 5180 and
> > 1039. There are two possible backdoors here:
> Actually, more than 2. Nothing says the purp used the default listening
True, the ones I listed just seemed more probable.
> > Question: if I telnet to his PC on one of these ports, will
> > I see a command-line interface?
> Depends on the back door. If it's a good one, you'll complete the
> handshake and then it will look like nothing happened because you did
> not send the right password, coded info, etc. This is done on purpose to
> make tracking the stuff down much harder.
So it probably won't prove anything if I try (unless I do get
a command line I guess).