[Dshield] Does 207.115.129.30 ring any bell?

Richard Ginski rginski at co.pinellas.fl.us
Tue Jan 6 17:11:13 GMT 2004


Some of this is repetitious but I'm trying to add to it:

Try to map the "connection" to the "process running" and to the files
responsible for the process on the system. If you locate the files, try
to do a string search on the file(s). Then do a google on the strings.
You may then know what you're dealing with.

>>> lew001 at globetrotter.net 1/6/2004 11:14:21 AM >>>
Folks,

Thanks for all the pointers/answers.

I tried contacting Genuity's abuse address. We'll see if anything
comes of it. Taking note of http://www.arin.net's tools.

> Daddy's been 0wn3d. That or there is some call home software on the
> box

That's what I fear too.

> > 2) Second, his PC was listening on two suspect ports, 5180 and
> >    1039. There are two possible backdoors here:
>
> Actually, more than 2. Nothing says the purp used the default
> listening port.

True, the ones I listed just seemed more probable.

> >    Question: if I telnet to his PC on one of these ports, will
> >    I see a command-line interface?
>
> Depends on the back door. If it's a good one, you'll complete the
> handshake and then it will look like nothing happened because you did
> not send the right password, coded info, etc. This is done on purpose
> to make tracking the stuff down much harder.

So it probably won't prove anything if I try (unless I do get
a command line I guess).

Thanks,
Pierre

_______________________________________________
list mailing list
list at dshield.org 
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
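Worked example of the triage sequence described at the top of this message (connection to process, process to file, strings from the file). This is added example code for this archive page, not something posted by anyone in the thread. It assumes the Windows `netstat -ano` column layout, and the netstat text and the file bytes are constructed samples: the PIDs, the 192.168.1.5 address, the remote port and every string in the sample binary are made up, while 207.115.129.30 and ports 5180/1039 are the values discussed in the thread. Beyond a plain `strings` run, it also pulls UTF-16LE text, which Windows binaries often carry and an ASCII-only search misses.

```python
"""Map listening ports to a PID, list sockets to a remote host, and extract
printable strings from a suspect file. Added example; not from the list post."""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")

# Constructed sample of Windows `netstat -ano` output (PIDs and 192.168.1.5
# are made up; 207.115.129.30 and ports 5180/1039 come from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:1039           0.0.0.0:0              LISTENING       1724
  TCP    0.0.0.0:5180           0.0.0.0:0              LISTENING       1724
  TCP    192.168.1.5:1041       207.115.129.30:8080    ESTABLISHED     1724
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed stand-in for the suspect file's bytes: a DOS-header prefix plus
# a mix of ASCII and UTF-16LE text. None of these strings come from the thread.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"\x00" * 8
    + b"PRIVMSG #ctrl :"                                              # ASCII run
    + b"\x01\x02"
    + "C:\\WINDOWS\\system32\\drivers\\etc\\hosts".encode("utf-16-le")  # wide run
    + b"\xff\xfe"
    + b"ab"                                                           # too short
    + b"\x00\x00"
    + b"bot.example.invalid"                                          # ASCII run
)


def _split_addr(addr):
    """Split 'ip:port' (or '*:*') into (ip, port-or-None)."""
    ip, _, port = addr.rpartition(":")
    return ip, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -ano` rows into Conn records; header/blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        # UDP rows have no State column, so the PID is the fourth field.
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        lip, lport = _split_addr(local)
        rip, rport = _split_addr(remote)
        conns.append(Conn(proto, lip, lport, rip, rport, state, int(pid)))
    return conns


def pids_listening_on(conns, ports):
    """PIDs owning a LISTENING socket on any of the given local ports."""
    return sorted({c.pid for c in conns if c.state == "LISTENING" and c.local_port in ports})


def connections_to(conns, remote_ip):
    """All sockets whose foreign address is the given IP."""
    return [c for c in conns if c.remote_ip == remote_ip]


def extract_strings(data, min_len=4):
    """Return (offset, encoding, text) for printable runs of at least min_len
    characters, both plain ASCII and UTF-16LE, sorted by file offset."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_run.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in wide_run.finditer(data)]
    return sorted(found)


def triage(netstat_text, suspect_ports, remote_ip, file_bytes):
    """Run the three steps together and return what a search would start from."""
    conns = parse_netstat(netstat_text)
    return {
        "pids": pids_listening_on(conns, suspect_ports),
        "remote": connections_to(conns, remote_ip),
        "strings": extract_strings(file_bytes),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_NETSTAT, {5180, 1039}, "207.115.129.30", SAMPLE_BINARY)
    print("PIDs on suspect ports:", result["pids"])
    for c in result["remote"]:
        print("to remote host:", c)
    for off, enc, text in result["strings"]:
        print("0x%06x %-8s %s" % (off, enc, text))
```

The PID found for the listening ports is the one to look up in a process viewer to get the image path; the extracted strings are the ones to search for. Filenames and paths that only appear in the wide-string output are easy to miss if the file is only run through an ASCII `strings`.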




More information about the list mailing list