[Dshield] Does 184.108.40.206 ring any bell?
rginski at co.pinellas.fl.us
Tue Jan 6 17:11:13 GMT 2004
Some of this is repetitious but I'm trying to add to it:
Try to map the "connection" to the "process running" and to the files
responsible for the process on the system. If you locate the files, try
to do a string search on the file(s). Then do a google on the strings.
You may then know what you're dealing with.
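The triage above (suspect listening port -> owning process -> image file -> strings worth searching for), as an added example that is not part of the original post; the netstat rows, PIDs and executable bytes are constructed placeholders:

```python
import re
from typing import Dict, Iterable, List

# Constructed sample shaped like Windows `netstat -ano` output; PIDs and addresses are placeholders.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1039           0.0.0.0:0              LISTENING       1720
  TCP    0.0.0.0:5180           0.0.0.0:0              LISTENING       1720
  TCP    192.0.2.10:1041        198.51.100.7:80        ESTABLISHED     1720
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed stand-in for the bytes of the executable behind PID 1720.
SAMPLE_IMAGE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00" + b"\x00" * 16
    + b"irc.example.net\x00" + b"\x01\x02" + b"JOIN #example\x00" + b"\xff\xfe"
    + b"ok\x00" + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00" + b"\x7f\x80"
)

def listening_pids(netstat_text: str, suspect_ports: Iterable[int]) -> Dict[int, int]:
    """Map each suspect local port to the PID that is LISTENING on it (TCP rows only)."""
    wanted = set(suspect_ports)
    found: Dict[int, int] = {}
    for line in netstat_text.splitlines():
        fields = line.split()  # TCP rows: proto, local, foreign, state, PID
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        port = int(fields[1].rsplit(":", 1)[1])
        if port in wanted:
            found[port] = int(fields[4])
    return found

def strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII at least min_len bytes long, as the Unix strings tool reports."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

# Strings worth searching for: hostnames, IRC channels, Windows registry paths.
SEARCHABLE_RE = re.compile(r"[A-Za-z0-9-]+\.[A-Za-z]{2,}|#\w+|[A-Za-z]+\\[A-Za-z\\]+")

def triage(netstat_text: str, suspect_ports: Iterable[int],
           images: Dict[int, bytes]) -> Dict[int, dict]:
    """For each suspect port: the owning PID and the searchable strings from its image."""
    report: Dict[int, dict] = {}
    for port, pid in listening_pids(netstat_text, suspect_ports).items():
        hits = [s for s in strings(images.get(pid, b"")) if SEARCHABLE_RE.search(s)]
        report[port] = {"pid": pid, "strings": hits}
    return report
```

On a real host the image bytes come from the executable path that the PID resolves to (Task Manager, `tasklist`, or fport on Windows of that era), not from a constant.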
>>> lew001 at globetrotter.net 1/6/2004 11:14:21 AM >>>
Thanks for all the pointers/answers.
I tried contacting Genuity's abuse address. We'll see if anything
comes of it. Taking note of http://www.arin.net's tools.
> Daddy's been 0wn3d. That or there is some call home software on the
That's what I fear too.
> > 2) Second, his PC was listening on two suspect ports, 5180 and
> > 1039. There are two possible backdoors here:
> Actually, more than 2. Nothing says the purp used the default
True, the ones I listed just seemed more probable.
> > Question: if I telnet to his PC on one of these ports, will
> > I see a command-line interface?
> Depends on the back door. If it's a good one, you'll complete the
> handshake and then it will look like nothing happened because you
> did not send the right password, coded info, etc. This is done on purpose
> to make tracking the stuff down much harder.
So it probably won't prove anything if I try (unless I do get
a command line I guess).