[Dshield] Does ring any bell?

jayjwa jayjwa at atr2.ath.cx
Tue Jan 6 21:46:54 GMT 2004

On Tue, 6 Jan 2004 lew001 at globetrotter.net wrote:

> Subject: [Dshield] Does ring any bell?

Yes, I've seen "level3.com" pop-up before. If I'm not mistaken, one of the
included address hard-coded into SoBig.F was a level3.com address too (not
to imply this is SoBig, which it isn't, by the looks of it...)

Assuming Windows: Updated virus scan, Spyware check, tighten up the fw.
New, clean install if you suspect you might've missed something.

Probably a trojan, possibly a rootkit, IMO. Rootkits are designed
specially to hide stuff used in break-ins. You can read more at
http://www.rootkit.nl (Linux/Unix oriented, but same things applly).
Less likely a back-door spawning virus/worm, but still it's possible.

If you ever have ?'s about a suspicious port, just go to a search engine
(I prefer google myself) and enter it as a search, like this:  "port 1234"
9 out 10 times it'll have something tasty for you, or at least a good lead

>    Question: if I telnet to his PC on one of these ports, will
>    I see a command-line interface? With help :-)? Or are backdoor
>    interfaces more commonly binary interfaces (ie w GUI clients)?

If it's a shell binded to the port, but most likely nothing resembling a
command interface. Windows trojans typically are accessed from a "client",
which can connect to the "server"- what is hidden on the victim's system,
usually as an innocent-looking process and file. Many times these trojans
will modify the "run" or "run-once" keys of HKLM in the registry to make
sure they get run on each boot up. Unix or Linux backdoors are typically
just shells binded to ports, or started up from inet/xinetd by a line
secretly inserted there.

It shouldn't be too hard to recover, good luck.

[jayjwa] RLF#37

More information about the list mailing list