More On Possible Backdoor

J

John Coutts

This is a very vague description, but it *might* indicate the activities
of a mass mailer or proxy. Something along the lines of this here,
maybe:

http://www.theregister.co.uk/content/56/31706.html


Gabriele Neukam

(e-mail address removed)
Click to expand...
****************** REPLY SEPARATER *******************
This was my thought as well, but now I am not so sure. Of the 3 TCP ports
opened on the host machine for listening:

80 - default html
1214 - default KazaA
3136 - unknown

2 are definite KazaA possibles (80 & 1214). 1214 is the SuperNode port that
KazaA opens as a distributed search engine, and KazaA Lite is known to use port
80 to get around port blocking by ISPs (configurable). For downloading
purposes, the latest KazaA will actually search over a range of ports
(1000-3000).

There is however no information available on the use of port 3136, and that is
the one that appears to be the backdoor. It is possible that we have more than
one program at work here, as I have encountered a W2K machine with 3 different
backdoors installed. Needless to say, the machine was very unstable.

J.A. Coutts
Systems Engineer
MantaNet/TravPro
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Need Help to Identify Backdoor Trogan 3
MyDoom Backdoor Useage 2

Top