Hi folks,

One of my users is running WinME at home. He reported that he thought his home machine had been hacked. Running a portscan on the machine turned up the following:

10.0.0.23 unknown 135/tcp unassigned
10.0.0.23 netbios-ssn 139/tcp # NETBIOS session server
10.0.0.23 unknown 4343/tcp unassigned

Attempting to telnet to port 4343 on this machine, I found what appeared to be a small webserver. Here are some samples:

----------------------------------------------------------
GET / HTTP/1.0

HTTP/1.1 400 Bad Request
----------------------------------------------------------
iojgoijtgoij

HTTP/1.1 400 Bad Request
----------------------------------------------------------
GET / HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.14-5.0smp i686)
Host: 10.0.0.23:4343
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1

HTTP/1.1 400 Bad Request

... and so on. Not very revealing.

I attempted to run inzider (http://www.ntsecurity.nu) on the machine to find out what was hooked up to this port (expecting a copy of Back Orifice or similar). While I don't have the dump from inzider, there was no process attached to the server.

Does this sound familiar to anyone? I have reason to believe it's a stealth backdoor of some sort, but I don't have much information to go on.

Thanks in advance.

Jeremy Anderson          email: jeremyat_private
Systems Administrator    tel: 425/775.6495
IS-Squared Inc.          fax: 425/774.8564
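An added example, not part of the original post, of the triage probe done by hand above: it sends a well-formed GET and a garbage line to an unknown listener on separate connections, parses any HTTP status line that comes back, and flags a listener that answers 400 to everything, as the one on port 4343 did. The loopback stand-in listener and the probe payloads are constructed for the demo; point probe() at a real host:port to use it.

```python
import socket
import threading

# Constructed probes mirroring the two requests typed into telnet in the post.
PROBES = {"valid_get": b"GET / HTTP/1.0\r\nHost: target\r\n\r\n",
          "garbage": b"iojgoijtgoij\r\n\r\n"}

def parse_status_line(data):
    # (version, code) if the reply begins with an HTTP status line, else None
    parts = data.split(b"\r\n", 1)[0].decode("latin-1", "replace").split(" ", 2)
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        return parts[0], int(parts[1])
    return None

def probe(host, port, timeout=3.0):
    # Each probe gets its own connection; maps probe name -> parsed status or None
    results = {}
    for name, payload in PROBES.items():
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            chunks = []
            try:
                while chunk := s.recv(4096):
                    chunks.append(chunk)
            except socket.timeout:
                pass  # listener kept the socket open; classify what we have
        results[name] = parse_status_line(b"".join(chunks))
    return results

def classify(results):
    # Rough triage label for the listener based on how it treats each probe
    if any(r is None for r in results.values()):
        return "not-http"
    if all(code >= 400 for _, code in results.values()):
        return "http-like, rejects every request"
    return "http"

def start_fake_listener(connections=2):
    # Constructed stand-in for the observed service: 400 to anything, then close
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(connections)
    def serve():
        for _ in range(connections):
            conn, _ = srv.accept()
            with conn:
                conn.recv(4096)
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

A listener that returns 400 to a valid request and to garbage alike gives no banner to identify it, so the next step is exactly the one the post took: tie the port to a process on the host rather than keep probing it.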
This archive was generated by hypermail 2b30 : Thu Jun 21 2001 - 10:32:23 PDT