RE: Backdoor ?? "Girlnextdoor_" TCP Ports 1025/1028

From: Robert (epicat_private)
Date: Wed Mar 05 2003 - 08:57:33 PST


    What about setting up a sniffer locally, or on the same machine, to
    capture the packets, and then trying to piece it together? My bet is
    that it is another spyware / adware. Have you been browsing the pr0n
    side of the internet lately?
    
    Robert
    
    -----Original Message-----
    From: Alexandru Balan [mailto:Jayat_private] 
    Sent: Wednesday, March 05, 2003 2:51 AM
    To: Salomao Barguil
    Cc: incidentsat_private
    Subject: Re: Backdoor ?? "Girlnextdoor_" TCP Ports 1025/1028
    
    Check what you have set as nameserver. girlnextdoor_ might be either a
    result of DNS poisoning or just someone in your network connected to
    your machine's services. The weird part would be that the remote port is
    0. Did you know that you have _all_ of those services running?
    
    On Fri, 2003-02-28 at 02:40, Salomao Barguil wrote:
    > Hi, 
    > 
    > Running netstat -a , I found a foreign address
    > "GirlNextDoor_" listening to ports TCP 1025/1028.
    > 
    > Can someone explain to me what is going on with this desktop?
    > 
    > It's a Win2k/SP2 workstation with McAfee antivirus and
    > ZoneAlarm.
    > 
    > Also, can you explain to me the second set of
    > connections, foreign address "*:*"?
    > 
    > Thanks for your help,
    > Sal.
    > 
    > -------------------------------------------------------
    > Microsoft Windows 2000 [Version 5.00.2195]
    > (C) Copyright 1985-2000 Microsoft Corp.
    > 
    > C:\>netstat -a
    > 
    > Active Connections
    > 
    >   Proto  Local Address          Foreign Address        State
    >   TCP    p4win2k:epmap          Girlnextdoor_:0        LISTENING
    >   TCP    p4win2k:microsoft-ds   Girlnextdoor_:0        LISTENING
    >   TCP    p4win2k:1025           Girlnextdoor_:0        LISTENING
    >   TCP    p4win2k:1028           Girlnextdoor_:0        LISTENING
    >   TCP    p4win2k:netbios-ssn    Girlnextdoor_:0        LISTENING
    >   UDP    p4win2k:epmap          *:*
    >   UDP    p4win2k:microsoft-ds   *:*
    >   UDP    p4win2k:1027           *:*
    >   UDP    p4win2k:1030           *:*
    >   UDP    p4win2k:netbios-ns     *:*
    >   UDP    p4win2k:netbios-dgm    *:*
    >   UDP    p4win2k:isakmp         *:*
    > 
    > C:\>
    > -------------------------------------------------------
    > 
    -- 
    The Virgin BOFH...
    Linux Registered User #288905
    Public GnuPG Key B760A432 available at
    http://www.ines.ro/public_keys/jay.gpg
    
    
    ----------------------------------------------------------------------------
    
    Lose another weekend managing your IDS?
    Take back your personal time.
    15-day free trial of StillSecure Border Guard.
    http://www.securityfocus.com/stillsecure
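As an added example, not code from anyone in the thread: a small Python parser for the Windows `netstat -a` format Sal posted, which reads the listing and states what the Foreign Address column means for each socket, so the LISTENING rows with foreign port 0 and the UDP `*:*` rows he asks about get a mechanical answer. The sample listing is the quoted output reflowed one socket per line, with its host and port names taken as-is.

```python
import re

# Constructed sample: the netstat -a listing quoted in the thread, one socket per line.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State
  TCP    p4win2k:epmap          Girlnextdoor_:0        LISTENING
  TCP    p4win2k:microsoft-ds   Girlnextdoor_:0        LISTENING
  TCP    p4win2k:1025           Girlnextdoor_:0        LISTENING
  TCP    p4win2k:1028           Girlnextdoor_:0        LISTENING
  TCP    p4win2k:netbios-ssn    Girlnextdoor_:0        LISTENING
  UDP    p4win2k:epmap          *:*
  UDP    p4win2k:microsoft-ds   *:*
  UDP    p4win2k:1027           *:*
  UDP    p4win2k:1030           *:*
  UDP    p4win2k:netbios-ns     *:*
  UDP    p4win2k:netbios-dgm    *:*
  UDP    p4win2k:isakmp         *:*
"""

# Proto, local host:port, foreign host:port, optional state (UDP rows have none).
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return one dict per socket row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, lhost, lport, fhost, fport, state = m.groups()
            rows.append(dict(proto=proto, lhost=lhost, lport=lport,
                             fhost=fhost, fport=fport, state=state))
    return rows

def classify(sock):
    """Say what the Foreign Address column means for one socket."""
    if sock["proto"] == "TCP" and sock["state"] == "LISTENING" and sock["fport"] == "0":
        # A listening socket has no peer: the foreign side is the 0.0.0.0:0 placeholder.
        # Any name printed there is netstat's reverse lookup of 0.0.0.0 (skipped by -n), not a host.
        return "local listener, no peer"
    if sock["proto"] == "UDP" and (sock["fhost"], sock["fport"]) == ("*", "*"):
        # UDP is connectionless, so an unconnected socket shows *:* rather than a peer.
        return "unconnected UDP socket"
    if sock["proto"] == "TCP" and sock["state"] == "ESTABLISHED":
        return "connection to %s:%s" % (sock["fhost"], sock["fport"])
    return "other"

def summarize(text):
    """Map (proto, local port) -> classification, e.g. ('TCP', '1025') -> 'local listener, no peer'."""
    return {(s["proto"], s["lport"]): classify(s) for s in parse_netstat(text)}
```

Compare the listing with `netstat -an` on the same box: if the port-0 foreign name disappears there, it was produced by name resolution, which is what Alexandru's nameserver check is about.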
    



    This archive was generated by hypermail 2b30 : Wed Mar 05 2003 - 14:23:47 PST