On Tuesday 19 August 2003 02:39 am, Jeff Kell wrote:
> Ken Dunham wrote:
> > It opens TCP port 707. doesn't sound nice to me.
>
> This is the bothersome part. If it keeps a shell bound to 707 then it
> is definitely malicious, despite the sugar coating.

Port 707 is not opened as a shell; it's the port the soon-to-be-infected machines connect back to on the infecting host in order to receive the commands that will complete their infection - in other words: a reverse shell.

-Joe

--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/
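The connect-back pattern described in the message above can be triaged from flow logs; this is an added example, not code from the thread or its participants. The CSV layout, the addresses and the function names are constructed for illustration, and the "later listens itself" check assumes a newly infected machine goes on to act as an infecting host.

```python
import csv
import io
from collections import defaultdict

CALLBACK_PORT = 707  # TCP port named in the thread

# Constructed flow records for illustration (not real traffic).
# flags = TCP flags of the first packet seen: "S" is a bare SYN.
SAMPLE_FLOWS = """\
ts,src,sport,dst,dport,flags
2003-08-19T09:00:02,10.0.0.9,1177,10.0.0.5,707,S
2003-08-19T09:00:03,10.0.0.5,707,10.0.0.9,1177,SA
2003-08-19T09:00:08,10.0.0.12,1201,10.0.0.5,707,S
2003-08-19T09:03:40,10.0.0.30,1099,10.0.0.9,707,S
2003-08-19T09:04:00,10.0.0.20,707,192.0.2.8,80,S
"""


def callback_edges(flow_csv, port=CALLBACK_PORT):
    """Return time-ordered (ts, listener, client) for connections opened to `port`."""
    edges = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        # Only a SYN sent *to* the port is a connect-back; replies from the
        # port and clients that merely use it as a source port are skipped.
        if int(row["dport"]) == port and row["flags"] == "S":
            edges.append((row["ts"], row["dst"], row["src"]))
    return sorted(edges)


def triage(flow_csv, port=CALLBACK_PORT):
    """Group clients per listener and flag clients that later listen themselves."""
    listeners = defaultdict(list)
    first_seen_as_client = {}
    relayed = set()
    for ts, listener, client in callback_edges(flow_csv, port):
        if client not in listeners[listener]:
            listeners[listener].append(client)
        first_seen_as_client.setdefault(client, ts)
        # A host that connected out earlier and now accepts connections on the
        # port has likely become an infecting host in turn (labelled assumption).
        if listener in first_seen_as_client and first_seen_as_client[listener] < ts:
            relayed.add(listener)
    return dict(listeners), sorted(relayed)


if __name__ == "__main__":
    hosts, relayed = triage(SAMPLE_FLOWS)
    for listener, clients in hosts.items():
        print(f"{listener} accepted TCP/{CALLBACK_PORT} from {clients}")
    print("connected out, then listened:", relayed)
```

Hosts on the listener side are the ones to isolate first; each client listed under them is a machine that asked for the commands completing its infection.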
This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 20:51:31 PDT