Most trojans are awfully sparse on response information if you don't authenticate to them properly. I don't think such a tool exists, and if it did, I think it would only spot a few of the many possible trojans out there. A long shot might be to check out which well-known trojans are easily reconfigured to use different ports (like BO2K) and do a quick check for those. Otherwise, it's entirely possible that the trojan has been slightly rewritten to make it remotely unidentifiable anyways.

-----Original Message-----
From: Discussion Lists [mailto:discussionsat_private]
Sent: Monday, April 28, 2003 6:06 PM
To: Eric; pen-testat_private
Subject: RE: Scanning for trojans

Thanks, but in my case I don't have local access to the machine, so it would be helpful to find a way to identify it remotely. I am beginning if such an animal actually exists?

Thanks

> -----Original Message-----
> From: Eric [mailto:ewsat_private]
> Sent: Monday, April 28, 2003 2:26 PM
> To: Discussion Lists; pen-testat_private
> Subject: Re: Scanning for trojans
>
>
> map the open port back to the executable that launched it.
>
> ...Microsoft specific advice...
> If on Win2K, use fport from Foundstone. If XP, try fport, or do netstat
> -on and map the PID back to the executable.
>
> At 10:19 AM 4/27/2003 -0700, Discussion Lists wrote:
> >Hi all,
> >I have discovered what I believe is a trojan on a port that is a
> >non-standard port for that particular trojan, but I want to narrow down
> >the possibilities of what it could be. Can anyone suggest a trojan
> >scanner that can detect a trojan by simply scanning for open ports, and
> >connecting?
> >
> >Thanks
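The port-to-PID-to-executable mapping suggested in the thread, as an added example that is not part of the original posts: it parses `netstat -ano` output (the `-a` switch is what includes listening sockets) and `tasklist /fo csv /nh` output, then reports listeners outside an expected set. The sample output, the process names, port 40123 and the `EXPECTED` allowlist are constructed for illustration.

```python
import csv
import io

# Constructed sample of `netstat -ano` output; not taken from the thread.
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:40123          0.0.0.0:0              LISTENING       1812
  TCP    10.0.0.5:1045          10.0.0.9:80            ESTABLISHED     2040
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv /nh` output.
TASKLIST = '''\
"System","4","Console","0","212 K"
"svchost.exe","884","Console","0","3,120 K"
"unknown_svc.exe","1812","Console","0","1,804 K"
"iexplore.exe","2040","Console","0","18,440 K"
'''

# Assumed baseline of listeners this host is supposed to have.
EXPECTED = {("TCP", 135), ("TCP", 445), ("UDP", 445)}

def listeners(netstat_text):
    """Return (proto, port, pid) for TCP LISTENING rows and bound UDP sockets."""
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue  # outbound or established connection, not a listener
        port = int(f[1].rsplit(":", 1)[1])  # rsplit also copes with [::]:135
        found.append((f[0], port, int(f[-1])))  # PID is always the last column
    return found

def pid_names(tasklist_csv):
    """Map PID -> image name from CSV-formatted tasklist output."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(tasklist_csv)) if r}

def unexpected(netstat_text, tasklist_csv, expected):
    """Listeners not in the baseline, each with its owning executable."""
    names = pid_names(tasklist_csv)
    return [(proto, port, pid, names.get(pid, "<unknown>"))
            for proto, port, pid in listeners(netstat_text)
            if (proto, port) not in expected]

if __name__ == "__main__":
    for row in unexpected(NETSTAT, TASKLIST, EXPECTED):
        print("unexpected listener: %s/%d pid=%d image=%s" % row)
```

A PID that resolves to `<unknown>` means the process was not in the process listing supplied, which is itself worth investigating on the host.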
This archive was generated by hypermail 2b30 : Tue Apr 29 2003 - 08:05:23 PDT