On Tue, Jun 10, 2003 at 01:04:13PM +0200, Pavel Kankovsky wrote:
> On Mon, 9 Jun 2003, Jason Alexander wrote:
>
> > I thought that BugBear.B's backdoor was running on port 1080
> > http://www.idefense.com/public_release/06.05.2003.html
>
> Yes, it appears to listen on 1080/tcp.
> The protocol is something weird, certainly not HTTP.

According to the reference in Vincent's plugin, it's possible to launch a web server on an arbitrary port, so I added the plugin, which now looks for every web server, not only port 81.

As for the protocol on port 1080, if anyone has an infected host I'd be happy to write a signature for it.

--
Renaud