More On Possible Backdoor

  • Thread starter: John Coutts

John Coutts

This is a very vague description, but it *might* indicate the activities
of a mass mailer or proxy. Something along the lines of this here,
maybe:

http://www.theregister.co.uk/content/56/31706.html


Gabriele Neukam

****************** REPLY SEPARATOR *******************
This was my thought as well, but now I am not so sure. Of the 3 TCP ports
opened on the host machine for listening:

80 - default html
1214 - default KazaA
3136 - unknown

2 are definite KazaA possibles (80 & 1214). 1214 is the SuperNode port that
KazaA opens as a distributed search engine, and KazaA Lite is known to use port
80 to get around port blocking by ISPs (configurable). For downloading
purposes, the latest KazaA will actually search over a range of ports
(1000-3000).

There is however no information available on the use of port 3136, and that is
the one that appears to be the backdoor. It is possible that we have more than
one program at work here, as I have encountered a W2K machine with 3 different
backdoors installed. Needless to say, the machine was very unstable.

J.A. Coutts
Systems Engineer
MantaNet/TravPro
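The triage the post walks through (list the listening TCP ports, account for the ones a known program explains, treat the leftover as the suspect) can be turned into a small script. The following Python is an added example and is not from this thread or from any tool the poster mentions; the netstat-style lines are constructed to mirror the three listeners described above, and the service map encodes only what the post says about KazaA (80, 1214, and the 1000-3000 download range). Anything else, such as 3136, comes out as unexplained and is the one to chase down to its owning process.

```python
"""
Triage of listening TCP ports against the services known to be on a host.

Added example, not code from the original thread. The netstat-style text
and the service map are constructed from what the post states about KazaA.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the style of `netstat -an` output (not real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1214           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3136           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1214      10.0.0.5:4523          ESTABLISHED
  UDP    0.0.0.0:1214           *:*
"""

# Ports the post gives a documented explanation for on this host.
KNOWN_PORTS = {
    80: "HTTP (also used by KazaA Lite to get around ISP port blocking)",
    1214: "KazaA SuperNode / distributed search",
}
# The post says the latest KazaA searches a port range for downloads.
KNOWN_RANGES = [((1000, 3000), "KazaA download port range")]

# Only TCP sockets in LISTENING state; established flows and UDP are ignored.
LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s*$"
)


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    explanation: Optional[str]  # None: no known service accounts for it


def explain_port(port: int) -> Optional[str]:
    """Return the known explanation for a port, or None if nothing covers it."""
    if port in KNOWN_PORTS:
        return KNOWN_PORTS[port]
    for (low, high), label in KNOWN_RANGES:
        if low <= port <= high:
            return label
    return None


def parse_listeners(netstat_text: str) -> List[Listener]:
    """Extract TCP listeners from netstat-style text and classify each one."""
    found = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        port = int(m.group("port"))
        found.append(Listener(m.group("addr"), port, explain_port(port)))
    return found


def unexplained_ports(netstat_text: str) -> List[int]:
    """Listening ports with no explanation: the ones that need follow-up
    (which process owns the socket, and what binary backs that process)."""
    return sorted({l.port for l in parse_listeners(netstat_text)
                   if l.explanation is None})


if __name__ == "__main__":
    for l in parse_listeners(SAMPLE_NETSTAT):
        status = l.explanation or "UNEXPLAINED - identify the owning process"
        print(f"{l.addr}:{l.port:<6} {status}")
    print("unexplained:", unexplained_ports(SAMPLE_NETSTAT))
```

Note that "explained" here only means "a plausible program accounts for it"; the 1000-3000 range is wide enough that a second program could sit inside it unnoticed, so on a machine already suspected of carrying more than one backdoor, every listener, explained or not, is worth tying back to its process and on-disk binary before it is cleared.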