Need Help to Identify Backdoor Trogan

  • Thread starter Thread starter John Coutts
  • Start date Start date
J

John Coutts

One of our csutomers machines appears to have been infected with a backdoor
trojan. It appears to somehow be related to Kaza (or clone). When the customer
starts downloading music files, it opens the following ports:

80 - default HTML port
1214 - Default Kaza port
3136 - Unknown

Port 3136 appears to be the Backdoor. As soon as the customer connects to the
Internet, he will start to receive requests from Malaysia [219.95.211.1] on
this port. Subsequently, a connection is made to port 80 from [207.171.63.33],
and shortly thereafter the system starts spewing out unidentifiable info to a
large number of addresses on various ports.

Neither port 80 or port 3136 respond to a Telnet command. Has anyone
experienced this type of behaviour?

J.A. Coutts
Systems Engineer
MantaNet/TravPro
 
John Coutts said:
One of our csutomers machines appears to have been infected with a backdoor
trojan. It appears to somehow be related to Kaza (or clone). When the customer
starts downloading music files, it opens the following ports:

80 - default HTML port
1214 - Default Kaza port
3136 - Unknown

Port 3136 appears to be the Backdoor. As soon as the customer connects to the
Internet, he will start to receive requests from Malaysia [219.95.211.1] on
this port. Subsequently, a connection is made to port 80 from [207.171.63.33],
and shortly thereafter the system starts spewing out unidentifiable info to a
large number of addresses on various ports.

Neither port 80 or port 3136 respond to a Telnet command. Has anyone
experienced this type of behaviour?
Click to expand...

Some p2p service software may use the client's machines to
help distribute any updated version that is made available.
Maybe some other clients are obtaining the *new* version
that is on your customers machine.
 
A search on the Internet reveals the following ports are used by P2P software:

KaZaA (1214, 1285, 1299, 1331,1337, 3135, 3136 and 3137)
Napster (6699, 8875, 8876, 8888)
Gnutella (6346, 6347)
WinMX Windows client for Napster (6257, 6699)

Unfortunately, there does not seem to be any information on how these ports are
used (except for 1214). Blocking of port 3136 to this machine seems to have
solved the high volume problem for the moment.
****************** SEPARATER ******************
 
On that special day, John Coutts, ([email protected]) said...
As soon as the customer connects to the
Internet, he will start to receive requests from Malaysia [219.95.211.1] on
this port. Subsequently, a connection is made to port 80 from [207.171.63.33],
and shortly thereafter the system starts spewing out unidentifiable info to a
large number of addresses on various ports.
Click to expand...

This is a very vague description, but it *might* indicate the activities
of a mass mailer or proxy. Something along the lines of this here,
maybe:

http://www.theregister.co.uk/content/56/31706.html


Gabriele Neukam

(e-mail address removed)
 
Back
Top