TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Hello,
I am reporting an incident; I suspect that a backdoor could have been
planted on my computer.
I recently scanned my computer and found that a number of ports were listening
that I don't think should be listening; these ports are:
44333
17396
When telnetting to port 44333 I get the following data (without the quotes):
"
��I
� �O�~y&���pY�����`dS�jEF���h,%���7U3�@m�@���g{��h�<��
"
If I then type in some text and press <enter>, I get disconnected from that
telnet session. I suspect this could be where the intruder is supposed to
type in a password and then, if successful, they gain access to my computer.
When I telnet to port 17396 no data shows up at all, just a blank screen.
I can type as much data as I want and I stay connected.
The telnet client I use is SecureCRT from http://www.vandyke.com/
Local Echo is not enabled, but whenever I type something it IS echoed back
to me, so obviously the server is echoing back what I type.
When I press keys such as <Esc> and the left, right, up and down keys, I get
echoed back things like ^C and ^[[D.
I am running Windows NT Server 4.0 with SP6a. Until recently I was also
running an unpatched/updated version of Microsoft Internet Information Server 4.0;
a few days after discovering port 44333 was listening I removed IIS 4.0 from my
system.
It is possible that one of the widely known exploits for IIS 4.0 was used
to plant a backdoor on my computer. It is also possible that a legitimate program
that I am not aware of is listening on the ports.
I know of some tools for *nix to see what process is listening on a given
port, but where can I find these tools for Windows NT Server 4.0? If you know of any,
please let me know their names or where I can find them. Thanks.
Does anyone know what to do in a situation like this? I have installed
ZoneAlarm on the 'infected'/'affected' computer and told it to Block Internet Servers, so
hopefully no one will be able to connect to me. I have also done other things to make
sure that no one can connect to any ports on my computer. Alas, there was still plenty
of time for the intruder to get into my system before I blocked access :(
Any help/responses would be appreciated.
Thanks,
-0-
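As an added example (not part of the original post or any reply to it), this is the triage check that goes with a report like the one above: take `netstat -an` style output, flag TCP ports in LISTENING state that are not in a known baseline for the host, and list any established sessions to those ports, since a remote peer attached to an unexplained listener is the first thing to preserve as evidence. The netstat text and the baseline port set are constructed for the example; the two high ports are the ones the poster reports, the others stand in for ordinary NT services. On Windows NT 4.0 netstat shows sockets but not the owning process, so this narrows the investigation to specific sockets rather than naming the program behind them.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `netstat -an` output in the Windows NT 4.0 column
# layout. Ports 44333 and 17396 are the ones named in the post; every other
# row, address and peer is made up for the example.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:44333          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:17396          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:17396     203.0.113.7:2511       ESTABLISHED
  TCP    192.168.1.10:139       192.168.1.20:1045      ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# Hypothetical baseline: TCP ports the administrator expects to be open on
# this host. A real baseline comes from the server's documented role.
EXPECTED_TCP_LISTENERS: Set[int] = {135, 139, 1025}

# One data row: proto, local addr:port, foreign endpoint, optional state
# (UDP rows have no State column, hence the optional last group).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Turn netstat -an output into records; header and blank lines are skipped."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local_addr, local_port, foreign, state = m.groups()
        records.append({
            "proto": proto,
            "local_addr": local_addr,
            "local_port": int(local_port),
            "foreign": foreign,
            "state": state or "",
        })
    return records


def unexpected_listeners(records: List[Dict[str, object]],
                         expected: Set[int]) -> List[int]:
    """TCP ports in LISTENING state that are absent from the baseline."""
    ports = {r["local_port"] for r in records
             if r["proto"] == "TCP" and r["state"] == "LISTENING"
             and r["local_port"] not in expected}
    return sorted(ports)


def peers_of(records: List[Dict[str, object]], ports: Set[int]) -> List[str]:
    """Remote endpoints with an ESTABLISHED session to any of the given local ports."""
    return sorted(r["foreign"] for r in records
                  if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
                  and r["local_port"] in ports)


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    suspicious = unexpected_listeners(recs, EXPECTED_TCP_LISTENERS)
    print("Unexpected TCP listeners:", suspicious)
    print("Peers connected to them:", peers_of(recs, set(suspicious)))
```

Run against the constructed sample this reports 17396 and 44333 as unexplained listeners and one remote peer attached to 17396. The same parser works on a saved `netstat -an` capture from the affected machine, which is worth taking before any firewall rule or reboot changes the picture.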