TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

The TDImon program from Sysinternals at 
http://www.sysinternals.com/tdimon.htm will show you which processes are 
using a particular port.  The program runs on Windows 9x, NT, and 2000 and 
is free - they offer a commercial program for $69 that has additional features.

If you don't have an antivirus program with up-to-date virus definitions 
you should install those immediately, since most will check for common 
trojans.  I noticed some anomalous network connections while installing 
software on someone else's system this weekend.  He had an antivirus 
program, but the virus definitions weren't current.  I updated the 
definitions and found qaz.trojan, which provides a backdoor into the 
system, was on the PC.

The codes you see when you use Escape and the cursor keys are VT100 escape 
codes.  I believe SecureCRT uses a VT100 terminal emulation by 
default.  You can check your terminal emulation by selecting the session, 
then its properties, and then looking at "emulation".  VT100 terminals were 
manufactured by Digital Equipment Corporation (DEC) and it is quite common 
for telnet programs to emulate those terminals and use the escape codes you 
see.  For a list of these escape codes see 
http://atlas.cs.york.ac.uk/Information/VT100.html - essentially all you are 
seeing is the keystrokes echoed back to you.

I don't know of a backdoor program that normally listens on the ports you 
listed, but some of the backdoor trojans have configurable ports, so there 
are many that might possibly be listening on those ports.  Some links 
listing ports trojans commonly listen on are as follows:

http://www.xploiter.com/security/trojanport.html
http://websites.ntl.com/~leo.filos/trojanh.htm
http://www.sans.org/newlook/resources/IDFAQ/oddports.htm
http://www.onctek.com/trojanports.html

If you were willing to let someone else scan your system for trojans, you 
could even go to 
http://antivirus.about.com/compute/antivirus/cs/trojansworms/index.htm?iam=dpile&terms=trojan+port 
and select the "Online trojan and port 
scanner".  There is also a site, http://www.hackfix.org/ , to help people 
stay informed about trojan horse programs.

At 02:45 PM 9/8/00 +1000, [EMAIL PROTECTED] wrote:

>Hello,
>
>I am reporting an incident, I suspect that a backdoor could have been
>planted on my computer.
>
>I recently scanned my computer and found that a number of ports were listening
>that I don't think should be listening, these ports are:
>
>44333
>17396
>
>When telnetting to port 44333 I get the following data (without the quotes):
>"
>��I
>    �    �O�~y&���pY�����`dS�jEF���h,%���7U3�@m�@���g{��h�<��
>"
>
>If I then type in some text and press <enter> I get disconnected from that
>telnet session, I suspect this could be where the intruder is supposed to
>type in a password and then if successful they gain access to my computer.
>
>When I telnet to port 17396 no data shows up at all, just a blank screen.
>I can type as much data as I want and I stay connected.
>
>The telnet client I use is SecureCRT from http://www.vandyke.com/
>
>Local Echo is not enabled, but whenever I type something it IS echoed back
>to me, so obviously the server is echoing back what I type.
>
>When I press keys such as <Esc>, and the left, right, up, down keys I get
>echoed back things like ^C and ^[[D
>
>I am running Windows NT Server 4.0 with SP6a. Until recently I was also
>running an unpatched/updated version of Microsoft Internet Information
>Server 4.0, a few days after discovering port 44333 was listening I removed
>IIS 4.0 from my system.
>
>It is possible that one of the widely known exploits for IIS 4.0 was used
>to plant a backdoor on my computer. It is also possible that a legitimate
>program that I am not aware of is listening on the ports.
>
>I know of some tools for *nix to see what process is listening on a given
>port, but where can I find these tools for Windows NT Server 4.0? If you
>know of any please let me know their names or where I can find them. Thanks.
>
>Does anyone know what to do in a situation like this? I have installed
>ZoneAlarm on the 'infected'/'affected' computer and told it to Block
>Internet Servers so hopefully no one will be able to connect to me. I have
>also done other things to make sure that no one can connect to any ports on
>my computer. Alas there was still plenty of time for the intruder to get
>into my system before I blocked access :(
>
>Any help/responses would be appreciated
>
>Thanks,
>-0-
>
>
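
The echoes described in the quoted message (^C and ^[[D) are caret notation for control bytes, and they can be decoded mechanically. The following Python is an added example, not part of the original e-mail thread; the function names are illustrative and the sample strings are constructed from the two echoes quoted above.

```python
import re

# Final bytes of the cursor-key sequences a VT100 sends: ESC [ A..D in the
# default (ANSI) cursor mode, ESC O A..D in application cursor mode.
CURSOR_KEYS = {b"A": "cursor up", b"B": "cursor down",
               b"C": "cursor right", b"D": "cursor left"}
# ESC, then "[" or "O", optional parameter bytes, then one final byte.
SEQUENCE = re.compile(rb"\x1b([\[O])([0-?]*)([@-~])")


def caret_to_bytes(text):
    """Undo caret notation: ^[ -> ESC (0x1B), ^C -> 0x03, ^? -> DEL (0x7F)."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "^" and i + 1 < len(text) and "?" <= text[i + 1] <= "_":
            out.append(ord(text[i + 1]) ^ 0x40)
            i += 2
        else:
            out += text[i].encode("utf-8")
            i += 1
    return bytes(out)


def describe_echo(echo):
    """Name each keystroke in text a remote service echoed back."""
    data = caret_to_bytes(echo)
    events = []
    i = 0
    while i < len(data):
        m = SEQUENCE.match(data, i)
        if m:
            # Only a parameterless sequence ending in A..D is a cursor key.
            key = CURSOR_KEYS.get(m.group(3)) if not m.group(2) else None
            events.append(key or "escape sequence " + repr(m.group(0)))
            i = m.end()
        elif data[i] < 0x20 or data[i] == 0x7F:
            name = "Esc" if data[i] == 0x1B else "Ctrl-" + chr(data[i] ^ 0x40)
            events.append(name)
            i += 1
        else:
            events.append("literal " + repr(chr(data[i])))
            i += 1
    return events


# Constructed samples: the two echoes quoted in the message, plus typed text.
if __name__ == "__main__":
    for sample in ("^[[D", "^C", "^[[Aok"):
        print(sample, "->", describe_echo(sample))
```
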