TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
The TDImon program from Sysinternals at
http://www.sysinternals.com/tdimon.htm will show you which processes are
using a particular port. The program runs on Windows 9x, NT, and 2000 and
is free - they offer a commercial program for $69 that has additional features.

If you don't have an antivirus program with up-to-date virus definitions
you should install those immediately, since most will check for common
trojans. I noticed some anomalous network connections while installing
software on someone else's system this weekend. He had an antivirus
program, but the virus definitions weren't current. I updated the
definitions and found qaz.trojan, which provides a backdoor into the
system, was on the PC.

The codes you see when you use Escape and the cursor keys are VT100 escape
codes. I believe SecureCRT uses a VT100 terminal emulation by
default. You can check your terminal emulation by selecting the session,
then its properties, and then looking at "emulation". VT100 terminals were
manufactured by Digital Equipment Corporation (DEC) and it is quite common
for telnet programs to emulate those terminals and use the escape codes you
see. For a list of these escape codes see
http://atlas.cs.york.ac.uk/Information/VT100.html - essentially all you are
seeing is the keystrokes echoed back to you.

I don't know of a backdoor program that normally listens on the ports you
listed, but some of the backdoor trojans have configurable ports, so there
are many that might possibly be listening on those ports. Some links
listing ports trojans commonly listen on are as follows:
http://www.xploiter.com/security/trojanport.html
http://websites.ntl.com/~leo.filos/trojanh.htm
http://www.sans.org/newlook/resources/IDFAQ/oddports.htm
http://www.onctek.com/trojanports.html

If you were willing to let someone else scan your system for trojans, you
could even go to
http://antivirus.about.com/compute/antivirus/cs/trojansworms/index.htm?iam=dpile&terms=trojan+port
and select the "Online trojan and port scanner". There is also a site,
http://www.hackfix.org/ , to help people stay informed about trojan horse
programs.

At 02:45 PM 9/8/00 +1000, [EMAIL PROTECTED] wrote:
>
>Hello,
>
>I am reporting an incident, I suspect that a backdoor could have been
>planted on my computer.
>
>I recently scanned my computer and found that a number of ports were listening
>that I don't think should be listening, these ports are:
>
>44333
>17396
>
>When telnetting to port 44333 I get the following data (without the quotes):
>"
>��I
> � �O�~y&���pY�����`dS�jEF���h,%���7U3�@m�@���g{��h�<��
>"
>
>If I then type in some text and press <enter> I get disconnected from that
>telnet session, I suspect this could be where the intruder is supposed to
>type in a password and then if successful they gain access to my computer.
>
>When I telnet to port 17396 no data shows up at all, just a blank screen.
>I can type as much data as I want and I stay connected.
>
>The telnet client I use is SecureCRT from http://www.vandyke.com/
>
>Local Echo is not enabled, but whenever I type something it IS echoed back
>to me, so obviously the server is echoing back what I type.
>
>When I press keys such as <Esc>, and the left, right, up, down keys I get
>echoed back things like ^C and ^[[D
>
>I am running Windows NT Server 4.0 with SP6a. Until recently I was also
>running an unpatched/updated version of Microsoft Internet Information
>Server 4.0, a few days after discovering port 44333 was listening I removed
>IIS 4.0 from my system.
>
>It is possible that one of the widely known exploits for IIS 4.0 was used
>to plant a backdoor on my computer. It is also possible that a legitimate
>program that I am not aware of is listening on the ports.
>
>I know of some tools for *nix to see what process is listening on a given
>port, but where can I find these tools for Windows NT Server 4.0? If you
>know of any please let me know their names or where I can find them. Thanks.
>
>Does anyone know what to do in a situation like this? I have installed
>ZoneAlarm on the 'infected'/'affected' computer and told it to Block
>Internet Servers so hopefully no one will be able to connect to me. I have
>also done other things to make sure that no one can connect to any ports on
>my computer. Alas there was still plenty of time for the intruder to get
>into my system before I blocked access :(
>
>Any help/responses would be appreciated
>
>Thanks,
>-0-
>
>
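
The question in this thread, which process owns a listening port, as an added example that is not part of either message: a Python parser for `netstat -ano` output that reports listeners outside a baseline, grouped by PID. It assumes a Windows version whose netstat supports the `-o` (PID) switch; the sample output, the PIDs and the baseline set are constructed, with the two ports from the post used as the unexpected listeners.

```python
import re

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:17396          0.0.0.0:0              LISTENING       2312
  TCP    0.0.0.0:44333          0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1045      203.0.113.7:80         ESTABLISHED     1580
  TCP    [::]:135               [::]:0                 LISTENING       884
  UDP    0.0.0.0:500            *:*                                    712
"""

# Hypothetical baseline: TCP ports this host is expected to listen on.
EXPECTED_TCP_PORTS = {135, 139, 445}

# Matches only TCP rows in LISTENING state; handles IPv4 and bracketed IPv6.
LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)

def listening_sockets(netstat_text):
    """Yield (address, port, pid) for every TCP socket in LISTENING state."""
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("local"), int(m.group("port")), int(m.group("pid"))

def unexpected_listeners(netstat_text, expected_ports):
    """Return {pid: sorted ports} for listeners outside the baseline."""
    found = {}
    for _addr, port, pid in listening_sockets(netstat_text):
        if port not in expected_ports:
            found.setdefault(pid, set()).add(port)
    return {pid: sorted(ports) for pid, ports in found.items()}

if __name__ == "__main__":
    hits = unexpected_listeners(SAMPLE_NETSTAT, EXPECTED_TCP_PORTS)
    for pid, ports in hits.items():
        print(f"PID {pid} listens on unexpected TCP ports {ports}")
```

The reported PID can then be matched to an executable in the process list before deciding whether the listener is legitimate.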