Can anyone identify this possible backdoor?

From: Greg Owen (gowen-incidents_at_swynwyr.com)
Date: 08/22/03

    Date: Fri, 22 Aug 2003 11:18:04 -0400 (EDT)
    To: incidents@securityfocus.com

    Investigating a machine which is spewing SoBig.F and may be compromised,
    I'm seeing the following response on port 2001/tcp:

    % nc 192.168.5.89 2001

    <
    > Unrecognized command or Invalid argument received
    % nc 192.168.5.89 2001
    helo
    <helo> Unrecognized command or Invalid argument received
    %

    Google doesn't uncover anything with that error string, and there are more
    possible uses for port 2001 than a dog has fleas. Does anyone recognize
    what this listener might be?

    I don't have physical access to the box, unfortunately, as that would make
    this much easier to ID.

    -- 
    	gowen -- Greg Owen -- gowen-incidents@swynwyr.com
    	79A7 4063 96B6 9974 86CA  3BEF 521C 860F 5A93 D66D
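    One way to check whether other hosts on the same segment answer with the same listener signature, as an added example that is not part of the original post (the `probe_host` helper, the sample address and the single-chunk read are assumptions):

```python
import re
import socket

# Constructed fingerprint of the reply described in the post: the listener
# echoes whatever it was sent inside angle brackets, then a fixed error string.
_BANNER_RE = re.compile(
    r"^<(?P<echo>.*?)>\s*Unrecognized command or Invalid argument received",
    re.DOTALL,
)


def matches_listener_banner(sent: str, response: str) -> bool:
    """Return True if `response` is this listener's reply to the line `sent`.

    Both probes from the post are covered: the echoed token is compared after
    stripping line terminators, because the empty-line reply carried the
    newline inside the brackets while the 'helo' reply did not.
    """
    m = _BANNER_RE.match(response)
    if not m:
        return False
    return m.group("echo").strip() == sent.strip()


def probe_host(host: str, port: int = 2001, timeout: float = 3.0) -> bool:
    """Send one harmless line and report whether the reply matches the banner.

    Hypothetical helper for triaging hosts you administer; returns False on
    connection failure, timeout, or a reply that does not fit the pattern.
    Only a single chunk is read, which is enough for the short reply seen.
    """
    probe = "helo\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(probe.encode("ascii"))
            data = s.recv(256)
    except OSError:
        return False
    return matches_listener_banner(probe, data.decode("ascii", "replace"))


if __name__ == "__main__":
    # Constructed address from the post; use hosts you are responsible for.
    print(probe_host("192.168.5.89"))
```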
