RE: Can anyone identify this possible backdoor?

From: Schmehl, Paul L (pauls_at_utdallas.edu)
Date: 08/26/03

    Date: Tue, 26 Aug 2003 10:15:38 -0500
    To: <incidents@securityfocus.com>
    
    

    > -----Original Message-----
    > From: Greg Owen [mailto:gowen-incidents@swynwyr.com]
    > Sent: Saturday, August 23, 2003 7:51 PM
    > To: incidents@securityfocus.com
    > Subject: Re: Can anyone identify this possible backdoor?
    >
    > Sorry, I should have been a bit more explicit.
    >
    > 1) The command line above 'nc 192.168.5.89 2001' is me investigating,
    > not anything running on or printed by the victim machine. Netcat may or
    > may not be in use on the victim machine, but that's not really my point;
    > I'm wondering what is sending back the error message here (and it isn't
    > netcat, I've grepped the source).
    >
    > 2) The first time I connected, I hit 'return', at which point whatever
    > is listening printed "<\n> Unrecognized command or Invalid argument
    > received" where \n was an actual CRLF.

    Have you tried typing "help" at the prompt? Or "?"?

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    AVIEN Founding Member
    http://www.utdallas.edu/~pauls/


