Security Incidents mailing list archives
Mystery web server trojan(?) on Windows ME
From: Jeremy Anderson <jeremy () is2inc com>
Date: Wed, 20 Jun 2001 18:39:25 -0700 (PDT)
Hi folks,

One of my users is running WinME at home. He reported that he thought his home machine had been hacked. Running a portscan on the machine turned up the following:

    10.0.0.23  unknown      135/tcp   unassigned
    10.0.0.23  netbios-ssn  139/tcp   # NETBIOS session server
    10.0.0.23  unknown      4343/tcp  unassigned

Attempting to telnet to port 4343 on this machine, I found what appeared to be a small webserver. Here are some samples:

----------------------------------------------------------
GET / HTTP/1.0

HTTP/1.1 400 Bad Request
----------------------------------------------------------
iojgoijtgoij

HTTP/1.1 400 Bad Request
----------------------------------------------------------
GET / HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.14-5.0smp i686)
Host: 10.0.0.23:4343
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1

HTTP/1.1 400 Bad Request
----------------------------------------------------------

... and so on. Not very revealing.

I attempted to run inzider (http://www.ntsecurity.nu) on the machine to find out what was hooked up to this port (expecting a copy of Back Orifice or similar). While I don't have the dump from inzider, there was no process attached to the server.

Does this sound familiar to anyone? I have reason to believe it's a stealth backdoor of some sort, but I don't have much information to go on.

Thanks in advance.

Jeremy Anderson            email: jeremy () is2inc com
Systems Administrator      tel:   425/775.6495
IS-Squared Inc.            fax:   425/774.8564
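An added triage helper, written for this archive page and not part of Jeremy's post or the thread, that automates the two probes he sent by hand: a well-formed HTTP/1.0 request and a line of garbage, each on its own connection, followed by a comparison of the status lines. The host and port are whatever you pass on the command line, the replies in the example are constructed, and it assumes the listener answers in HTTP, as the one on port 4343 did.

```python
import socket
import sys

# Probes modelled on the post: a well-formed HTTP/1.0 request (as the Linux box sent)
# and a line of garbage. A real web server answers these two differently.
WELL_FORMED = (b"GET / HTTP/1.0\r\nHost: 10.0.0.23:4343\r\n"
               b"User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.14-5.0smp i686)\r\n\r\n")
GARBAGE = b"iojgoijtgoij\r\n\r\n"


def parse_status(raw):
    """Return (version, code, reason) from the first line of a reply, or None if
    that line is not an HTTP status line (e.g. an empty reply or a non-HTTP banner)."""
    first = raw.split(b"\n", 1)[0].rstrip(b"\r").decode("latin-1", "replace")
    parts = first.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None
    return parts[0], int(parts[1]), parts[2] if len(parts) == 3 else ""


def classify(replies):
    """replies: probe name -> raw reply bytes. Summarise how the listener behaves."""
    statuses = {name: parse_status(raw) for name, raw in replies.items()}
    if all(s is None for s in statuses.values()):
        return "not-http"
    good = statuses.get("well_formed")
    if good and good[1] < 400:
        return "serves-content"          # behaves like a real web server
    if {s[1] for s in statuses.values() if s} == {400}:
        return "rejects-everything"      # what the post saw: 400 to any input
    return "mixed"


def probe(host, port, timeout=5.0):
    """Send each probe on its own connection and collect the raw reply bytes."""
    replies = {}
    for name, payload in (("well_formed", WELL_FORMED), ("garbage", GARBAGE)):
        chunks = []
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(payload)
            try:
                while data := sock.recv(4096):
                    chunks.append(data)
            except socket.timeout:
                pass                     # listener kept the socket open; use what we have
        replies[name] = b"".join(chunks)
    return replies


if __name__ == "__main__":               # usage: probe.py 10.0.0.23 4343
    result = probe(sys.argv[1], int(sys.argv[2]))
    print({n: parse_status(r) for n, r in result.items()}, classify(result))
```

A verdict of "rejects-everything" reproduces what the post observed and is worth comparing against the same probes aimed at a known web server; "not-http" means the listener is speaking something else entirely.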