Security Incidents mailing list archives
Re: Trojan of somesort
From: Harlan Carvey <keydet89 () yahoo com>
Date: Wed, 26 May 2004 09:15:17 -0700 (PDT)
Matt,

I'm familiar w/ some of the Trojans/backdoors w/ FTP capability, but can you provide some specific information regarding rootkits that have this capability? Not *nix-based, but for Windows?

--- MATT GIBSON <mattgibson () shaw ca> wrote:

> > Bob the Builder wrote:
> > > I am currently doing an investigation into a compromised system.
> > > Before pulling the plug I netcatted to a suspicious open port and
> > > received the following banner:
> > >
> > > 220 SiGN - FR33-FXP3rs - On Da FUcKiNGC@S£!!!
> > >
> > > I am presuming this to be the welcome banner for a trojan horse of
> > > some sort. Has anybody seen this before or does anybody know anything
> > > about it or what Trojan this might be?
> >
> > It's issuing a 220 - that's the welcome code for SMTP.
> > Try sending a HELO or EHLO. If it responds with a 250,
> > my bet is it's running as an open relay.
>
> I'd actually say it's more likely that it's an FTP server, since these are built into many of the latest trojans and rootkits.
>
> -Matt
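The check discussed in the message above, sketched as an added example that is not part of the original thread: a 220 greeting alone does not distinguish SMTP from FTP, so the responder triages the listener by its reply codes to `EHLO`/`HELO` (250 for SMTP) and `USER` (230/331/530 for FTP). The function names, the `probe.invalid` hostname and the sample transcripts are constructed for illustration.

```python
import io
import socket

def read_reply(reader) -> int:
    """Read one (possibly multi-line) reply; return its 3-digit code, or 0."""
    line = reader.readline()
    code = line[:3]
    if not code.isdigit():
        return 0
    # "NNN-" opens a multi-line reply in both SMTP and FTP; it ends at "NNN ".
    if line[3:4] == b"-":
        while line and not line.startswith(code + b" "):
            line = reader.readline()
    return int(code)

def classify(exchange) -> str:
    """exchange(cmd) sends cmd (None = only read the greeting), returns reply code."""
    if exchange(None) != 220:
        return "unknown"
    if exchange(b"EHLO probe.invalid") == 250 or exchange(b"HELO probe.invalid") == 250:
        return "smtp"
    if exchange(b"USER anonymous") in (230, 331, 530):
        return "ftp"
    return "unknown"

def live_exchange(host: str, port: int, timeout: float = 5.0):
    """exchange() bound to a real listener on a host you are investigating."""
    sock = socket.create_connection((host, port), timeout=timeout)
    reader = sock.makefile("rb")
    def exchange(cmd):
        if cmd is not None:
            sock.sendall(cmd + b"\r\n")
        return read_reply(reader)
    return exchange

def scripted(replies: dict):
    """Constructed stand-in for a server: maps command verb -> raw reply bytes."""
    def exchange(cmd):
        key = None if cmd is None else cmd.split()[0]
        return read_reply(io.BytesIO(replies.get(key, b"500 unknown command\r\n")))
    return exchange

# Constructed transcripts, not captured from any real host.
FTP_LIKE = {None: b"220-constructed banner\r\n220 ready\r\n",
            b"USER": b"331 password required\r\n"}
SMTP_LIKE = {None: b"220 mail.example ESMTP\r\n",
             b"EHLO": b"250-mail.example\r\n250 PIPELINING\r\n"}
```

Against a live port the call is `classify(live_exchange(host, port))`; record the raw replies alongside the verdict, since a backdoor can answer with any codes it likes.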
Current thread:
- Trojan of somesort Bob the Builder (May 25)
- Re: Trojan of somesort Greg Bolshaw (May 25)
- Re: Trojan of somesort Brian Eckman (May 25)
- Re: Trojan of somesort Anonymous (May 27)
- RE: Trojan of somesort Rob Shein (May 25)
- Re: Trojan of somesort Andrew Smith (May 26)
- Re: Trojan of somesort Harlan Carvey (May 26)
- Re: Trojan of somesort Paul Schmehl (May 26)
- <Possible follow-ups>
- Re: Trojan of somesort MATT GIBSON (May 26)
- Re: Trojan of somesort Harlan Carvey (May 26)
- Re: Trojan of somesort caldcv (May 26)