Security Incidents mailing list archives
Re: Trojan of somesort
From: MATT GIBSON <mattgibson () shaw ca>
Date: Tue, 25 May 2004 15:25:16 -0700
Bob the Builder wrote:
> I am currently doing an investigation into a compromised system. Before pulling the plug I netcatted to a suspicious open port and received the following banner:
>
> 220 SiGN - FR33-FXP3rs - On Da FUcKiNG C@S£!!!
>
> I am presuming this to be the welcome banner for a trojan horse of some sort. Has anybody seen this before or does anybody know anything about it or what Trojan this might be?

> It's issuing a 220 - that's the welcome code for SMTP.
> Try sending a HELO or EHLO. If it responds with a 250,
> my bet is it's running as an open relay.

I'd actually say it's more likely that it's an FTP server, since these are built into many of the latest trojans and rootkits.

-Matt
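
Added example, not part of the original message: a 220 greeting is shared by SMTP (RFC 5321) and FTP (RFC 959), so this sketch classifies a recorded session from the replies to one SMTP-only command (`EHLO`) and one FTP-only command (`USER`), going one step beyond the EHLO test suggested in the thread. The function names are hypothetical, and every reply other than the banner quoted above is constructed sample data.

```python
import re

def final_code(reply: str):
    """Return the 3-digit code that ends a (possibly multi-line) reply, or None."""
    code = None
    for line in reply.splitlines():
        m = re.match(r"(\d{3})([ -]|$)", line.strip())
        if m:
            code = int(m.group(1))
            if m.group(2) != "-":  # "250-..." continues, "250 ..." ends the reply
                break
    return code

def classify(banner: str, ehlo_reply: str, user_reply: str) -> str:
    """Classify a service that greeted with 220 from its replies to two probes."""
    if final_code(banner) != 220:
        return "unknown"                      # not an SMTP/FTP style greeting
    smtp = final_code(ehlo_reply) == 250      # SMTP accepts EHLO with 250
    ftp = final_code(user_reply) in (230, 331, 332)  # FTP answers to USER
    if smtp and not ftp:
        return "smtp"
    if ftp and not smtp:
        return "ftp"
    return "ambiguous"                        # no reply, or conflicting replies

# Banner as quoted in the thread; the replies below are constructed samples.
PAGE_BANNER = "220 SiGN - FR33-FXP3rs - On Da FUcKiNG C@S£!!!"
FTP_EHLO = "500 'EHLO': command not understood."
FTP_USER = "331 Password required for anonymous."
SMTP_BANNER = "220 mail.example.test ESMTP"
SMTP_EHLO = "250-mail.example.test\r\n250-SIZE 10240000\r\n250 HELP"
SMTP_USER = "502 5.5.2 Error: command not recognized"

if __name__ == "__main__":
    print(classify(PAGE_BANNER, FTP_EHLO, FTP_USER))    # FTP-style session
    print(classify(SMTP_BANNER, SMTP_EHLO, SMTP_USER))  # SMTP-style session
```

Feed it the text captured during triage (for instance, a saved netcat session); a result of "ambiguous" means the two probes did not settle the question and the banner alone should not be trusted.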