Security Incidents mailing list archives

Re: Trojan of somesort


From: Harlan Carvey <keydet89 () yahoo com>
Date: Wed, 26 May 2004 09:15:17 -0700 (PDT)

Matt,

I'm familiar w/ some of the Trojans/backdoors w/ FTP
capability, but can you provide some specific
information regarding rootkits that have this
capability?  Not *nix-based, but for Windows?


--- MATT GIBSON <mattgibson () shaw ca> wrote:
Bob the Builder wrote:
I am currently doing an investigation into a compromised system.
Before pulling the plug I netcatted to a suspicious open port and
received the following banner:
         220 SiGN - FR33-FXP3rs - On Da FUcKiNG C@S£!!!
I am presuming this to be the welcome banner for a trojan horse of
some sort. Has anybody seen this before or does anybody know anything
about it or what Trojan this might be?

It's issuing a 220 - that's the welcome code for SMTP. Try sending a
HELO or EHLO. If it responds with a 250, my bet is it's running as an
open relay.

I'd actually say it's more likely that it's an FTP
server, since these are built into many of the
latest trojans and rootkits.

-Matt
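
Added example, not part of the original thread: a 220 greeting is used by both SMTP and FTP, so the banner alone does not identify the service. This Python sketch classifies a captured session offline from the replies to follow-up commands. The function names, the evidence table and every reply other than the banner quoted above are constructed for illustration.

```python
import re

# SMTP (RFC 5321) and FTP (RFC 959) share reply framing:
# "NNN-text" continues a reply, "NNN text" ends it.
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

# (command verb, reply code) pairs that only make sense in one protocol.
EVIDENCE = {
    ("HELO", 250): "smtp", ("EHLO", 250): "smtp",
    ("USER", 331): "ftp", ("USER", 230): "ftp", ("SYST", 215): "ftp",
}

def parse_replies(raw):
    """Split raw server output into a list of (code, [text lines])."""
    replies, code, lines = [], None, []
    for line in raw.splitlines():
        m = REPLY_LINE.match(line.strip())
        if not m:
            if code is not None:
                lines.append(line.strip())  # free text inside a multi-line reply
            continue
        if code is None:
            code = int(m.group(1))
        lines.append(m.group(3))
        if m.group(2) == " " and int(m.group(1)) == code:
            replies.append((code, lines))   # final line closes the reply
            code, lines = None, []
    return replies

def classify(exchange):
    """exchange: list of (command_sent, raw_reply); command None = greeting.
    Returns 'smtp', 'ftp', or 'ambiguous' (no or conflicting evidence)."""
    found = set()
    for command, raw in exchange:
        verb = command.split()[0].upper() if command else None
        for code, _ in parse_replies(raw):
            proto = EVIDENCE.get((verb, code))
            if proto:
                found.add(proto)
    return found.pop() if len(found) == 1 else "ambiguous"

BANNER = "220 SiGN - FR33-FXP3rs - On Da FUcKiNG C@S£!!!\r\n"  # from the post
# Constructed sessions: what an SMTP or an FTP service might answer.
SMTP_SESSION = [(None, BANNER),
                ("EHLO triage.example", "250-host.example Hello\r\n250 OK\r\n")]
FTP_SESSION = [(None, BANNER),
               ("EHLO triage.example", "500 Unknown command\r\n"),
               ("USER anonymous", "331 Password required\r\n")]

if __name__ == "__main__":
    for name, s in (("banner only", [(None, BANNER)]),
                    ("smtp-like", SMTP_SESSION), ("ftp-like", FTP_SESSION)):
        print(name, "->", classify(s))
```
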


