Author Topic: Anyone recognize this?  (Read 3081 times)


August 28, 2010, 01:04:03 pm
Yossarian (Newbie)

I'm looking at what I think is a trojaned computer remotely (currently connected via VPN).

I could just knock them off, but I'm trying to discover what this is.

It's a Windows computer (NMAP OS ID and the version of the VPN client), but the normal MS ports aren't listening.

Instead, I have servers on 80, 443, 4794, and 27777/tcp.

Amap IDs them all as http, but there are no banners or headers.

The 80 and 4794 servers always return a 404 (at least I haven't found a valid path yet). 443 server isn't really SSL (openssl s_client), but I can't get a valid http response either. 27777 server always returns a 200 but never any actual data.

The client itself is trying to hit IPs all over the world on 80 and 443. I can't find the destination IPs on any lists of known malware hosts though. Our default route goes to a black hole internally, so I don't see the actual http transaction - just the SYNs.

Any idea what this might be or how to better ID it remotely?
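The outbound pattern described in the post (one internal host sending SYNs to many unrelated external IPs on 80 and 443, all swallowed by the internal black-hole route) is something you can quantify from the black-hole firewall's own logs even without the HTTP payload. The script below is an added example, not something from this thread; it parses constructed iptables-style SYN log lines (the log format, the host addresses and the thresholds are all assumptions) and reports per-source fan-out, which is the figure that separates a host beaconing to a rotating set of controllers from a host retrying one legitimate destination.

```python
"""Summarize outbound SYN fan-out per internal host from black-hole firewall logs.

Added example for the thread above, not code from the forum or its users.
Assumptions: iptables-style kernel log lines with SRC=/DST=/DPT= fields and a
trailing SYN flag; the sample lines, hosts and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (format assumed; adapt LINE_RE to your firewall).
SAMPLE_LOG = """\
Aug 28 12:58:01 fw kernel: BLACKHOLE IN=eth1 SRC=10.1.5.23 DST=203.0.113.10 PROTO=TCP SPT=49152 DPT=80 SYN
Aug 28 12:58:02 fw kernel: BLACKHOLE IN=eth1 SRC=10.1.5.23 DST=198.51.100.7 PROTO=TCP SPT=49153 DPT=443 SYN
Aug 28 12:58:03 fw kernel: BLACKHOLE IN=eth1 SRC=10.1.5.23 DST=192.0.2.55 PROTO=TCP SPT=49154 DPT=80 SYN
Aug 28 12:58:04 fw kernel: BLACKHOLE IN=eth1 SRC=10.1.5.23 DST=203.0.113.88 PROTO=TCP SPT=49155 DPT=443 SYN
Aug 28 12:58:05 fw kernel: BLACKHOLE IN=eth1 SRC=10.1.5.23 DST=198.51.100.200 PROTO=TCP SPT=49156 DPT=80 SYN
Aug 28 12:58:06 fw kernel: BLACKHOLE IN=eth1 SRC=10.1.5.23 DST=192.0.2.9 PROTO=TCP SPT=49157 DPT=443 SYN
Aug 28 12:58:30 fw kernel: BLACKHOLE IN=eth1 SRC=10.1.5.40 DST=203.0.113.10 PROTO=TCP SPT=50001 DPT=443 SYN
Aug 28 12:58:31 fw kernel: BLACKHOLE IN=eth1 SRC=10.1.5.40 DST=203.0.113.10 PROTO=TCP SPT=50002 DPT=443 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP SPT=\d+ DPT=(?P<dport>\d+) SYN$"
)


def parse_syn_log(text, year=2010):
    """Return a list of (timestamp, src, dst, dport) for every SYN line that matches."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-SYN or unrelated log lines are ignored
        # syslog timestamps carry no year, so one is supplied (assumption: 2010)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], int(m["dport"])))
    return events


def summarize_fanout(events, min_distinct_dst=5, window_seconds=60):
    """Per source host: SYN count, distinct destinations, ports, and the largest
    number of distinct destinations seen inside any sliding window.
    A host is flagged 'suspect' when that peak reaches min_distinct_dst
    (thresholds are assumptions; tune them to your network's baseline)."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in events:
        per_src[src].append((ts, dst, dport))

    findings = {}
    for src, evs in per_src.items():
        evs.sort()
        max_in_window = 0
        for i, (t0, _, _) in enumerate(evs):
            seen = set()
            for t, d, _ in evs[i:]:
                if (t - t0).total_seconds() > window_seconds:
                    break
                seen.add(d)
            max_in_window = max(max_in_window, len(seen))
        findings[src] = {
            "syns": len(evs),
            "distinct_dsts": len({d for _, d, _ in evs}),
            "ports": sorted({p for _, _, p in evs}),
            "max_distinct_dsts_per_window": max_in_window,
            "suspect": max_in_window >= min_distinct_dst,
        }
    return findings


if __name__ == "__main__":
    for src, info in summarize_fanout(parse_syn_log(SAMPLE_LOG)).items():
        flag = "SUSPECT" if info["suspect"] else "ok"
        print(f"{src:15} syns={info['syns']:3} dsts={info['distinct_dsts']:3} "
              f"ports={info['ports']} peak/window={info['max_distinct_dsts_per_window']} {flag}")
```

Feed it the real black-hole log instead of `SAMPLE_LOG` and the host that is "hitting IPs all over the world" stands out as a high distinct-destination count on few ports, while a host retrying a single dead destination (the second source in the sample) does not; the destination list it produces is also what you would hand to a pcap capture filter or a reputation lookup next.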

August 29, 2010, 02:49:37 am
Reply #1
MysteryFCM (Administrator, Hero Member)

Could be any number of things. Have you checked with Wireshark?

As for the returns, if you've got access to the server (I presume this is a server you're actually meant to have access to?), why not just check the server's config file?
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

August 29, 2010, 05:19:34 am
Reply #2
Yossarian (Newbie)

Quote from: MysteryFCM
> Could be any number of things. Have you checked with Wireshark?
>
> As for the returns, if you've got access to the server (I presume this is a server you're actually meant to have access to?), why not just check the server's config file?

Sorry, probably wasn't very clear before.

There's just one machine involved here. It was a VPN client, so I don't have physical access. The usual MS ports aren't listening - so no remote access either.

What is listening on this PC are the 4 ports mentioned above. I'm assuming they are either backdoors or maybe P2P. I was just wondering if this looked familiar to anyone as far as what it might be specifically. The helpdesk has probably talked to the user by now, but I haven't heard the results of any scans.

September 01, 2010, 12:01:20 pm
Reply #3
MysteryFCM (Administrator, Hero Member)

There are several infections that are known to use those (and indeed many other) ports, but without access to either the server or a pcap, there's no way of determining what it actually is (Pushdo, for example, has been seen using 80 and 443 for its C&C conversations).
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net