I'm looking at what I think is a trojaned computer remotely (currently connected via VPN).
I could just knock them off, but I'm trying to discover what this is.
It's a Windows computer (Nmap OS ID and the version of the VPN client), but the normal MS ports aren't listening.
Instead, I have servers on 80, 443, 4794, and 27777/tcp.
Amap IDs them all as HTTP, but there are no banners or headers.
The 80 and 4794 servers always return a 404 (at least I haven't found a valid path yet). The 443 server isn't really SSL (openssl s_client), but I can't get a valid HTTP response either. The 27777 server always returns a 200 but never any actual data.
The client itself is trying to hit IPs all over the world on 80 and 443. I can't find the destination IPs on any lists of known malware hosts, though. Our default route goes to a black hole internally, so I don't see the actual HTTP transaction, just the SYNs.
Any idea what this might be, or how to better ID it remotely?
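Added example, not part of the original post: a small Python probe that records the kind of evidence the post describes (a 404 with no headers, a 200 with no body, a port 443 that does not answer a TLS ClientHello) as a structured fingerprint you can compare across hosts or paste into a ticket. The host, the port list and the sample responses at the bottom are assumptions constructed for illustration; the ClientHello is a minimal hand-built TLS 1.2 hello, not something copied from a library.

```python
import re
import socket
import sys

# Plain HTTP/1.1 request used as the first probe on every port.
HTTP_PROBE = b"GET / HTTP/1.1\r\nHost: probe\r\nConnection: close\r\n\r\n"


def build_client_hello() -> bytes:
    """Minimal TLS 1.2 ClientHello: one cipher suite, no extensions, zeroed random.

    Enough to make a real TLS server answer with a ServerHello or an alert,
    and to make a non-TLS service answer with garbage or nothing.
    """
    body = (
        b"\x03\x03"            # client_version = TLS 1.2
        + b"\x00" * 32         # random (constant here; this is a probe, not a real session)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x00\x2f"  # cipher_suites: one entry, TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"          # compression_methods: null only
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # record: handshake


def classify_http(raw: bytes) -> dict:
    """Summarise a raw HTTP response: status, header count, Server header, body length."""
    if not raw:
        return {"kind": "no-response"}
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = re.match(rb"HTTP/(\d\.\d) (\d{3})", lines[0])
    if not m:
        return {"kind": "not-http", "bytes": len(raw)}
    headers = [line for line in lines[1:] if b":" in line]
    server = next(
        (h.split(b":", 1)[1].strip().decode(errors="replace")
         for h in headers if h.lower().startswith(b"server:")),
        None,
    )
    return {
        "kind": "http",
        "version": m.group(1).decode(),
        "status": int(m.group(2).decode()),
        "headers": len(headers),
        "server": server,
        "body": len(body) if sep else 0,
    }


def classify_tls(raw: bytes) -> str:
    """Label what came back after a ClientHello, using only the record header bytes."""
    if not raw:
        return "no-response"
    if len(raw) >= 6 and raw[0] == 0x16 and raw[1] == 0x03 and raw[5] == 0x02:
        return "tls-server-hello"        # handshake record carrying a ServerHello
    if len(raw) >= 3 and raw[0] == 0x15 and raw[1] == 0x03:
        return "tls-alert"               # a real TLS stack rejected our hello
    if raw.startswith(b"HTTP/"):
        return "plaintext-http"          # an HTTP server answered binary with HTTP
    return "unknown"


def probe(host: str, port: int, payload: bytes, timeout: float = 5.0) -> bytes:
    """Send one payload and collect everything the service returns until close or timeout."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        chunks = []
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
        return b"".join(chunks)


def fingerprint(host: str, ports=(80, 443, 4794, 27777)) -> dict:
    """Per-port fingerprint from both probes (port list from the post; host is a placeholder)."""
    return {
        port: {
            "http": classify_http(probe(host, port, HTTP_PROBE)),
            "tls": classify_tls(probe(host, port, build_client_hello())),
        }
        for port in ports
    }


# Constructed sample responses mirroring the post's observations (not real captures).
SAMPLES = {
    80: b"HTTP/1.1 404 Not Found\r\n\r\n",                 # 404, zero headers
    443: b"\x15\x03\x01\x00\x02\x02\x28",                   # TLS alert record (handshake_failure)
    27777: b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",  # 200 with an empty body
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for port, result in fingerprint(sys.argv[1]).items():
            print(port, result)
    else:
        for port, raw in SAMPLES.items():
            print(port, classify_http(raw), classify_tls(raw))
```

Run it with the suspect host as the only argument to probe live; with no argument it classifies the constructed samples. A 404 with zero headers and a 200 with no body are both unlike any stock web server, and a 443 that never returns a ServerHello record confirms the "not really SSL" observation in a form you can compare against other hosts.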