Pastimes : Internet Security/Privacy Issues and Solutions

To: caly who wrote (106) 1/3/2001 9:53:41 PM
From: Greg from Edmonton
 
This morning I found some interesting activity. I had installed PortSentry (to monitor incoming connections, port scans, etc.) on my firewall a couple of weeks ago just for kicks, but haven't really configured it yet. Hmm, I think I will increase the priority of that task. I am including a copy of the email I just sent to the administrative contact for the host machine (the names have been omitted to protect the guilty).

EDIT: I am currently scanning all of the remaining TCP ports on this system and am beginning to think that this system is quite heavily 0wned (found a copy of SSH installed on TCP port 7474).


Dear Sir:

Your server 111.222.99.64 appears as though its security may have been compromised.

I have a dial-up firewall (modem server) that I use to connect my internal network to the internet. I have an internal FTP server mapped from the firewall for the rare times that I may need it. I left my FTP server running last night, although I very rarely do so. This morning the FTP server log indicated a TCP connect which originated from your machine. This is very unusual activity, to scan dial-up hosts for FTP servers. Curiosity got the better of me, so I decided to investigate further (I am currently seeking a career opportunity in networking and internet security).

Here are the results of my scan.

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Host nightcrawler.breached.com (111.222.99.64) appears to be up ... good.
Initiating SYN half-open stealth scan against nightcrawler.breached.com
(111.222.99.64)
Adding TCP port 80 (state open).
Adding TCP port 22 (state open).
Adding TCP port 21 (state open).
Adding TCP port 1019 (state open).
The SYN scan took 22 seconds to scan 1523 ports.
For OSScan assuming that port 21 is open and port 1 is closed and neither
are firewalled
Interesting ports on nightcrawler.breached.com (111.222.99.64):
(The 1519 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
80/tcp open http
1019/tcp open unknown

After some further research I learned that TCP port 1019 likely belongs to
"Xtreme Trojan Horse" as listed here.
hackerwhacker.com

This trojan horse program is also known to run on TCP port 1090.

I am currently researching more about this trojan horse program, what it is and how to remove it.

Please respond via email to confirm receipt of this message as soon as it is received.

Yours Truly,

Greg
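The triage step the post describes (reading the nmap port table and checking open ports against a list of ports associated with known trojans) can be done mechanically. The script below is an added example, not code from the post or from nmap or PortSentry; the sample report is constructed from the nmap 2.53 output quoted above, and the suspect-port table contains only the two ports the post names for "Xtreme" (1019 and 1090). A real deployment would load that table from a maintained reference list, which is an assumption here.

```python
"""Triage an nmap text report against ports associated with known
trojan/backdoor listeners, and flag open ports nmap cannot name."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the nmap 2.53 port table quoted in the post.
SAMPLE_REPORT = """\
Interesting ports on nightcrawler.breached.com (111.222.99.64):
(The 1519 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
80/tcp open http
1019/tcp open unknown
"""

# Ports the post associates with the "Xtreme" trojan. Assumption: in practice
# this mapping is loaded from a maintained reference list, not hard-coded.
SUSPECT_PORTS: Dict[Tuple[int, str], str] = {
    (1019, "tcp"): "Xtreme trojan horse (port cited in the post)",
    (1090, "tcp"): "Xtreme trojan horse (alternate port cited in the post)",
}

# Matches nmap's classic "<port>/<proto> <state> <service>" table rows.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")


def parse_ports(report: str) -> List[Tuple[int, str, str, str]]:
    """Return (port, proto, state, service) tuples from an nmap text report.
    Header and summary lines do not match the row pattern and are skipped."""
    rows = []
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def triage(report: str) -> List[dict]:
    """Flag open ports that are on the suspect list, and open ports nmap
    reports as 'unknown' (the condition that prompted a closer look in the
    post). Each finding carries every reason that applies."""
    findings = []
    for port, proto, state, service in parse_ports(report):
        if state != "open":
            continue
        reasons = []
        if (port, proto) in SUSPECT_PORTS:
            reasons.append(SUSPECT_PORTS[(port, proto)])
        if service == "unknown":
            reasons.append("no known service name; verify what is listening")
        if reasons:
            findings.append({"port": port, "proto": proto, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f['port']}/{f['proto']}: " + "; ".join(f["reasons"]))
```

Note that nmap 2.53 names services by port number from its own table, not by banner, so a service on a non-standard port (such as the SSH daemon the post later found on 7474) shows up as "unknown"; that is why unidentified open ports are flagged alongside the suspect-port hits.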