To: Greg from Edmonton who wrote (107)
1/3/2001 11:55:02 PM
From: Greg from Edmonton

Yep, me thinks this box is pretty much rooted... Notice the TCP banners at the bottom of the scan. Two different versions of SSH, and one of them is on a high port (7474). Doesn't look too good...

It bothers me a bit that I couldn't seem to find any information about the "Xtreme" trojan horse, other than that it is typically found on ports 1019 or 1090. Anybody else have any suggestions where else I might look? I've been almost everywhere I know already (various search engines, cert.org, securityfocus.com, etc. etc.). Information about "Xtreme" seems to be quite obscure, compared with Windows-based trojans like NetBus or BackOrifice which have lots of info about them.

Nmap's best guess reports that the host system seems to be running Linux kernel 2.2 or thereabouts.

D:\>fscan -bvpr 21,22,80,1019,1090,4675,7474 111.222.99.64 -d 100
FScan v1.12 - Command line port scanner.
Copyright 2000 (c) by Foundstone, Inc.
foundstone.com

Adding TCP port 21
Adding TCP port 22
Adding TCP port 80
Adding TCP port 1019
Adding TCP port 1090
Adding TCP port 4675
Adding TCP port 7474
Adding IP 111.222.99.64
Using 64 threads.
Connect timeout set to 600 ms.
Ping timeout set to 500 ms.
Scan delay set to 100 ms.
Banner grabbing enabled.

Scan started at Wed Jan 03 21:31:22 2001

Scanning TCP ports on 111.222.99.64
111.222.99.64 21/tcp 220 nightcrawler.breached.com FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.[0D][0A]
111.222.99.64 22/tcp SSH-1.99-OpenSSH_2.2.0p1[0A]
111.222.99.64 7474/tcp SSH-1.5-1.2.27[0A]
111.222.99.64 80/tcp
111.222.99.64 1019/tcp

Scan finished at Wed Jan 03 21:31:24 2001
Time taken: 7 ports in 1.531 secs (4.57 ports/sec)
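The banner reading described in the post above can be automated when triaging many hosts. The following is an added example, not part of the original post and not Foundstone's code: it parses the fscan result lines quoted above and flags the signs the post points to. The function names, finding labels and the watchlist constant are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Result lines copied from the fscan output in the post above.
SAMPLE = """\
111.222.99.64 21/tcp 220 nightcrawler.breached.com FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.[0D][0A]
111.222.99.64 22/tcp SSH-1.99-OpenSSH_2.2.0p1[0A]
111.222.99.64 7474/tcp SSH-1.5-1.2.27[0A]
111.222.99.64 80/tcp
111.222.99.64 1019/tcp
"""

# "<ip> <port>/tcp [banner]" as printed in the post's scan output.
LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)/tcp\s*(.*)$")
# SSH identification string: SSH-<protocol>-<software>, then fscan's
# printable rendering of CR/LF ([0D], [0A]).
SSH_ID = re.compile(r"^SSH-(\d+\.\d+)-(\S+?)(?:\[0[AD]\])*$")
WATCH_PORTS = {1019, 1090}  # ports the post associates with "Xtreme"
SSH_PORT = 22

def parse(text):
    """Return {host: [(port, banner), ...]} for each result line.
    Assumption: fscan lists only ports that accepted a connection."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            hosts[m.group(1)].append((int(m.group(2)), m.group(3).strip()))
    return hosts

def findings(text):
    """Flag the signs the post reads as suspicious, per host."""
    out = []
    for host, ports in parse(text).items():
        ssh = {}  # port -> SSH software version string
        for port, banner in ports:
            m = SSH_ID.match(banner)
            if m:
                ssh[port] = m.group(2)
                if port != SSH_PORT:
                    out.append((host, port, "ssh-on-nonstandard-port"))
            if port in WATCH_PORTS:
                out.append((host, port, "watchlist-port-open"))
        if len(set(ssh.values())) > 1:
            out.append((host, None, "multiple-ssh-versions"))
    return out

if __name__ == "__main__":
    for finding in findings(SAMPLE):
        print(finding)
```

A finding here is a prompt to compare against the host's known-good service inventory, not proof of compromise on its own.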