Netbus, what would you do.

Hi Guys,
thought i'd post this i would like to get an over view of what you people here at AO would do.

I'm running a fire wall which has recently recorded a couple of inbound tcp connection attemps.
Using tds3 i did an interigation of the recorded ip address and found that netbus was running on port 12345. Within tds3 you have a tcp connect utility, so i made a connection to port 12345 on the remote machine this showed me netbus 1.7x password protected. Now within tds3 you have the ability to disinfect the remote machine. However that would require nowing the password.

The question i would like to ask is what people here would do with this information, crack the password and disinfect, report to the network abuse department ? whatever?

Is this a home computer or one at work? Either way I would simply disconnect the system from the network and "clean" it. If you really must get the password then run a packet sniffer watching that particular port and IP. WHo ever installed it is bound to log into it.

I think you miss understand me, i'm on a home pc, netbus is on a remote machine. I was obviously being scanned for a netbus server, Which i have not got.

If this machine isn't yours... which I think it isn't (because you're seeing it inbound) I'd send an email to the admin of whoevers network of the attacking machine and notify the of the time, date, ip and activity. Sometimes emails go ignored... so a phone call would also work... if you don't mind paying tolls. You can do a whois on the network and find out if they have a toll free number for you to call too.

It is possible that the user of the infected machine doesn't even know he has it on there... Or it could be some s.kiddie too. I've never used netbus... so I'm not sure of how the trojan works. (wheather there is a client/server in one, or if the client/server are separate.)

I would not try to crack the password because you would be doing just as much trouble as the other person is. I'm not sure about your laws... but I know several places have "hack back" laws that prohibit this type of activity.

Just be happy that your firewall is blocking it and he isn't going to get your network. Report them with the usual info, and let the ISP take care of it... (notifying the user, monitoring for suspicious activity, etc.)

This is the sort of feedback i was looking for what peoples ethical views on hack back are.
Thanks phishphreek80, what you suggest is what my own instink is to do.

Come on guys lets here some arguments for other caurses of action.

If I am reading this right, you have tracked back the computer that was scanning you for netbus. If that is the case, you have the IP address. Armed with that info., I think it's best you stay out of trouble, don't try a 'hack-back' by cracking the password. With the IP address, determine his/her ISP. Bundle up all the evidence you have (logs, etc.) of the attack/scan and send it to the abuse@isp.com.

This is the smart way to go, it is the legal course of action.


Cheers:

Quote:

---

Originally posted here by DjM
If I am reading this right, you have tracked back the computer that was scanning you for netbus. If that is the case, you have the IP address. Armed with that info., I think it's best you stay out of trouble, don't try a 'hack-back' by cracking the password. With the IP address, determine his/her ISP. Bundle up all the evidence you have (logs, etc.) of the attack/scan and send it to the abuse@isp.com.

This is the smart way to go, it is the legal course of action.


Cheers:

---

The attacker could also be scanning from another comprimised machine, and not his own so this will not always catch your attacker.

Quote:

---

Come on guys lets here some arguments for other caurses of action.

---

Quote:

---

The attacker could also be scanning from another comprimised machine, and not his own so this will not always catch your attacker.

---

Right, so if you did decide to crack their password you could invite more problems.

Not only did you break into their computer... can you prove that you didn't put it there?

What if that person reports you, and your ISP suspends you account? Then you have to go looking for another ISP.

At least reporting it to the ISP will give them a chance to find out what is going on. They know who the user is, and they won't tell you. They can decide if the user is doing something malicious, or if they've been owned... if they're infected, the ISP can advise them to take care of it.

Quote:

---

Originally posted here by CXGJarrod


The attacker could also be scanning from another comprimised machine, and not his own so this will not always catch your attacker.

---

True CXGJarrod, but buy doing this (reporting the attack to the ISP), you are not breaking any laws, you are stopping (well trying to stop) the attack and you are alerting the ISP to a problem. I still believe this is the course to follow.

Cheers:

If you have his ip you can also send him/her a "net send" message and let them know they are infected. You can also ask them to contact you for more info. If this person has a firewall net send will be blocked but I doubt that because this netbus trojan is out in the open.
May have to repeat this a couple of times and see what happens, if nothing happens you can send a complaint to his/her isp.

Quote:

---

Originally posted here by jinxy


I'm running a fire wall which has recently recorded a couple of inbound tcp connection attemps.
Using tds3 i did an interigation of the recorded ip address and found that netbus was running on port 12345.

---

And you also said you were scanned for a netbus server? So his connection tried to hit you on port 12345?

NetBus is not a virus it is a trojan. There are actually 2 programs associated with netbus a client and a server.
Unless somehow NetBus has been incorporated into a new virus which I doubt since every antivirus program has 1.7 in its sigs for quite a few years.

You have no right to disinfect as you say but I do not think you can even do this. It would be the same as brute forcing a remote password so I hope you have several super computers and a few years. Not only that but I know people who use netbus as there remote administration. This was a few years ago. Netbus was actually one of the pioneers of remote administration. So the guy may be using it on purpose.

Or the guy could be infected and the 'evil' user is scanning for other netbus servers from the clinet to hide his true ip. Either way you cant go into someones computer without there consent.

I agree with CXGJarrod, the person scanning you is probably the person who put netbus on the computer (I know that's not what you said CXGJarrod, that's my opinion expanding on yours) given that they have remote access to that computer. I don't know about netbus and what you can do with it, for all I know you can't do a scan from a remote computer with netbus. The person who actually owns the computer probably has no clue what is going on. I would send them an email saying that you recorded a scan from their ip, and inform them that they have the trojan netbus on their computer. Then tell them if it was not them scanning they need to uninstall netbus and secure their computer (actually they need to do that regardless). Then say if it happens again you will contact their isp.

S3cur|ty4ng31 makes a couple of really good points. Not unless some dumba** was playing with NetBus and infected themselves and then tried to scan you for it. I had a friend of mine a long time ago that accidently SubSeven'd himself. It was rather entertaining.

You all make a good case for not attempting to hack back which is what i expected. I would report the incident to abuse@isp but in this case i cant find it, none of the whois's that i have tried have shown up any info. The ip locator here at AO shows the location as Milton, New South Wales, Australia. Thats as much info as i have been able to get.

Having interigated the ip address again to day netbus is no longer showing up, so either netbus has been removed from the machine or the machine that was infected has been given another ip address.

So i guess thats about all i can do at the moment. Thanks for the feed back anyway.