
Thread: something trying to phone home on port 2491 ?

  1. #1
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210

    something trying to phone home on port 2491 ?

    ok guys and gals..
    I believe this is the first time that I ever asked for some help and I'm hoping
    that someone can shed a little light on what this may be.

    First off.. this is not for me.. but came from an online friend that asked if I'd help.

    here we go from him..
    do you know wtf twixter.net is?
    IP=(209.214.105.3)

    Been getting a lot of crap spam mails as always to one of my hotmails, and 4-5 a day try and connect to this twixter.net site going through service port 2491.

    FW blocks it every time, but it's a pain in the bum not even knowing what it is.

    Ideas?

    http://209.214.105.3/ and see the "guess who" message (safe to check i think)
    my reply:

    are you sure this isn't some "friend" who's yanking your chain ?
    and gave this info:
    arin says this:
    quote:

    Search results for: 209.214.105.3


    OrgName: BellSouth.net Inc.
    OrgID: BELL

    NetRange: 209.214.0.0 - 209.215.255.255
    CIDR: 209.214.0.0/15
    NetName: BELLSNET-BLK4
    NetHandle: NET-209-214-0-0-1
    Parent: NET-209-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS.BELLSOUTH.NET
    NameServer: NS.ATL.BELLSOUTH.NET
    NameServer: NS.MIA.BELLSOUTH.NET
    NameServer: NS.RDU.BELLSOUTH.NET
    Comment:
    For Abuse Issues, email abuse@bellsouth.net.
    For Subpoena Issues, please email ipadmin@bellsouth.net with "SUBPOENA" in the subject line.
    RegDate: 1998-03-19
    Updated: 2002-10-31

    TechHandle: JG726-ARIN
    TechName: Geurin, Joe
    TechPhone: +1-404-499-5240
    TechEmail: ipadmin@bellsouth.net

    AbuseHandle: ABUSE81-ARIN
    AbuseName: Abuse Group
    AbusePhone: +1-404-986-8151
    AbuseEmail: abuse@bellsouth.net

    OrgAbuseHandle: ABUSE81-ARIN
    OrgAbuseName: Abuse Group
    OrgAbusePhone: +1-404-986-8151
    OrgAbuseEmail: abuse@bellsouth.net

    OrgTechHandle: JG726-ARIN
    OrgTechName: Geurin, Joe
    OrgTechPhone: +1-404-499-5240
    OrgTechEmail: ipadmin@bellsouth.net

    # ARIN Whois database, last updated 2003-02-04 20:00
    # Enter ? for additional hints on searching ARIN's Whois database
    ----------------------------------------------------------------------------

    uh.. this may be totally off the wall but do you know a David J Bush ?
    http://www.littlegolem.net/jsp/info/....jsp?plid=1607

    hehehe nah.. probably not.. wouldn't be that easy..

    Google doesn't show any results for twixter.net. It has 500 hits for twixter.. and ARIN doesn't have any record of twixter.. or twixter.net.
    but if it's trying to call home.. my best guess is that you have a trojan/backdoor on your box.

    according to this port list at http://www.bosconet.org/pjohnson/por...001to2500.html

    it gives :

    2491 tcp conclave-cpp Conclave CPP
    2491 udp conclave-cpp Conclave CPP

    but searching google for Conclave or Conclave CPP didn't turn up anything very enlightening
    later on I suggested that if nothing comes to light he'd have to contact the admin at bellsouth.. but I have doubts that he'll want to do that unless all the other avenues come to a dead end.. I asked him about what trojan scanners he's using ( I know he stays up on his AV dats) but he hasn't responded yet..
    I'm hoping that by the time he does check in.. that I'll be able to offer him more info.
    (courtesy of you folks)

    any thoughts ? suggestions ?

    TIA.. sdg..
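The OP's friend only knows that "4-5 a day" outbound attempts to one address on port 2491 are being blocked. The first thing a defender wants from a firewall log in that situation is a count per destination and per day, plus the registered service name for the port, so the pattern can be described precisely before anyone starts guessing at trojans. The following script is an added example, not code from the thread; the log format and the log lines are constructed (the 209.214.105.3:2491 destination is the one from the post, the other addresses are documentation ranges), and the port table only carries the few entries it needs.

```python
"""Triage repeated outbound firewall blocks by destination and day.

Added example for illustration; the log format below is a constructed,
generic "ACTION DIRECTION PROTO src:port -> dst:port" layout, not the
output of any particular firewall product.
"""
import re
from collections import defaultdict

# Constructed sample log: one host repeatedly blocked going to 209.214.105.3:2491
# (the destination discussed in the thread), one allowed web connection, one
# inbound block and one unrelated outbound block to a documentation address.
SAMPLE_LOG = """\
2003-02-04 09:12:01 BLOCK OUT TCP 192.168.1.10:1045 -> 209.214.105.3:2491
2003-02-04 11:40:17 BLOCK OUT TCP 192.168.1.10:1052 -> 209.214.105.3:2491
2003-02-04 13:05:44 ALLOW OUT TCP 192.168.1.10:1060 -> 64.4.11.42:80
2003-02-04 18:22:09 BLOCK OUT TCP 192.168.1.10:1077 -> 209.214.105.3:2491
2003-02-04 22:48:31 BLOCK OUT TCP 192.168.1.10:1081 -> 209.214.105.3:2491
2003-02-05 08:01:55 BLOCK OUT TCP 192.168.1.10:1090 -> 209.214.105.3:2491
2003-02-05 08:30:12 BLOCK IN  TCP 203.0.113.9:4444 -> 192.168.1.10:135
2003-02-05 09:15:00 BLOCK OUT UDP 192.168.1.10:1091 -> 198.51.100.7:53
"""

LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>BLOCK|ALLOW) (?P<direction>IN|OUT)\s+(?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Minimal registered-service table; 2491 is the entry the thread quotes from
# the port list, 80/443 are included so a normal web hit is labelled too.
PORT_NAMES = {80: "http", 443: "https", 2491: "conclave-cpp (Conclave CPP)"}


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def summarize_outbound_blocks(log_text):
    """Aggregate BLOCK/OUT events by (dst, dport): total, per-day counts, service name."""
    summary = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        # Only outbound attempts the firewall refused are of interest here;
        # inbound noise and allowed traffic are skipped.
        if ev is None or ev["action"] != "BLOCK" or ev["direction"] != "OUT":
            continue
        key = (ev["dst"], ev["dport"])
        entry = summary.setdefault(
            key,
            {"total": 0, "per_day": defaultdict(int),
             "service": PORT_NAMES.get(ev["dport"], "unknown")},
        )
        entry["total"] += 1
        entry["per_day"][ev["date"]] += 1
    return summary


def flag_repeated(summary, min_per_day=3):
    """Destinations hit at least min_per_day times on some single day (beaconing pattern)."""
    return sorted(
        key for key, entry in summary.items()
        if max(entry["per_day"].values()) >= min_per_day
    )


if __name__ == "__main__":
    report = summarize_outbound_blocks(SAMPLE_LOG)
    for (dst, dport), entry in sorted(report.items()):
        days = ", ".join(f"{d}: {n}" for d, n in sorted(entry["per_day"].items()))
        print(f"{dst}:{dport} [{entry['service']}] total={entry['total']} ({days})")
    print("repeated:", flag_repeated(report))
```

The per-day count is what turns "it keeps trying" into something that can be compared against the next piece of evidence: if the same host keeps reaching for one address on a port whose registered service nobody on the machine uses, that is the signal that justifies a malware scan and a process-level look at what is opening the socket.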

  2. #2
    Gray Haired Old Fart (aeallison)
    Join Date
    Jul 2002
    Location
    Buffalo, Missouri USA
    Posts
    888
    Visual Route

    Try this program, it helped me during a similar attack I investigated. You can download a free 15 day trial. I hope this helps. Let me know...
    I have a question; are you the bug, or the windshield?

  3. #3
    Trumpet-Eared Gentoo Freak
    Join Date
    Jan 2003
    Posts
    992
    Hi Sumdum,

    Don't know if you already used this one? But I always use the next link, very interesting.

    http://www.samspade.org

    Let us know...

    Greetz,

    The only new thing I found out was his reverse DNS and that he's alive:

    IP: 209.214.105.3
    Ping: 416 ms
    Hostname: host-209-214-105-3.bhm.bellsouth.net

    Greetz,
    Come and check out our wargame-site @ http://www.rootcontest.org
    We chat @ irc.smdc-network.org #lobby

  4. #4
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    Hmm, sounds like a trojan/bot, or it could be spyware, but all that is on the site is
    Guess Who?
    so I'm guessing that it could be some trojan, maybe a worm. Here is my whois query on the domain:

    [whois.opensrs.net]
    Registrant:
    gtr inc
    3144 Bell Road
    Nashville, TN 37214
    US

    Domain Name: TWIXTER.NET

    Administrative Contact:
    Smith, Brad jb_4510@hotmail.com
    3144 Bell Road
    Nashville, TN 37214
    US
    615-889-4210

    Technical Contact:
    Smith, Brad jb_4510@hotmail.com
    3144 Bell Road
    Nashville, TN 37214
    US
    615-889-4210
    sdg, did you tell him to scan for trojans, virii, spyware etc.? Maybe sending Brad Smith an email might resolve why he has something wanting to connect to twixter.net; after all, he is the registrant of the domain. Good luck with whatever it is.

    edit: the port that it is wanting to connect to is reserved for Conclave CPP
    By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
    The 20th century pharoes have the slaves demanding work
    http://muaythaiscotland.com/
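Both the ARIN record in the first post and the registrar record in this one are flat "Key: value" text that people end up reading by eye. The script below is an added example, not something from the thread: it parses both record styles into fields (keeping repeated keys such as NameServer), pulls out the contact e-mail addresses, and checks that the IP being blocked actually falls inside the NetRange/CIDR the allocation claims, which is the check to do before writing to an abuse address. The embedded records are trimmed copies of the two whois outputs quoted in the thread; the parser's key regex and continuation-line handling are assumptions about the format, not a spec.

```python
"""Parse ARIN-style and registrar-style whois text and sanity-check the range.

Added example; the two records below are trimmed from the whois output
quoted in the thread. Nothing here touches the network.
"""
import ipaddress
import re

ARIN_RECORD = """\
OrgName: BellSouth.net Inc.
OrgID: BELL

NetRange: 209.214.0.0 - 209.215.255.255
CIDR: 209.214.0.0/15
NetName: BELLSNET-BLK4
NetType: Direct Allocation
NameServer: NS.BELLSOUTH.NET
NameServer: NS.ATL.BELLSOUTH.NET
Comment:
For Abuse Issues, email abuse@bellsouth.net.
RegDate: 1998-03-19
Updated: 2002-10-31

AbuseHandle: ABUSE81-ARIN
AbuseName: Abuse Group
AbuseEmail: abuse@bellsouth.net

# ARIN Whois database, last updated 2003-02-04 20:00
"""

REGISTRAR_RECORD = """\
[whois.opensrs.net]
Registrant:
gtr inc
3144 Bell Road
Nashville, TN 37214
US

Domain Name: TWIXTER.NET

Administrative Contact:
Smith, Brad jb_4510@hotmail.com
3144 Bell Road
Nashville, TN 37214
US
"""

# Assumed key syntax: a label of letters/spaces followed by a colon at line start.
KEY_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_whois(text):
    """Return {key: [values]}; unlabelled lines are attached to the preceding key.

    A blank line ends the current key, '#' lines are server comments and are
    skipped, and keys that repeat (NameServer) keep every value in order.
    """
    fields = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        if line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            fields.setdefault(current, []).append(m.group(2))
        elif current is not None:
            fields[current].append(line)
    return fields


def contact_emails(fields):
    """Every distinct e-mail address anywhere in the record, sorted."""
    found = set()
    for values in fields.values():
        for v in values:
            found.update(EMAIL_RE.findall(v))
    return sorted(found)


def net_range(fields):
    """(first, last) addresses of the NetRange line."""
    first, last = fields["NetRange"][0].split(" - ")
    return ipaddress.ip_address(first.strip()), ipaddress.ip_address(last.strip())


def ip_in_range(ip, fields):
    """True if ip lies within the record's NetRange (inclusive)."""
    first, last = net_range(fields)
    return first <= ipaddress.ip_address(ip) <= last


def cidr_matches_range(fields):
    """True if the CIDR line describes exactly the NetRange line."""
    net = ipaddress.ip_network(fields["CIDR"][0].strip(), strict=False)
    first, last = net_range(fields)
    return net.network_address == first and net.broadcast_address == last


if __name__ == "__main__":
    arin = parse_whois(ARIN_RECORD)
    print("allocation:", arin["OrgName"][0], arin["NetRange"][0])
    print("209.214.105.3 in range:", ip_in_range("209.214.105.3", arin))
    print("CIDR consistent:", cidr_matches_range(arin))
    print("abuse contacts:", contact_emails(arin))
    reg = parse_whois(REGISTRAR_RECORD)
    print("domain:", reg["Domain Name"][0], "contacts:", contact_emails(reg))
```

The range check matters because an ARIN block like 209.214.0.0/15 covers a large ISP pool: the abuse desk is the right recipient for a report about a host in it, but the record says nothing about who runs the individual address, which is exactly the gap the registrar lookup on the domain is trying to close.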
