ultor trojaner
Results 1 to 9 of 9

Thread: ultor trojaner

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    119

    Question ultor trojaner

    hi everybody,

    i work for a small company(10 linux server and 20win2k clients) and the internal network is protected with a firewall.today i scanned this host and i got these:

    starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    > (The 1596 ports scanned but not shown below are in state: closed)
    > Port State Service
    > 22/tcp filtered ssh
    > 23/tcp filtered telnet
    > 24/tcp filtered priv-mail
    > 25/tcp filtered smtp
    > 1234/tcp open hotline
    > Remote operating system guess: Linux 2.1.19 - 2.2.20

    i was wondering about the 1234 port.
    i found out that the ultor trojaner uses this port.
    i'm not sure about that is it a big problem or not??
    any help or recommendations are appreciate ,
    cheers,
    dieterle81
    the only thing that doesn\'t change is everything will always change.

  2. #2
    Senior Member
    Join Date
    Dec 2002
    Posts
    127
    Hey there.
    I googled for hotline and that port and i came up with this site.
    http://www.westernlug.org/mail-archi...ry/006467.html
    Hope it helps.

    madseel
    The only four things i need are food, water, a computer, and the internet.

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    119
    i looked as well but i got only sites with ports of trojans,
    anyway,
    cheers mate
    the only thing that doesn\'t change is everything will always change.

  4. #4
    Senior Member
    Join Date
    Jun 2002
    Posts
    102
    Just because you see it on a port list doesn't mean it's true. Hell it could be anything that allows you to set the port number. Maybe even sub7 which we all love. I would do some more research and find a program that would detect the path name of the server that is listening on 1234. Most firewalls should be able to handle that.
    Good Grief

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    As July has correctly stated, you need to tell what program is opening the port, as opposed to relying on iana's registered port list...

    On the box in question (from what I can gather, it is a linux machine), type in the following command:

    netstat -ap

    The p flag will show you what program name is responsible for opening the corresponding port number....
    SoggyBottom.

    [glowpurple]There were so many fewer questions when the stars where still just the holes to heaven - JJ[/glowpurple] [gloworange]I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool. [/gloworange]

  6. #6
    Junior Member
    Join Date
    Mar 2003
    Posts
    20
    I agree with July and SoggyBottom. You are taking the hackers approach to finding out what the port is. Since you are on the physical side of the hosts you have a great more deal of control over your system. Port scanning is a great and quick way to find out what is on the network as it can't really be hidden (like windoz root kits).

  7. #7
    Senior Member
    Join Date
    Mar 2003
    Posts
    452
    Try to telnet to that port and see what it yeilds. Next you want to get a list of all the processes running on the machine. You may want to check router logs to see who's been making connections on the machine in question. Disable any services on that machne that are not necessary. Examine what logs are available on the computer in question. You really don't want to tamper with too much on the system as you could be tampering with evidence if a crime really has taken place. You would be better to mount the drive in a read-only mode to prevent altering anything. There's alot more to do, but with the info I just mentioned, it should get you started. If you still have more questions, please send me a private message.

    Good luck

    PuRe
    Like this post? Visit PuRe\'s Information Technology Community. We\'ve also got some kick ass Technology Forums. Shop for books and dvds on LiveWebShop.com

  8. #8
    Senior Member
    Join Date
    Aug 2002
    Posts
    508
    Hi,
    Soggy ,july and Pure Exctacy make a good point here, This is what I will do If I were you:
    1. netstat -anf inet (to capture the current state of the network connections on the machine)
    2. lsof -i (to find out which process had that port open and yes you need to install lsof if you don't have that in your box) you will see something like this:
    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    3. Telnet localhost 1234 (to check the result... might be there is backdoor process running in your system)

    cheerss
    Not an image or image does not exist!
    Not an image or image does not exist!

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    119
    thanks to all,
    i have figured out it was more or less harmless.
    it was used to port forwarding :-)
    the only thing that doesn\'t change is everything will always change.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •