
Thread: Ultor trojan

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    119

    Question: Ultor trojan

    Hi everybody,

    I work for a small company (10 Linux servers and 20 Win2k clients) and the internal network is protected with a firewall. Today I scanned this host and I got these:

    starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    > (The 1596 ports scanned but not shown below are in state: closed)
    > Port State Service
    > 22/tcp filtered ssh
    > 23/tcp filtered telnet
    > 24/tcp filtered priv-mail
    > 25/tcp filtered smtp
    > 1234/tcp open hotline
    > Remote operating system guess: Linux 2.1.19 - 2.2.20

    I was wondering about the 1234 port.
    I found out that the Ultor trojan uses this port.
    I'm not sure about that: is it a big problem or not?
    Any help or recommendations are appreciated,
    cheers,
    dieterle81
    The only thing that doesn't change is everything will always change.

  2. #2
    Senior Member
    Join Date
    Dec 2002
    Posts
    127
    Hey there.
    I googled for hotline and that port and I came up with this site.
    http://www.westernlug.org/mail-archi...ry/006467.html
    Hope it helps.

    madseel
    The only four things I need are food, water, a computer, and the internet.

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    119
    I looked as well but I got only sites with ports of trojans,
    anyway,
    cheers mate
    The only thing that doesn't change is everything will always change.

  4. #4
    Senior Member
    Join Date
    Jun 2002
    Posts
    102
    Just because you see it on a port list doesn't mean it's true. Hell, it could be anything that allows you to set the port number. Maybe even Sub7, which we all love. I would do some more research and find a program that would detect the path name of the server that is listening on 1234. Most firewalls should be able to handle that.
    Good Grief

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    As July has correctly stated, you need to tell what program is opening the port, as opposed to relying on IANA's registered port list...

    On the box in question (from what I can gather, it is a linux machine), type in the following command:

    netstat -ap

    The p flag will show you what program name is responsible for opening the corresponding port number....
    SoggyBottom.

    There were so many fewer questions when the stars were still just the holes to heaven - JJ. I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.

  6. #6
    Junior Member
    Join Date
    Mar 2003
    Posts
    20
    I agree with July and SoggyBottom. You are taking the hacker's approach to finding out what the port is. Since you are on the physical side of the hosts you have a great deal more control over your system. Port scanning is a great and quick way to find out what is on the network as it can't really be hidden (like windoz root kits).

  7. #7
    Senior Member
    Join Date
    Mar 2003
    Posts
    452
    Try to telnet to that port and see what it yields. Next you want to get a list of all the processes running on the machine. You may want to check router logs to see who's been making connections to the machine in question. Disable any services on that machine that are not necessary. Examine what logs are available on the computer in question. You really don't want to tamper with too much on the system as you could be tampering with evidence if a crime really has taken place. You would be better to mount the drive in read-only mode to prevent altering anything. There's a lot more to do, but with the info I just mentioned, it should get you started. If you still have more questions, please send me a private message.

    Good luck

    PuRe

  8. #8
    Senior Member
    Join Date
    Aug 2002
    Posts
    508
    Hi,
    Soggy, July and Pure Ecstasy make a good point here. This is what I would do if I were you:
    1. netstat -anf inet (to capture the current state of the network connections on the machine)
    2. lsof -i (to find out which process has that port open; yes, you need to install lsof if you don't have it on your box). You will see something like this:
    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    3. telnet localhost 1234 (to check the result... there might be a backdoor process running on your system)

    cheers
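The netstat -p / lsof -i step from the posts above, done by hand against /proc so the chain from port to socket inode to process is visible. This is an added example, not code from anyone in this thread; it assumes a Linux host (the /proc/net/tcp layout), the dump it parses is constructed, and the function names are my own.

```python
import os

# Constructed /proc/net/tcp dump (not from the poster's host): listeners on 0.0.0.0:1234
# (0x04D2, inode 12345) and 127.0.0.1:25 (inode 6789), plus an ESTABLISHED (st 01) one.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:04D2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 6789 1 0000000000000000 100 0 0 10 0
   2: 0100007F:04D2 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 20 4 30 10 -1
"""

LISTEN = "0A"  # value of the st column for a TCP socket in LISTEN state

def parse_listeners(proc_net_tcp_text):
    """Return {port: (local_ip, inode)} for every LISTEN socket in a /proc/net/tcp dump."""
    listeners = {}
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # IPv4 addresses are stored as little-endian hex: 0100007F is 127.0.0.1
        octets = [int(hex_ip[i:i + 2], 16) for i in (6, 4, 2, 0)]
        listeners[int(hex_port, 16)] = (".".join(map(str, octets)), int(fields[9]))
    return listeners

def find_pid_for_inode(inode, proc_root="/proc"):
    """Return the PID whose fd table holds socket:[inode], or None (other users' fd
    tables need root, which is why the thread's commands are run as root)."""
    target = f"socket:[{inode}]"
    pids = filter(str.isdigit, os.listdir(proc_root)) if os.path.isdir(proc_root) else []
    for pid in pids:
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:
            continue  # process exited, or no permission on its fd table
    return None

def who_listens(port, proc_net_tcp_text=None, proc_root="/proc"):
    """Resolve a port to (local_ip, inode, pid); reads the live table if no dump is given."""
    if proc_net_tcp_text is None:
        with open(os.path.join(proc_root, "net", "tcp")) as f:
            proc_net_tcp_text = f.read()
    entry = parse_listeners(proc_net_tcp_text).get(port)
    if entry is None:
        return None
    ip, inode = entry
    return ip, inode, find_pid_for_inode(inode, proc_root)
```

On the live box, `who_listens(1234)` returns the owning PID only for sockets whose fd table you are allowed to read, which is the same reason lsof and netstat -p show "-" for other users' processes when run unprivileged.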

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    119
    Thanks to all,
    I have figured out it was more or less harmless.
    It was used for port forwarding :-)
    The only thing that doesn't change is everything will always change.
