Netbus, what would you do.
Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: Netbus, what would you do.

  1. #1
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668

    Netbus, what would you do.

    Hi Guys,
    thought i'd post this i would like to get an over view of what you people here at AO would do.

    I'm running a fire wall which has recently recorded a couple of inbound tcp connection attemps.
    Using tds3 i did an interigation of the recorded ip address and found that netbus was running on port 12345. Within tds3 you have a tcp connect utility, so i made a connection to port 12345 on the remote machine this showed me netbus 1.7x password protected. Now within tds3 you have the ability to disinfect the remote machine. However that would require nowing the password.

    The question i would like to ask is what people here would do with this information, crack the password and disinfect, report to the network abuse department ? whatever?

  2. #2
    Member
    Join Date
    Oct 2001
    Posts
    31
    Is this a home computer or one at work? Either way I would simply disconnect the system from the network and "clean" it. If you really must get the password then run a packet sniffer watching that particular port and IP. WHo ever installed it is bound to log into it.

  3. #3
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    I think you miss understand me, i'm on a home pc, netbus is on a remote machine. I was obviously being scanned for a netbus server, Which i have not got.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    If this machine isn't yours... which I think it isn't (because you're seeing it inbound) I'd send an email to the admin of whoevers network of the attacking machine and notify the of the time, date, ip and activity. Sometimes emails go ignored... so a phone call would also work... if you don't mind paying tolls. You can do a whois on the network and find out if they have a toll free number for you to call too.

    It is possible that the user of the infected machine doesn't even know he has it on there... Or it could be some s.kiddie too. I've never used netbus... so I'm not sure of how the trojan works. (wheather there is a client/server in one, or if the client/server are separate.)

    I would not try to crack the password because you would be doing just as much trouble as the other person is. I'm not sure about your laws... but I know several places have "hack back" laws that prohibit this type of activity.

    Just be happy that your firewall is blocking it and he isn't going to get your network. Report them with the usual info, and let the ISP take care of it... (notifying the user, monitoring for suspicious activity, etc.)

  5. #5
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    This is the sort of feedback i was looking for what peoples ethical views on hack back are.
    Thanks phishphreek80, what you suggest is what my own instink is to do.

    Come on guys lets here some arguments for other caurses of action.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  6. #6
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    If I am reading this right, you have tracked back the computer that was scanning you for netbus. If that is the case, you have the IP address. Armed with that info., I think it's best you stay out of trouble, don't try a 'hack-back' by cracking the password. With the IP address, determine his/her ISP. Bundle up all the evidence you have (logs, etc.) of the attack/scan and send it to the abuse@isp.com.

    This is the smart way to go, it is the legal course of action.


    Cheers:
    DjM

  7. #7
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Originally posted here by DjM
    If I am reading this right, you have tracked back the computer that was scanning you for netbus. If that is the case, you have the IP address. Armed with that info., I think it's best you stay out of trouble, don't try a 'hack-back' by cracking the password. With the IP address, determine his/her ISP. Bundle up all the evidence you have (logs, etc.) of the attack/scan and send it to the abuse@isp.com.

    This is the smart way to go, it is the legal course of action.


    Cheers:
    The attacker could also be scanning from another comprimised machine, and not his own so this will not always catch your attacker.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  8. #8
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    Come on guys lets here some arguments for other caurses of action.
    The attacker could also be scanning from another comprimised machine, and not his own so this will not always catch your attacker.
    Right, so if you did decide to crack their password you could invite more problems.

    Not only did you break into their computer... can you prove that you didn't put it there?

    What if that person reports you, and your ISP suspends you account? Then you have to go looking for another ISP.

    At least reporting it to the ISP will give them a chance to find out what is going on. They know who the user is, and they won't tell you. They can decide if the user is doing something malicious, or if they've been owned... if they're infected, the ISP can advise them to take care of it.

  9. #9
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by CXGJarrod


    The attacker could also be scanning from another comprimised machine, and not his own so this will not always catch your attacker.
    True CXGJarrod, but buy doing this (reporting the attack to the ISP), you are not breaking any laws, you are stopping (well trying to stop) the attack and you are alerting the ISP to a problem. I still believe this is the course to follow.

    Cheers:
    DjM

  10. #10
    Junior Member
    Join Date
    Feb 2003
    Posts
    10
    If you have his ip you can also send him/her a "net send" message and let them know they are infected. You can also ask them to contact you for more info. If this person has a firewall net send will be blocked but I doubt that because this netbus trojan is out in the open.
    May have to repeat this a couple of times and see what happens, if nothing happens you can send a complaint to his/her isp.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •