October 16th, 2003, 02:16 AM
Re: Netbus, what would you do.
And you also said you were scanned for a netbus server? So his connection tried to hit you on port 12345?
Originally posted here by jinxy
I'm running a firewall which has recently recorded a couple of inbound tcp connection attempts.
Using tds3 I did an interrogation of the recorded ip address and found that netbus was running on port 12345.
NetBus is not a virus; it is a trojan. There are actually 2 programs associated with netbus: a client and a server.
Unless somehow NetBus has been incorporated into a new virus, which I doubt since every antivirus program has had 1.7 in its sigs for quite a few years.
You have no right to disinfect as you say, but I do not think you can even do this. It would be the same as brute forcing a remote password, so I hope you have several supercomputers and a few years. Not only that, but I know people who use netbus as their remote administration. This was a few years ago. Netbus was actually one of the pioneers of remote administration. So the guy may be using it on purpose.
Or the guy could be infected and the 'evil' user is scanning for other netbus servers from the client to hide his true ip. Either way you can't go into someone's computer without their consent.
That which does not kill me makes me stronger -- Friedrich Nietzsche
October 16th, 2003, 02:33 AM
I agree with CXGJarrod, the person scanning you is probably the person who put netbus on the computer (I know that's not what you said CXGJarrod, that's my opinion expanding on yours) given that they have remote access to that computer. I don't know about netbus and what you can do with it, for all I know you can't do a scan from a remote computer with netbus. The person who actually owns the computer probably has no clue what is going on. I would send them an email saying that you recorded a scan from their ip, and inform them that they have the trojan netbus on their computer. Then tell them if it was not them scanning they need to uninstall netbus and secure their computer (actually they need to do that regardless). Then say if it happens again you will contact their isp.
October 16th, 2003, 02:39 AM
S3cur|ty4ng31 makes a couple of really good points. Not unless some dumba** was playing with NetBus and infected themselves and then tried to scan you for it. I had a friend of mine a long time ago that accidentally SubSeven'd himself. It was rather entertaining.
October 17th, 2003, 08:44 AM
You all make a good case for not attempting to hack back, which is what I expected. I would report the incident to abuse@isp but in this case I can't find it; none of the whois's that I have tried have shown up any info. The ip locator here at AO shows the location as Milton, New South Wales, Australia. That's as much info as I have been able to get.
Having interrogated the ip address again today, netbus is no longer showing up, so either netbus has been removed from the machine or the machine that was infected has been given another ip address.
So I guess that's about all I can do at the moment. Thanks for the feedback anyway.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry