ok guys and gals..
I believe this is the first time that I ever asked for some help and I'm hoping
that someone can shed a little light on what this may be.

First off.. this is not for me.. but came from an online friend that asked if I'd help.

here we go from him..
do you know wtf twixter.net is?
IP=(209.214.105.3)

Been gettin a lot of crap spam mails as always to one of my hotmails, and 4-5 a day try and connect to this twister.net site going through port service port 2491.

FW blocks it every time, but it's a pain in the bum not even knowing what it is.

Ideas?

http://209.214.105.3/ and see the "guess who" message (safe to check i think)

my reply:

are you sure this isn't some "friend" who's yanking your chain ?
and gave this info:
arin says this:
quote:

Search results for: 209.214.105.3


OrgName: BellSouth.net Inc.
OrgID: BELL

NetRange: 209.214.0.0 - 209.215.255.255
CIDR: 209.214.0.0/15
NetName: BELLSNET-BLK4
NetHandle: NET-209-214-0-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: NS.BELLSOUTH.NET
NameServer: NS.ATL.BELLSOUTH.NET
NameServer: NS.MIA.BELLSOUTH.NET
NameServer: NS.RDU.BELLSOUTH.NET
Comment:
For Abuse Issues, email [email protected].
For Subpoena Issues, please email [email protected] with "SUBPOENA" in the subject line.
RegDate: 1998-03-19
Updated: 2002-10-31

TechHandle: JG726-ARIN
TechName: Geurin, Joe
TechPhone: +1-404-499-5240
TechEmail: [email protected]

AbuseHandle: ABUSE81-ARIN
AbuseName: Abuse Group
AbusePhone: +1-404-986-8151
AbuseEmail: [email protected]

OrgAbuseHandle: ABUSE81-ARIN
OrgAbuseName: Abuse Group
OrgAbusePhone: +1-404-986-8151
OrgAbuseEmail: [email protected]

OrgTechHandle: JG726-ARIN
OrgTechName: Geurin, Joe
OrgTechPhone: +1-404-499-5240
OrgTechEmail: [email protected]

# ARIN Whois database, last updated 2003-02-04 20:00
# Enter ? for additional hints on searching ARIN's Whois database
----------------------------------------------------------------------------

uh.. this may be totally off the wall but do you know a David J Bush ?
http://www.littlegolem.net/jsp/info/....jsp?plid=1607

hehehe nah.. probably not.. wouldn't be that easy..

google doesn't show any results for twixter.net . it has 500 hits for twixter.. and arin doesn't have any record of twixter.. or twixter.net.
but if it's trying to call home.. my best guess is that you have a trojan/backdoor on your box.

according to this port list at http://www.bosconet.org/pjohnson/por...001to2500.html

it gives :

2491 tcp conclave-cpp Conclave CPP
2491 udp conclave-cpp Conclave CPP

but searching google for Conclave or Conclave CPP didn't turn up anything very enlightening

later on i suggested that if nothing comes to light that he'd have to contact the admin at bellsouth.. but i have doubts that he'll want to do that unless all the other avenues come to a dead end.. I asked him about what trojan scanners he's using (i know he stays up on his AV dats) but he hasn't responded yet..
I'm hoping that by the time he does check in.. that I'll be able to offer him more info.
(courtesy of you folks)

any thoughts ? suggestions ?

TIA.. sdg..