-
January 3rd, 2004, 03:04 AM
#11
If I am correct, TCP port 3730 is used by a program called APT Computer Access Manager, which is basically used to control access to a networked computer.
Hope that answers a part of your question.
-
January 3rd, 2004, 03:25 AM
#12
Member
Have you checked for a banner? It could be just about anything, I show the port as unassigned. Services can be bound to oddball ports if needed.
-
January 3rd, 2004, 03:33 AM
#13
The hacker is connecting to port TCP 27374? It's either Sub7 or trinoo if you're running Windows, or the Ramen Linux worm, which affects Redhat 6.2 and Redhat 7.
As you stated that he has an open port TCP 3730, I'd say that it is trinoo.
Just because a port is registered with IANA doesn't mean a legitimate svc runs on it... Even Sub7's common ports are registered with IANA as Sub7.
-
January 3rd, 2004, 03:39 AM
#14
I'm well aware of that 576869746568617. That's why if you notice I began my sentence with:
Meaning there is a good chance that I am wrong. But it does sound like SubSeven.
The Internet Port Database
Check that site out; I am pretty sure that is where 576869746568617 found the info.
This is where I found a part of my info: IANA
-
January 3rd, 2004, 04:31 AM
#15
Sorry, Agent_Steal, I had no intention of insulting your intelligence. You are indeed correct. That is the service that is registered to 3730 by IANA. And yes, that's exactly where I found (most of) the info.
The rest is from experience with trinoo.
I also may be wrong, as I am human and prone to errors...and bad programming. It could be a new utility exploiting an old vulnerability. In any event, I'd keep an eye on that port (3730), if the firewall is blocking packets to 27374. You're probably OK but just in case, scan your firewall logs and see what other destination ports had a connection attempt from a source port 3730.
Hope you don't find any more suspect traffic.
-
January 3rd, 2004, 04:57 AM
#16
It's all right, 576869746568617, my apologies, and I as well was not trying to insult your intelligence in any way.
But I was thinking, could it be possible that maybe your computer is infected by SubSeven? I could be wrong though, just a wild guess. Maybe you could post the log, as it would make it easier for people to see what's going on.
Just a suggestion. But who knows.
-
January 3rd, 2004, 05:35 AM
#17
I agree, it would be easier to figure out if we could see the logs. Just edit the first octet of any IP addresses of your systems, if they are in the logs, so that they read something like xxx.21.45.1 or 10.21.45.1. Never give out too much info; helping hands are not the only ones who read these posts.....
And yes, I'm paranoid....My other 3 personalities aren't, though.
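The two suggestions in the posts above (list which destination ports saw connection attempts from source port 3730, and mask the first octet of your own addresses before sharing logs) can be done in one pass. This is an added example, not part of any post in the thread; the iptables-style log format, the sample lines, and the function names are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in an iptables-style layout (an assumption; adapt
# the FIELD regex to whatever your own firewall actually writes).
SAMPLE_LOG = """\
Jan  3 02:11:04 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=198.51.100.10 PROTO=TCP SPT=3730 DPT=27374
Jan  3 02:11:09 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=198.51.100.10 PROTO=TCP SPT=3730 DPT=27374
Jan  3 02:12:30 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=198.51.100.10 PROTO=TCP SPT=3730 DPT=1080
Jan  3 02:13:02 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.5 DST=198.51.100.10 PROTO=TCP SPT=40112 DPT=80
Jan  3 02:14:45 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=198.51.100.11 PROTO=UDP SPT=3730 DPT=53
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
IPV4 = re.compile(r"\b\d{1,3}(\.\d{1,3}\.\d{1,3}\.\d{1,3})\b")


def dest_ports_from_source_port(log_text, source_port=3730):
    """Count (protocol, destination port) pairs for packets sent from source_port."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("SPT") == str(source_port) and "DPT" in fields:
            hits[(fields.get("PROTO", "?"), int(fields["DPT"]))] += 1
    return hits


def redact_first_octet(text, own_prefixes):
    """Mask the first octet of your own systems' addresses only.

    own_prefixes is a tuple of dotted prefixes such as ("198.51.100.",);
    remote addresses are left intact so readers can still correlate them.
    """
    def mask(match):
        ip = match.group(0)
        return "xxx" + match.group(1) if ip.startswith(own_prefixes) else ip
    return IPV4.sub(mask, text)


if __name__ == "__main__":
    for (proto, port), n in sorted(dest_ports_from_source_port(SAMPLE_LOG).items()):
        print(f"{proto} dst port {port}: {n} attempt(s)")
    print(redact_first_octet(SAMPLE_LOG, own_prefixes=("198.51.100.",)))
```
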
-
January 3rd, 2004, 03:30 PM
#18
I am pleased you guys kissed and made up..
576869746568617 best not to use your credit card no as a nick.. someone will cotton on...
Oh and yep nice extra links and info...
Now with all that down.. our mate can now find a way to wreak revenge on the "attacker".. like someone remotely editing the "Autoexec" on a Win98 machine that had been scanning the firewall for a couple of weeks.... to put in a short message and a pause.. the message.. "Norton Warning.. You have a Virus. System Files will be deleted" .. the system was remotely restarted.. the scanning stopped that day.. (all that was done was the edit of the autoexec and the restart,, the owner did the rest.. we hope).. We don't condone that sort of action.. it is likely to get you a visit with Bubba the loving roommate..
cheers
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
January 4th, 2004, 02:01 AM
#19
All we tried to do was provide him with information that might help. It might not be the best but maybe next time instead of negging us with your greater intelligence and "Senior Member Status". Feel free to correct us and maybe provide greater and more useful info.
He can use the info in a good way or bad way. It's his choice. It's not like we gave him something that he could have not found on his own.
-
January 4th, 2004, 03:32 AM
#20
Just for the record, my handle is not my credit card number. Type it in a hex conversion program and see what you get.
(note that antionline truncated the last three digits, so it will be misspelled)
Not to disrespect your authority, or your status, but just 'cause I'm a newbie here doesn't mean I don't know $hit. I was banging away on a TI 980 while some of the folks here were still in diapers, and Bill Gates was still selling GW/BASIC as his main product.
I wouldn't suggest that anyone alter files on a system that they don't own. (and no, I don't mean "own" as in it's your be-otch). Not to mention it's illegal in most countries (as you pointed out, gotta give ya props for that.)
(Sorry if that came across as arrogant...EBCDIC brings back some painful memories.)