Thread: port scan findings

  1. #1
    Senior Member
    Join Date
    Mar 2004
    Posts
    111

    port scan results

    The last couple of days I have been getting port scanned by a computer that is damn near the same IP as mine. Definitely has the same ISP as me. The port scans are no big deal but this is happening to me 5 times a day. The scan usually looks like they are looking for open proxies.
    Ports - 8080, 80, 81, 3128... etc.

    I was bored and decided to port scan the machine and this is what I came up with:


    *Port - 113 authentication service
    5904,113: userid: unix: zteo......

    *Port - 770 ?
    220 - bot server (win32)

    *Port - 1025 network blackjack

    *Port - 1048 sun`s NEO object request broker
    220 - welcome to bot ftp service

    *5000 ?

    *Port - 8190
    220 - bot server (win32)

    *Port - 12818

    *Port - 13491

    *Port - 17545
    220 bot server (win32)

    *Port - 20009

    *Port - 20782

    Now for kicks I telnetted into 1048 Sun's NEO object request broker, entered a password that was there in black and white and looked around.

    When I exited telnet it said "thanks for stopping by enjoy your infection"? What does this mean? I know I'm not infected, I just wonder what the hell is going on with this machine?

    I figure the box has a trojan or 4 on it and I'm getting port scanned from someone using this box as a zombie. I guess I'm just curious here.

    I didn't want to post the IP here, because I'm sure the owner of the box has no idea they are owned.

    Thanks
    NORML


  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401

    Re: port scan findings

    Originally posted here by Atticus|1
    I figure the box has a trojan or 4 on it and I'm getting port scanned from someone using this box as a zombie.
    Sounds like you don't need our help as you've already figured it out.
    It looks indeed like a trojaned PC. Send your logs to the abuse address of your ISP and have them contact the offending user. That should be enough to make it stop.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
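
The logs an abuse desk can act on are the ones that show the repeated proxy-port probes per source, with timestamps. As an added example (not part of the original thread), this Python sketch groups dropped probes into scan bursts; the log format, the documentation-range addresses, the function name `find_proxy_scans` and the thresholds (60-second gap, 3 distinct ports) are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Proxy ports named in the thread; extend the set for other proxy ports.
PROXY_PORTS = {80, 81, 3128, 8080}
LINE_RE = re.compile(r"^(\S+) DROP TCP src=(\S+) dst=\S+ dport=(\d+)$")

# Constructed sample log: hypothetical format, RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2004-05-01T09:14:02 DROP TCP src=192.0.2.77 dst=192.0.2.10 dport=8080
2004-05-01T09:14:02 DROP TCP src=192.0.2.77 dst=192.0.2.10 dport=80
2004-05-01T09:14:03 DROP TCP src=192.0.2.77 dst=192.0.2.10 dport=81
2004-05-01T09:14:03 DROP TCP src=192.0.2.77 dst=192.0.2.10 dport=3128
2004-05-01T11:02:40 DROP TCP src=198.51.100.9 dst=192.0.2.10 dport=80
2004-05-01T14:30:10 DROP TCP src=192.0.2.77 dst=192.0.2.10 dport=3128
2004-05-01T14:30:11 DROP TCP src=192.0.2.77 dst=192.0.2.10 dport=8080
2004-05-01T14:30:11 DROP TCP src=192.0.2.77 dst=192.0.2.10 dport=80
garbled line that the parser must skip
"""

def find_proxy_scans(log_text, gap=timedelta(seconds=60), min_ports=3):
    """Return {src: [(burst_start, [ports])]} for bursts probing >= min_ports proxy ports."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not dropped-TCP records
        ts, src, port = datetime.fromisoformat(m[1]), m[2], int(m[3])
        if port in PROXY_PORTS:
            events[src].append((ts, port))
    report = {}
    for src, hits in events.items():
        hits.sort()
        bursts = [[hits[0]]]
        for hit in hits[1:]:  # a new burst starts after a quiet period longer than gap
            if hit[0] - bursts[-1][-1][0] <= gap:
                bursts[-1].append(hit)
            else:
                bursts.append([hit])
        scans = [(b[0][0].isoformat(), sorted({p for _, p in b}))
                 for b in bursts if len({p for _, p in b}) >= min_ports]
        if scans:
            report[src] = scans
    return report

if __name__ == "__main__":
    for src, scans in find_proxy_scans(SAMPLE_LOG).items():
        print(f"{src}: {len(scans)} proxy-port scan(s): {scans}")
```

A lone hit on port 80 from another address stays out of the report, so the summary sent to the ISP lists only the source that swept several proxy ports in one burst.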

  3. #3
    Senior Member
    Join Date
    Mar 2004
    Posts
    111
    OK... I guess the ("enjoy your infection") when exiting telnet got me wondering.

    Thanks for the reply
    NORML


  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    "Enjoy your infection" probably meant enjoy playing around with the person you infected rather than it being an indication that you were infected.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
