Backdoor not detected by NIS

A computer on the office network has behaved oddly the past few days.  Hangs up regularly, too.  I didn't find any unexplained processes in the task manager, and verified that virus/trojan definitions were up to date.

I found lines like this in the NIS security log:

9/24/2008 3:52:49 PM,127.0.0.1,Backdoor-g-1(1243),127.0.0.1,1516,0,0,0:01:59.937,"Connection:  localhost: 1516  from  localhost: Backdoor-g-1(1243),  0 bytes sent,  0 bytes received,  1:59.937 elapsed time."

That looks a little creepy to me, but NIS and Spybot S&D do not detect anything.  Any ideas? 

 Steven

Replies

Re: Backdoor not detected by NIS

sparweb,

The name "backdoor-g-1" is commonly assigned to that port (1243).  While this port is used by that threat, it can also be dynamically assigned to any application by Windows.  This can be fairly common, and in general there's no need to be concerned.  Given that the connection was from your local computer to your local computer, it does not match that threat's behavior.

Please see this KB article on the topic.

You can also read the details about the threat to confirm it does not exist on the system.

Regards,

Mike

Message Edited by MikeO on 09-25-2008 09:32 AM
Software Architect / Technical Director. Norton Business Unit.

Re: Backdoor not detected by NIS

sparweb,

You can also use TCPView from Microsoft SysInternals to determine which program has the port open.

Regards,

Mike

Software Architect / Technical Director. Norton Business Unit.

Re: Backdoor not detected by NIS

Hi Mike

Thanks for the info.

One thing that sticks out:

"Given that the connection was from your local computer to your local computer"

I don't see how you arrived at that conclusion.  My local network is the typical 192.168.*.* that usually gets used.

A DNS lookup on "127.0.0.1": nothing comes up.

I'm going to take a look at that TCPView, now.

Thanks

Steven


Re: Backdoor not detected by NIS

127.0.0.1 is localhost, the universal IP address your TCP/IP stack uses to point back to itself. So, it is the IP address of your own machine.

Message Edited by TomiRed on 09-25-2008 10:12 AM
Windows 7 Ultimate x64 SP1 -- NIS 21
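
Added example, not part of the original thread and not Norton's code: a small Python triage of the log line quoted in the first post, separating what the line actually records (both endpoints are loopback, zero bytes moved) from the port-name label. The column meanings and the names `triage`, `parse_port` and `CONSTRUCTED_LAN` are assumptions inferred from that one sample line.

```python
import csv
import ipaddress
import re

# The log line quoted in the original post (spacing in the message field tidied).
SAMPLE = (
    '9/24/2008 3:52:49 PM,127.0.0.1,Backdoor-g-1(1243),127.0.0.1,1516,0,0,'
    '0:01:59.937,"Connection: localhost: 1516 from localhost: '
    'Backdoor-g-1(1243), 0 bytes sent, 0 bytes received, 1:59.937 elapsed time."'
)
# Constructed variant for contrast: the first endpoint is a LAN address.
CONSTRUCTED_LAN = SAMPLE.replace("127.0.0.1", "192.168.1.20", 1)

# A port field is either a bare number or "label(number)".
PORT_FIELD = re.compile(r"^(?:(?P<label>.+)\((?P<num>\d+)\)|(?P<bare>\d+))$")

def parse_port(field):
    """Return (port, label or None) for '1516' or 'Backdoor-g-1(1243)'."""
    m = PORT_FIELD.match(field.strip())
    if not m:
        raise ValueError(f"unrecognised port field: {field!r}")
    if m.group("bare"):
        return int(m.group("bare")), None
    return int(m.group("num")), m.group("label")

def triage(line):
    """Summarise one log line. Column meanings are assumed from the sample."""
    row = next(csv.reader([line]))
    if len(row) != 9:
        raise ValueError(f"expected 9 fields, got {len(row)}")
    _ts, addr_a, port_a, addr_b, port_b, sent, received, _elapsed, _msg = row
    ports = [parse_port(port_a), parse_port(port_b)]
    loopback_only = all(ipaddress.ip_address(a).is_loopback for a in (addr_a, addr_b))
    return {
        "loopback_only": loopback_only,
        "ports": [num for num, _ in ports],
        # Per the reply above, the label is a name tied to the port number.
        "port_labels": [label for _, label in ports if label],
        "bytes_total": int(sent) + int(received),
        "next_step": "identify the process that owns the port"
        if loopback_only
        else "check the remote peer, then the process that owns the port",
    }

if __name__ == "__main__":
    for line in (SAMPLE, CONSTRUCTED_LAN):
        print(triage(line))
```

A loopback-only result says no other host took part in the connection; which program opened the port still has to be checked with a tool such as TCPView.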

Re: Backdoor not detected by NIS

So what does it mean when localhost has been "redirected"?

I received this message when I ran the "Security Inspector" in NIS.


Re: Backdoor not detected by NIS

Another question:  Are there alternatives to the Symantec system scan?  I ran it earlier, but it was not able to make any report about hacker/trojan/intrusion protection.

At this point, the software is giving me no reason to believe that it is working.


Re: Backdoor not detected by NIS

What N.I.S. are you using?  What O.S. and S.P. have you got installed?
