Backdoor not detected by NIS

A computer on the office network has behaved oddly the past few days.  Hangs up regularly, too.  I didn't find any unexplained processes in the task manager, and verified that virus/trojan definitions were up to date.

I found lines like this in the NIS security log:

9/24/2008 3:52:49 PM,127.0.0.1,Backdoor-g-1(1243),127.0.0.1,1516,0,0,0:01:59.937,"Connection:  localhost: 1516  from  localhost: Backdoor-g-1(1243),  0 bytes sent,  0 bytes received,  1:59.937 elapsed time."

That looks a little creepy to me, but NIS and Spybot S&D do not detect anything.  Any ideas? 

 Steven

sparweb,

You can also use TCPView from Microsoft SysInternals to determine which program has the port open.

Regards,

Mike

Hi Mike

Thanks for the info.

One thing that sticks out:

Given that the connection was from your local computer to your local computer

I don't see how you arrived at that conclusion.  My local network is the typical 192.168.*.* that usually gets used.

A DNS lookup on "127.0.0.1": nothing comes up.

I'm going to take a look at that TCPView, now.

Thanks

Steven

127.0.0.1 is localhost, the universal IP address your TCP/IP stack uses to point back to itself. So, it is the IP address of your own machine.

Message Edited by TomiRed on 09-25-2008 10:12 AM

So what does it mean when localhost has been "redirected"?

I received this message when I ran the "Security Inspector" in NIS.

Another question:  Are there alternatives to the Symantec system scan?  I ran it earlier, but it was not able to make any report about hacker/trojan/intrusion protection.

At this point, the software is giving me no reason to believe that it is working.

What N.I.S. are you using?  What O.S. and S.P. do you have installed?

sparweb,

The name "backdoor-g-1" is commonly assigned to that port (1243).  While this port is used by that threat, it can also be dynamically assigned to any application by Windows.  This can be fairly common, and in general there's no need to be concerned.  Given that the connection was from your local computer to your local computer, it does not match that threat's behavior.

Please see this KB article on the topic.

You can also read the details about the threat to confirm it does not exist on the system.

Regards,

Mike

Message Edited by MikeO on 09-25-2008 09:32 AM
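The reasoning in Mike's reply (a port name such as "Backdoor-g-1" is only a label Windows attaches to port 1243, and a localhost-to-localhost connection does not match the threat's behaviour) can be turned into a small triage script over the NIS security log. The following is an added example, not code from the thread or from Symantec: it parses lines in the CSV shape quoted above, pulls the port number out of the "name(port)" label, and classifies each connection by whether both ends are loopback, a LAN peer, or an external peer. The column meaning (remote address, remote port label, local address, local port) is an assumption read off the description field; the second sample line is constructed for illustration.

```python
import csv
import ipaddress
import re
from dataclasses import dataclass
from io import StringIO

# Constructed sample log, modelled on the NIS security log line quoted in the
# thread. Column order (remote ip, remote port label, local ip, local port) is
# an assumption inferred from the description field, not Symantec's documentation.
SAMPLE_LOG = """\
9/24/2008 3:52:49 PM,127.0.0.1,Backdoor-g-1(1243),127.0.0.1,1516,0,0,0:01:59.937,"Connection:  localhost: 1516  from  localhost: Backdoor-g-1(1243),  0 bytes sent,  0 bytes received,  1:59.937 elapsed time."
9/24/2008 4:10:02 PM,203.0.113.7,Backdoor-g-1(1243),192.168.1.20,1243,0,0,0:00:03.120,"Connection:  192.168.1.20: 1243  from  203.0.113.7: Backdoor-g-1(1243),  0 bytes sent,  0 bytes received,  0:03.120 elapsed time."
"""

# Matches labels of the form "Backdoor-g-1(1243)"; a bare number has no label.
PORT_LABEL = re.compile(r"^(?P<name>[^(]*)\((?P<port>\d+)\)$")

# RFC 1918 ranges, used to tell a LAN peer (the 192.168.*.* Steven mentions)
# from an address outside the office network.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Connection:
    timestamp: str
    remote_ip: str
    remote_label: str   # the name NIS attached to the remote port ("" if none)
    remote_port: int
    local_ip: str
    local_port: int


def parse_port(field):
    """Split 'Backdoor-g-1(1243)' into ('Backdoor-g-1', 1243); '1516' -> ('', 1516)."""
    m = PORT_LABEL.match(field.strip())
    if m:
        return m.group("name"), int(m.group("port"))
    return "", int(field.strip())


def parse_log(text):
    """Parse NIS security-log CSV text into Connection records, skipping short rows."""
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) < 9:
            continue
        remote_label, remote_port = parse_port(row[2])
        _, local_port = parse_port(row[4])
        records.append(Connection(row[0], row[1], remote_label, remote_port, row[3], local_port))
    return records


def is_lan(addr):
    return any(addr in net for net in RFC1918)


def assess(conn):
    """Classify a connection following the thread's explanation of the log line."""
    remote = ipaddress.ip_address(conn.remote_ip)
    local = ipaddress.ip_address(conn.local_ip)
    if remote.is_loopback and local.is_loopback:
        # Both ends are 127.0.0.1: a program on this machine talking to itself.
        # The port name is only the label assigned to that port number.
        return "loopback-only"
    if is_lan(remote):
        return "lan-peer"
    # Anything else came from outside the office network; identify the owning
    # process (TCPView, as suggested above) before drawing conclusions.
    return "external-peer"


def triage(text):
    """Return (timestamp, remote port label, classification) per log line."""
    return [(c.timestamp, c.remote_label, assess(c)) for c in parse_log(text)]


if __name__ == "__main__":
    for ts, label, verdict in triage(SAMPLE_LOG):
        print(f"{ts:22} {label:14} {verdict}")
```

Running the block on the two constructed lines reports the thread's own line as loopback-only and the constructed second line as an external peer; the label text is identical in both, which is the point: the name on the port carries no evidence by itself, the endpoints do.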