about tcp connect

Discussion in 'Trojan Defence Suite' started by marty222d2, Nov 20, 2003.

Thread Status:
Not open for further replies.
  1. marty222d2
    Online

    marty222d2 Guest

    I'm wondering, with tcp connect how do we analyze the reponse and all with that? I can connect and all I just don't know the code to type in to get things, and is it true you can alter their computer by connecting to this through the trojan?

    And when a trojan was found on my computer it was resolved to the website i got it off of...so i couldn't find the DNS there was no DNS...so little help on this, you can email me or respond to this post, thank you
  2. Andreas1
    Offline

    Andreas1 Security Expert

    Hi marty222d2,

    Basically you can use TCP Connect to connect to any tcp port where a server is listening. To connect, it doesn't matter which type of server it is - a trojan server, a telnet server, ftp, pop, smtp etc. But when you have established a connection, normally the server waits for you to specify what you want from it - and here of course difficulties begin, because depending on what type of server you have connected to, you can only be expected to do certain things and not others. E.g. a POP server wouldn't understand if you wanted it to close or open its CD tray, it can only handle email messages. Thus, not every server provides some "alter-the-computer" service, although many trojan servers do.
    So, first you have to know what type of server you're connected to. A first hint might be the port number, as often several servers have their standardized portnumbers (which can be changed but still...). E.g. if you can connect to a server on port 110, it is probably a POP server, if you can connect on port 80, it is probably a webserver, if port 27374 it's probably a subseven trojan server (or a tool pretending to be one to catch hackers who would try to connect to it ;) ). Often you will even get a greeting message from the server announcing what type of server you've run into. Sometimes these "banners" can be solicited with just sending a <Return> in the TCP Connect window...

    Next step: Know what "language" the server speaks. You have to specify what you want the server to do, but you have to specify this according to certain rules. Most of the servers have a specific "vocabulary" and "grammar" - all explained it the "protocol". Let's take a POP server for example. Get a greeting banner by sending "HELO myname", log in with "USER bblabla" and then "PASS blabla" (without the quotes) - HELO, USER and PASS being the keywords or commands that get certain parameters with them. To get the listing of email messages waiting for you, type "LIST", to retrieve a message (say, the tenth), you'd type "RETR 10" and to then delete it from the list of messages you'd type "DELE 10".
    The fact that every server type follows a different protocol (and not all use plaintext commands/parameters), and that e.g. the protocols of trojan servers are not so easily publicly available as those of POP or HTTP servers, makes it obvious that knowing the Language ("protocol") of the server is sometimes quite a challenge.

    So much for the general stuff - if you have a specific situation in mind, it would help if you gave us more details: what port, what IP, how did you come across this etc.?


    Can you explain that further...?

    HTHH,
    Andreas
  3. Gavin - DiamondCS
    Offline

    Gavin - DiamondCS Former DCS Moderator

    Hi,

    Sounds like a portref issue, did you right click on a port in netstat and see that its number was associated with trojan names ?

    This (looking at port numbers vs known trojans that have used that port) is getting towards useless as an indication of infection.

    99% of all remote access trojans since long ago have editors and can use any port. It is almost a good idea to not have a portref, or at least hide it a little :)

    If you are interested in ports though, look at Port Explorer too and you will find the helpfile very useful. A trojan would be a lot easier to spot too.

    If you like, we can assist you to post your log from ASViewer, from our freeware section. This will show all autostarting programs, and all trojans need to autostart each time Windows starts.
  4. marty232
    Online

    marty232 Guest

    ok, about the not finding DNS i did a little research and found that he was on a proxy i think...? when i resolved his IP address it resolved to a website ( the webiste i downloaded the trojan horse off of) Now I'm wondering how do i get past a proxy or how can I somehow get his ISP and report him and the logs I have of the trojan (I deleted the trojan also)
  5. Jooske
    Offline

    Jooske Registered Member

    Did TDS alarm on the trojan? Which was it?
    Could have sent it to submit@diamondcs.com.au for advice and they could have found (maybe) more about the origin / sender/ creator for you.
  6. marty232
    Online

    marty232 Guest

    yo, i don't think it has anything to do with the trojan...and I'm wondering how I can resolve his ISP so I can or could report him?

    With a proxy on how do i get his ISP?
  7. Jooske
    Offline

    Jooske Registered Member

    Try Port Explorer and see what you can do with those tools.
    The proxy problem will stay up, but with the socket spy in that you might find some more maybe, little chance...
    But the TCP connect at least alarms them you are aware of him/her, UDP broadcast a nice message and ask for their email :)
  8. Gavin - DiamondCS
    Offline

    Gavin - DiamondCS Former DCS Moderator

    Use the WHOIS to see who owns that domain then, and also try Port Explorer since the whois is much better :) Much newer and we dedicated plenty of time to getting it right
  9. marty233e
    Online

    marty233e Guest

    Yo, ok How do I send a UDP message through TCP connection? and how exactly will it show up on his computer? And how can I hide my DNS like he did to prevent hackers?

    thank you for your time

    God bless TDS

    -Marty
  10. Jooske
    Offline

    Jooske Registered Member

    UDP broadcast is a function of it's own: open the UDP broadcast, type in the other person's IP, try some of their open ports (you have several scanners for that in the several network tools and interrogate scanner) and you can type some friendly message in the line and enter it away. Try a few repeats, different ports, but try to keep it nice in the first place.
    If they scan you on your port 27374 for instance look if that port of them is open to send your message in; is it 12345 you might have to do with a netbus user and look in the plugins which very nice tools are there for them waiting: you might like to install your netbus server emulator to have them play a bit with that while you do some investigations on them, whatever. (you can delete it afterwards from the autostart so it is not there all time but you have it available aftter one time install with a button click). More details we can talk about in the TDS private forum :cool: Among others a very nice series of scripts!
Thread Status:
Not open for further replies.