[esorone]

Nostremato, on Feb 1 2004, 09:09 AM, said:

anole, on Feb 1 2004, 08:46 AM, said:

On my network, where 3003 is listening, there is a Serv-U installed listening on 43958�

maybe it is only a backdoor which the hackers installed :blink:

But if the hacker installed this backdoor he is scanning hier own hacks???

Don't think so.

Greetz esorone

[Erra]

Unless of course he lost his list of his hacks.... and now he is trying to find them again ;)

Of course, that would be really funny. Scanning for his Serv-U port.... :D

[TedOb1]

Again more speculation. Could be two warring warez gangs. One trying to take over the others sites.

[Double-=V=-]

Well he could have some kinda autohacker which doesn't log the ip's it hacked.

[x0x]

In situations like this searching through web pages which although may appear to be relevant can sometimes lead you into the complete opposite direction.

Instead simply capture what is in the payload using tcpdump as below :

tcpdump -X port 3003 > gotcha.txt

Now you have the payload and can analyse the capture and search based on the contents and thus giving you more chance of identifying the scan.

Greetings.

x0x

[Reckless]

Yeah , theres a very good possiblity the person is searching for his own hacks .. on the port .. coz i did it once too :P .. Mighta lost Ips .. So is prolly scanning for Ftp ports .

[FakoLy]

if you have servu on your machine that means you have a stro on your box :)
maybe port 3003 is used by the backdoor that the pirate installed and the othter port is the port used by servu..
look in your task manager for "servudaemon.exe" process but it could have been renamed, most hackers that make stros on other computers rename their servu process into "svchost.exe" because you can have more than one svchost.exe proces at the same time...
i think the port scan on port 3003 is just another warezer that is trying to scan for vulns.. maybe to own the stro :)
just try to find the servu home directory there are surely interesting things in it :) and look in system32 for the .ini file (to install you have to upp servudaemon.exe and servudaemon.ini to the remote-box and then, rename the exe and execute it.. i think you can't rename the ini)

[mdk]

FakoLy: wrong.
You can rename the service name, the exe and ini filename...
Search the forum for "mod servu" or something like this. Heres a tutorial.

[nubela]

FakoLy, on Feb 8 2004, 12:16 AM, said:

if you have servu on your machine that means you have a stro on your box :)
maybe port 3003 is used by the backdoor that the pirate installed and the othter port is the port used by servu..
look in your task manager for "servudaemon.exe" process but it could have been renamed, most hackers that make stros on other computers rename their servu process into "svchost.exe" because you can have more than one svchost.exe proces at the same time...
i think the port scan on port 3003 is just another warezer that is trying to scan for vulns.. maybe to own the stro :)
just try to find the servu home directory there are surely interesting things in it :) and look in system32 for the .ini file (to install you have to upp servudaemon.exe and servudaemon.ini to the remote-box and then, rename the exe and execute it.. i think you can't rename the ini)

yea u can rename the .ini by hex editting it.

[barty32]

I'm rather sure it's only a backd00r of another hacker

[securitydood]

yeah servu listening on port 43958 is the default remote administrator that runs as part of servu.

as u already commented u had been hacked and abused :(

make sure you lock your box down a little better. get a firewall installed etc etc :)

as no one else mentioned 43958 I thought I'd post this reply :) sorry if its of no use to anyone.