Interesting message while Telnet'ing


Oneill

Hi everyone. First post here!

I would like to share with you all this interesting message I got when I tried telnetting my port 9090 (zeus-admin):

"This is not a rootkit or other backdoor, it's a BitTorrent client. Really. Why should you be worried, can't you read this reassuring message? Now just listen to this social engi, er, I mean, completely truthful statement, and go about your business. Your box is safe and completely impregnable, the marketing hype for your OS even says so. You can believe everything you read. Now move along, nothing to see here. Connection closed by foreign host."

Gives me that feeling that there is something else behind that, but I haven't found it yet xD

Give me your opinion and comments about it.

"Thanks You Come Again!" 8-)

Log into that computer and open the command prompt.

Type this into the command prompt:

netstat -ao

That should give you a list of all active connections and listening ports, and the PID of the process that owns the port. Look for the suspicious port and the PID associated with it. You can then use taskman or some other application that can list active processes to find more info about that process, such as the process name.

Then, you still have to figure out whether the process is malicious. I can't help you there without more information.

Errrr, I kinda got it wrong, it's not a Windows box, it's actually my brother's MacBook Pro (mixed up the IPs).

So I won't be able to do netstat -ao because Mac OS netstat doesn't have such options.

I wonder what the heck Zeus Admin is.

The port is 9090 as I said, it's TCP and the service is zeus-admin.

Here's the nmap result:

PORT     STATE SERVICE
427/tcp  open  svrloc (not sure about this either)
548/tcp  open  afpovertcp (this is Mac OS X File Share)
9090/tcp open  zeus-admin (dunno what this is)

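The two replies above describe the same triage step on two platforms: read the tool's socket listing, find the row for the suspicious port, and take the owning PID to a process list. On Windows `netstat -ao` prints the PID column; on macOS the equivalent listing with both PID and command name is `lsof -nP -iTCP -sTCP:LISTEN`. The script below is an added example written for this thread (it is not code posted by anyone here) that parses captured output of both tools and answers "which process owns port 9090?". Both sample outputs are constructed for the example, not real captures from the poster's machines; PIDs, addresses and the command name are invented.

```python
"""
Map a suspicious port to its owning process from captured `netstat -ao`
(Windows) or `lsof -nP -iTCP -sTCP:LISTEN` (macOS) output.
Added example for this thread; not code posted by anyone in it.
"""
from typing import List, NamedTuple, Optional, Tuple


class SocketOwner(NamedTuple):
    proto: str
    local: str              # local host part as printed by the tool
    port: int
    state: str              # LISTENING / ESTABLISHED / LISTEN / "" (UDP has none)
    pid: int
    process: Optional[str]  # only lsof prints the command name; netstat -ao does not


# Constructed sample of Windows `netstat -ao` output (not a real capture).
NETSTAT_AO_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:9090           0.0.0.0:0              LISTENING       4120
  TCP    192.168.1.5:9090       192.168.1.10:51234     ESTABLISHED     4120
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    1184
"""

# Constructed sample of macOS `lsof -nP -iTCP -sTCP:LISTEN` output (not a real capture).
LSOF_SAMPLE = """
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
transmiss   512 bob   10u  IPv4 0x1a2b3c4d5e6f7081      0t0  TCP *:9090 (LISTEN)
AppleFileS  301 root   5u  IPv6 0x1a2b3c4d5e6f7082      0t0  TCP *:548 (LISTEN)
"""


def _split_port(endpoint: str) -> Tuple[str, int]:
    """'0.0.0.0:9090' -> ('0.0.0.0', 9090); '[::]:445' -> ('[::]', 445)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_netstat_ao(text: str) -> List[SocketOwner]:
    """Parse Windows `netstat -ao` rows. Banner and header lines are skipped."""
    rows: List[SocketOwner] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].upper() not in ("TCP", "UDP"):
            continue
        proto, local = parts[0].upper(), parts[1]
        # TCP rows carry a State column (5 fields); UDP rows do not (4 fields).
        # Either way the PID is the last field.
        state = parts[3] if proto == "TCP" and len(parts) == 5 else ""
        pid = int(parts[-1])
        host, port = _split_port(local)
        rows.append(SocketOwner(proto, host, port, state, pid, None))
    return rows


def parse_lsof_listen(text: str) -> List[SocketOwner]:
    """Parse `lsof -nP -iTCP` rows; COMMAND and PID are the first two columns."""
    rows: List[SocketOwner] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] == "COMMAND":
            continue
        command, pid, proto, name = parts[0], int(parts[1]), parts[7], parts[8]
        # NAME is 'host:port' for listeners or 'host:port->peer:port' for
        # established sockets; keep only the local side.
        local = name.split("->", 1)[0]
        state = parts[9].strip("()") if len(parts) > 9 else ""
        host, port = _split_port(local)
        rows.append(SocketOwner(proto, host, port, state, pid, command))
    return rows


def owner_of_port(rows: List[SocketOwner], port: int) -> List[SocketOwner]:
    """Every socket row bound to `port`, so the PID can be looked up in a process list."""
    return [r for r in rows if r.port == port]


if __name__ == "__main__":
    for label, rows in (("netstat -ao", parse_netstat_ao(NETSTAT_AO_SAMPLE)),
                        ("lsof", parse_lsof_listen(LSOF_SAMPLE))):
        for r in owner_of_port(rows, 9090):
            print(f"{label}: {r.proto} port {r.port} {r.state or '-'} -> PID {r.pid} {r.process or ''}")
```

On Windows the PID still has to be resolved to an image name with Task Manager or `tasklist`; on macOS `lsof` already prints the command, which is what finally identifies the "zeus-admin" listener as an ordinary BitTorrent client rather than something hiding behind the banner.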
Doesn't look harmful, but I still like the telnet message.

Same for http://(IP):9090/, same message.

The message is the same because you're still accessing the same program. The message is probably the default response to unknown traffic.

Check out this: http://transmission.m0k.org/trac/browser/t...ion/peerparse.h start reading at line 545.

This is from some torrent client and/or server by the looks of it.
