  #1  
Old 27-07-2002, 13:07
whymeeee whymeeee is offline
Angry Trojan horse

Today after getting a no cd crack by Devience I was attacked ten times from ten different IP addresses. I haven't had any problems like this before I visited your site, so you either are the ones doing this or someone on your site is, which means you don't have any control over who does what on your site. I apologize if you are unaware of this problem, but I am still ticked off about the attacks.
  #2  
Old 27-07-2002, 18:20
KerSpank KerSpank is offline
What exactly do you mean that you were "attacked"?
Were you flooded/DoS'd whatever?
Knocked offline by the 10 IPs?
Scanned for Trojans on those IPs?
What were the ports that were scanned (include firewall log!)
Did you just see 10 port 80 scans ala Nimda/CodeRed other arsehole worm?
NetBIOS scanned?
How long did the scanning last?
Did you email the abuse@ email of the offending IPs ISP?
Did your virus scan tell you that you had a Trojan?
If so which one and what was the name of the file that was so infected?
Can you include some type of log showing the offensive activity? (delete your own IP if you do please!)

If you want help or want someone to believe you and not call you an idiot or other derogatory name you may want to post some semblance of the above. The information may help others as well, if viable...

just my 2c

KerSpank
  #3  
Old 27-07-2002, 22:30
whymeeee whymeeee is offline
It was more like fifty intrusion attempts and still counting. Here are some examples and make whatever you want of it but it didn't start until I visited your sight!!
I've been using the same firewall for months and never had alerts pop-up the way they did today and yes it's been a few months since I've been here. This is what happens when I return.

Date: 7/27/2002 Time: 20:42:10
Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse.
Remote computer (61.248.54.160, 2287)
Date: 7/27/2002 Time: 20:27:57
Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse.
Remote computer (211.222.90.117, 4828)
Date: 7/27/2002 Time: 20:27:54
Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse.
Remote computer (211.222.90.117, 4828)
Date: 7/27/2002 Time: 20:19:43
Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse.
Remote computer (211.186.15.212, 3893)
Date: 7/27/2002 Time: 20:03:54
Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse.
Remote computer (211.222.190.122, 4556)
Date: 7/27/2002 Time: 19:51:01
Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse.
Remote computer (12.219.168.65, 1130)
Date: 7/27/2002 Time: 19:50:58
Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse.
Remote computer (12.219.168.65, 1130)
Date: 7/27/2002 Time: 19:08:13
Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse.
Remote computer (211.225.94.243, 3775)
Date: 7/27/2002 Time: 18:58:28
Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse.
Remote computer (211.204.128.173, 1261)
Date: 7/27/2002 Time: 18:56:23
Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse.
Remote computer (211.190.31.70, 1995)
Date: 7/27/2002 Time: 18:54:47
Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse.
Remote computer (61.36.104.22, 3892)
Date: 7/27/2002 Time: 18:52:18
Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse.
Remote computer (61.80.245.130, 4343)
Date: 7/27/2002 Time: 18:45:57
Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse.
Remote computer (24.50.155.65, 1429)
Date: 7/27/2002 Time: 18:40:19
Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse.
Remote computer (211.230.136.105, 1517)
Date: 7/27/2002 Time: 18:26:05
Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse.
Remote computer (24.184.138.233, 3751)
Date: 7/27/2002 Time: 18:14:30
Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse.
Remote computer (12.248.114.33, 4091)
  #4  
Old 28-07-2002, 01:46
KerSpank KerSpank is offline
Ok, at least we have a start here...
oh, by the way, when you write "didn't start until I visited your sight!!", to whom are you referring? GameCopyWorld site? My site (of which I have no site, lol)? The guy's site from which you downloaded some software? You need to understand about what and about whom you are posting. So just to be clear: I do not work for GameCopyWorld, I'm a user of the site and message boards, just like you...what I'M trying to do is help you to prepare a post that makes sense so that someone might could give you a hand.

Ok so you've got some scans, how EXACTLY did this happen (as in what all software did you have running at the time)? Which mirror site did you visit?
Also can you answer some of the other questions that were put to you? i.e. :
-Did you email the abuse@ email of the offending IPs ISP?
-Did your virus scan tell you that you had a Trojan?
-If so which one and what was the name of the file that was so infected?

Those IPs are from all over the Net (Korea, NY, PA, OH) and they are indicative of just a scan, not an "attack", it's showing that there are probably different wanna be coolios trying to see if you are infected with a Trojan, you aren't, are you? Were you using any other software at the time? Do you go on IRC? Have you been lately? Did you know that when you do go onto/into IRC there are some jackarses that harvest hostmasks and scan for infection so that they can try to exploit you?

All in all it comes down to this, you are going to be scanned when you connect to the Internet, if you want to further protect yourself get yourself a hardware router (linksys, smc, netgear, whatever, they are cheap these days and can be found on special for 50 bucks!) and use it in conjunction with your software firewall as well as your updated virus scanner...as well follow safe practices when using files from unknown locations.

My logs don't show any type of strange activity that coincides with the visitation of this site...do I get scanned? Yes, all the time. Is it a coordinated attack because I'm visiting somewhere? Don't know, don't worry too much about it because I do the things that need to be done to try and protect my system (nothing's perfect though!)

another 2cents thrown in there
KerSpank
  #5  
Old 28-07-2002, 09:25
Xero Xero is offline
Quote:
Originally posted by Zedy
idiot
Helpful.

  #6  
Old 28-07-2002, 15:22
RincewindTheWiz RincewindTheWiz is offline
Maybe there was a time that a firewall alert was rare and exotic when you connected to the internet, but I wasn't around then. Seriously, I've got a constant on ADSL broadband connection, and the alerts for portscanning keep on coming every day. I'm using ZoneAlarm and every portscan (what you're experiencing) used to bring up a popup with a warning, but I had to disable that since I was getting dozens of popups each day. Sometimes more than 100 in 24 hours. So don't get worried, if this is the first time it's happening, you've just been extremely lucky. Or maybe you haven't been online for long or your firewall hasn't been installed for long?

Anyway, incoming portscans can do almost no harm. When they're scanning for a trojan, such as in your case, it just means someone is checking all IP addresses. They don't even know you're there, all they do is scan dozens of numbers and see if they're getting a reply from a trojan. Now, if you DID have a trojan, nothing would happen because the firewall intercepts the incoming messages for this trojan so it never becomes active. Even if you didn't have a firewall in place, nothing would happen if there wasn't a trojan present on your system to listen to these incoming messages.

Outgoing messages are different, and with me for example, I have to give permission in ZoneAlarm for each program that tries to send a message to the internet instead of just listening. If I don't give permission, it is for the program in question as if I don't have a connection. When I start Half-Life for the first time, I would get a window asking if 'hl.exe' should be allowed to have server rights (listening) and to be able to send packets to the game servers. I know hl.exe is aok, so I allow it to send packets outside and the firewall will now automatically receive any packets destined for hl.exe.

But if suddenly a "kerne1.exe" tries to connect outside, I of course refuse this, since I don't know why it would try this. "kerne1.exe" is one of the filenames of one of the trojans, but I don't need to know that. The only thing I need to know is if it's something I want to allow to connect outside or something I don't know.

Only if the trojan program is present on your pc and you do let it connect outside, there can be a problem. And I think this (might) be the case with you. You're getting an awful lot of SubSeven messages, while normally you should be getting all kinds of things like port 80 scans (code red), other trojans etc...

In fact this can be no coincidence. My ZoneAlarm firewall blocks incoming traffic AND outgoing traffic. I know some vendors sell firewalls which do not block outgoing traffic. It's all guesswork on my side, so I could be wrong about this, but it seems the port scanners are getting messages from your pc that the subseven trojan is there. Trojans often 'call home' to certain irc-servers to be checked by script kiddies later.

I don't think this is a coincidence, and I suspect you do have the subseven trojan. But don't worry, they can't control it, because your firewall is in the way of the incoming commands from the script kiddies. If you want to get rid of these attempts to contact the trojan, you obviously have to remove it. If you don't have an up to date virus scanner I advise you to get one. Failing that, try one of the free subseven removal programs, like one from this page.

It could very well be that your pc is squeaky clean and the virus scanners and removal tools find nothing. But it's better to be safe than sorry... Once again, I'm only speculating here, but I think more is going on than just the random harmless portscanning everyone gets. As long as your firewall is working, you have nothing to fear, but DO try to find out if you do have the trojan, OK?
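
Added example, not part of any poster's message: a short Python triage of alerts in the format whymeeee posted, counting the distinct sources and rules that KerSpank and RincewindTheWiz reason from. The sample log is constructed with placeholder addresses, and treating two alerts from the same IP and source port within 10 seconds as one retried connection attempt is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the alert format posted in the thread; addresses are
# documentation-range placeholders, not the ones from the log above.
SAMPLE_LOG = """\
Date: 7/27/2002 Time: 20:27:57
Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse.
Remote computer (192.0.2.10, 4828)
Date: 7/27/2002 Time: 20:27:54
Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse.
Remote computer (192.0.2.10, 4828)
Date: 7/27/2002 Time: 19:51:01
Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse.
Remote computer (198.51.100.7, 1130)
"""

ALERT_RE = re.compile(
    r"Date:\s*(?P<date>\S+)\s+Time:\s*(?P<time>\S+)\s*\n"
    r"Security alert displayed for rule (?P<rule>.+?)\.\s*\n"
    r"Remote computer \((?P<ip>[\d.]+),\s*(?P<port>\d+)\)"
)

def parse_alerts(text):
    """Return one dict per alert: timestamp, rule name, remote IP and port."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
        alerts.append({"ts": ts, "rule": m["rule"], "ip": m["ip"], "port": int(m["port"])})
    return alerts

def summarize(alerts, retry_window=10):
    """Collapse retries (same IP and source port within retry_window seconds)
    and count the distinct sources and rules that remain."""
    ordered = sorted(alerts, key=lambda a: a["ts"])
    probes, last_seen = [], {}
    for a in ordered:
        key = (a["ip"], a["port"])
        prev = last_seen.get(key)
        if prev is None or (a["ts"] - prev).total_seconds() > retry_window:
            probes.append(a)
        last_seen[key] = a["ts"]
    return {
        "alerts": len(alerts),
        "probes": len(probes),
        "sources": len({a["ip"] for a in probes}),
        "rules": Counter(a["rule"] for a in probes),
    }
```

Run `summarize(parse_alerts(log_text))` on an exported log: many unrelated sources with one or two probes each matches the background scanning KerSpank describes, while a log dominated by a single rule is the pattern RincewindTheWiz suggests following up with a virus scan.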
  #7  
Old 09-11-2002, 20:13
Xero Xero is offline
Quote:
Originally posted by Zedy
Another idiot
Just sifting thru my posts and found this. Then decided to sift thru yours. Interesting find -- Your demeanor and behavior towards others is rather cruel, and unjust. People's post counts do NOT make the person. If you want to bully people, go back to school - kid. But oh wait, that's why you do it here. Because in person, you would probably shudder.

I'd also like to point out, the posts that I read that weren't flat out spamming, or flaming from you - were quite helpful.

g'day.

Last edited by Xero; 09-11-2002 at 20:36.
Copyright 2000-2020, FileForums @ https://fileforums.com