#1
Trojan horse
Today after getting a no CD crack by Devience I was attacked ten times from ten different IP addresses. I haven't had any problems like this before I visited your site, so either you are the ones doing this or someone on your site is, which means you don't have any control over who does what on your site. I apologize if you are unaware of this problem, but I am still ticked off about the attacks.
#2
What exactly do you mean by "attacked"?
Were you flooded/DoS'd, whatever? Knocked offline by the 10 IPs? Scanned for Trojans on those IPs? What were the ports that were scanned (include your firewall log!)? Did you just see 10 port 80 scans à la Nimda/CodeRed or some other arsehole worm? NetBIOS scanned? How long did the scanning last? Did you email the abuse@ address of the offending IPs' ISP? Did your virus scanner tell you that you had a Trojan? If so, which one, and what was the name of the file that was infected? Can you include some type of log showing the offensive activity? (Delete your own IP if you do, please!) If you want help, or want someone to believe you and not call you an idiot or other derogatory name, you may want to post some semblance of the above. The information may help others as well, if viable... just my 2c

KerSpank
#3
It was more like fifty intrusion attempts and still counting. Here are some examples; make whatever you want of it, but it didn't start until I visited your site!!
I've been using the same firewall for months and never had alerts pop up the way they did today, and yes, it's been a few months since I've been here. This is what happens when I return:
Date: 7/27/2002 Time: 20:42:10 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (61.248.54.160, 2287)
Date: 7/27/2002 Time: 20:27:57 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (211.222.90.117, 4828)
Date: 7/27/2002 Time: 20:27:54 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (211.222.90.117, 4828)
Date: 7/27/2002 Time: 20:19:43 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (211.186.15.212, 3893)
Date: 7/27/2002 Time: 20:03:54 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (211.222.190.122, 4556)
Date: 7/27/2002 Time: 19:51:01 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (12.219.168.65, 1130)
Date: 7/27/2002 Time: 19:50:58 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (12.219.168.65, 1130)
Date: 7/27/2002 Time: 19:08:13 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (211.225.94.243, 3775)
Date: 7/27/2002 Time: 18:58:28 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (211.204.128.173, 1261)
Date: 7/27/2002 Time: 18:56:23 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (211.190.31.70, 1995)
Date: 7/27/2002 Time: 18:54:47 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (61.36.104.22, 3892)
Date: 7/27/2002 Time: 18:52:18 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (61.80.245.130, 4343)
Date: 7/27/2002 Time: 18:45:57 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (24.50.155.65, 1429)
Date: 7/27/2002 Time: 18:40:19 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (211.230.136.105, 1517)
Date: 7/27/2002 Time: 18:26:05 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (24.184.138.233, 3751)
Date: 7/27/2002 Time: 18:14:30 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (12.248.114.33, 4091)
#4
Ok, at least we have a start here...

Oh, by the way, when you write "didn't start until I visited your site!!", to whom are you referring? The GameCopyWorld site? My site (of which I have no site, lol)? The site of the guy from whom you downloaded some software? You need to understand about what and about whom you are posting. So just to be clear: I do not work for GameCopyWorld, I'm a user of the site and message boards, just like you... what I'M trying to do is help you to prepare a post that makes sense so that someone might give you a hand.

Ok, so you've got some scans. How EXACTLY did this happen (as in, what software did you have running at the time)? Which mirror site did you visit? Also, can you answer some of the other questions that were put to you? i.e.:
- Did you email the abuse@ address of the offending IPs' ISP?
- Did your virus scanner tell you that you had a Trojan?
- If so, which one, and what was the name of the file that was infected?

Those IPs are from all over the Net (Korea, NY, PA, OH) and they are indicative of just a scan, not an "attack"; it's showing that there are probably different wanna-be coolios trying to see if you are infected with a Trojan. You aren't, are you? Were you using any other software at the time? Do you go on IRC? Have you been lately? Did you know that when you do go onto/into IRC there are some jackarses that harvest hostmasks and scan for infection so that they can try to exploit you?

All in all it comes down to this: you are going to be scanned when you connect to the Internet. If you want to further protect yourself, get yourself a hardware router (Linksys, SMC, Netgear, whatever; they are cheap these days and can be found on special for 50 bucks!) and use it in conjunction with your software firewall as well as your updated virus scanner... as well, follow safe practices when using files from unknown locations. My logs don't show any type of strange activity that coincides with visiting this site... do I get scanned? Yes, all the time. Is it a coordinated attack because I'm visiting somewhere? Don't know, don't worry too much about it, because I do the things that need to be done to try and protect my system (nothing's perfect though!). Another 2 cents thrown in there.

KerSpank
#5
#6
Maybe there was a time that a firewall alert was rare and exotic when you connected to the internet, but I wasn't around then. Seriously, I've got a constant-on ADSL broadband connection, and the alerts for portscanning keep on coming every day. I'm using ZoneAlarm and every portscan (what you're experiencing) used to bring up a popup with a warning, but I had to disable that since I was getting dozens of popups each day. Sometimes more than 100 in 24 hours. So don't get worried; if this is the first time it's happening, you've just been extremely lucky. Or maybe you haven't been online for long, or your firewall hasn't been installed for long?

Anyway, incoming portscans can do almost no harm. When they're scanning for a trojan, such as in your case, it just means someone is checking all IP addresses. They don't even know you're there; all they do is scan dozens of numbers and see if they're getting a reply from a trojan. Now, if you DID have a trojan, nothing would happen, because the firewall intercepts the incoming messages for this trojan so it never becomes active. Even if you didn't have a firewall in place, nothing would happen if there wasn't a trojan present on your system to listen to these incoming messages.

Outgoing messages are different, and with me for example, I have to give permission in ZoneAlarm for each program that tries to send a message to the internet instead of just listening. If I don't give permission, it is for the program in question as if I don't have a connection. When I start Half-Life for the first time, I would get a window asking if 'hl.exe' should be allowed to have server rights (listening) and to be able to send packets to the game servers. I know hl.exe is A-OK, so I allow it to send packets outside and the firewall will now automatically receive any packets destined for hl.exe. But if suddenly a "kerne1.exe" tries to connect outside, I of course refuse this, since I don't know why it would try this. "kerne1.exe" is one of the filenames of one of the trojans, but I don't need to know that. The only thing I need to know is if it's something I want to allow to connect outside or something I don't know.

Only if the trojan program is present on your PC and you do let it connect outside can there be a problem. And I think this (might) be the case with you. You're getting an awful lot of SubSeven messages, while normally you should be getting all kinds of things like port 80 scans (Code Red), other trojans etc... In fact this can be no coincidence. My ZoneAlarm firewall blocks incoming traffic AND outgoing traffic. I know some vendors sell firewalls which do not block outgoing traffic. It's all guesswork on my side, so I could be wrong about this, but it seems the port scanners are getting messages from your PC that the SubSeven trojan is there. Trojans often 'call home' to certain IRC servers to be checked by script kiddies later. I don't think this is a coincidence, and I suspect you do have the SubSeven trojan. But don't worry, they can't control it, because your firewall is in the way of the incoming commands from the script kiddies.

If you want to get rid of these attempts to contact the trojan, you obviously have to remove it. If you don't have an up-to-date virus scanner, I advise you to get one. Failing that, try one of the free SubSeven removal programs, like one from this page. It could very well be that your PC is squeaky clean and the virus scanners and removal tools find nothing. But it's better to be safe than sorry... Once again, I'm only speculating here, but I think more is going on than just the random harmless portscanning everyone gets. As long as your firewall is working, you have nothing to fear, but DO try to find out if you do have the trojan, ok?
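Posts #3, #4 and #6 disagree about what the firewall log shows: a random sweep by many unrelated hosts, or something persistent aimed at one machine. As an added example that is not part of the original thread, the Python script below parses alert lines in the exact format quoted in post #3, merges a retransmitted connect from the same remote IP and source port into one attempt, and then counts attempts per source so the two readings can be told apart from the data rather than from a gut feeling. The sample input is the sixteen lines quoted in post #3, copied into a string; the 10-second retransmit window and the threshold of three attempts from one source for calling it "targeted" are the example's own assumptions, not anything the posters stated.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: the sixteen firewall alert lines quoted in post #3,
# copied verbatim so the script runs offline. The post lists them newest-first.
SAMPLE_LOG = """\
Date: 7/27/2002 Time: 20:42:10 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (61.248.54.160, 2287)
Date: 7/27/2002 Time: 20:27:57 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (211.222.90.117, 4828)
Date: 7/27/2002 Time: 20:27:54 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (211.222.90.117, 4828)
Date: 7/27/2002 Time: 20:19:43 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (211.186.15.212, 3893)
Date: 7/27/2002 Time: 20:03:54 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (211.222.190.122, 4556)
Date: 7/27/2002 Time: 19:51:01 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (12.219.168.65, 1130)
Date: 7/27/2002 Time: 19:50:58 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (12.219.168.65, 1130)
Date: 7/27/2002 Time: 19:08:13 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (211.225.94.243, 3775)
Date: 7/27/2002 Time: 18:58:28 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (211.204.128.173, 1261)
Date: 7/27/2002 Time: 18:56:23 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (211.190.31.70, 1995)
Date: 7/27/2002 Time: 18:54:47 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (61.36.104.22, 3892)
Date: 7/27/2002 Time: 18:52:18 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (61.80.245.130, 4343)
Date: 7/27/2002 Time: 18:45:57 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (24.50.155.65, 1429)
Date: 7/27/2002 Time: 18:40:19 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (211.230.136.105, 1517)
Date: 7/27/2002 Time: 18:26:05 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (24.184.138.233, 3751)
Date: 7/27/2002 Time: 18:14:30 Security alert displayed for rule Default Block Backdoor/SubSeven Trojan horse. Remote computer (12.248.114.33, 4091)
"""

# One alert record as it appears in the post: date, time, rule name, remote IP and remote port.
ALERT_RE = re.compile(
    r"Date: (?P<date>\S+) Time: (?P<time>\S+) Security alert displayed for rule "
    r"(?P<rule>.+?)\. Remote computer \((?P<ip>\d{1,3}(?:\.\d{1,3}){3}), (?P<port>\d+)\)"
)


def parse_alerts(text):
    """Return one dict per alert line, sorted oldest-first; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
        events.append({"ts": ts, "rule": m["rule"], "ip": m["ip"], "port": int(m["port"])})
    events.sort(key=lambda e: e["ts"])
    return events


def collapse_retransmits(events, window_s=10):
    """Merge alerts from the same (remote IP, remote port) within window_s seconds.

    A second SYN from the same source port a few seconds later is the peer's TCP
    retransmission of one unanswered connect, not a second probe. window_s is an
    assumed value chosen to cover the usual first retransmission.
    """
    attempts, last_seen = [], {}
    for e in events:
        key = (e["ip"], e["port"])
        prev = last_seen.get(key)
        last_seen[key] = e["ts"]
        if prev is not None and (e["ts"] - prev).total_seconds() <= window_s:
            continue
        attempts.append(e)
    return attempts


def triage(text, targeted_threshold=3):
    """Summarize a log and label it 'sweep' or 'targeted'.

    The threshold is an assumption: one source coming back targeted_threshold or more
    times is worth a closer look; many sources each probing once is the background
    sweep described in post #4.
    """
    events = parse_alerts(text)
    attempts = collapse_retransmits(events)
    per_source = Counter(a["ip"] for a in attempts)
    persistent = sorted(ip for ip, n in per_source.items() if n >= targeted_threshold)
    return {
        "alerts": len(events),
        "attempts": len(attempts),
        "sources": len(per_source),
        "max_per_source": max(per_source.values(), default=0),
        "persistent_sources": persistent,
        "rules": sorted({e["rule"] for e in events}),
        "first": events[0]["ts"] if events else None,
        "last": events[-1]["ts"] if events else None,
        "verdict": "targeted" if persistent else "sweep",
    }


def abuse_report_lines(text):
    """One line per source (attempt count and time span) for the abuse@ mail post #2 suggests.
    Times are the logging host's local clock; the post gives no timezone."""
    by_ip = {}
    for a in collapse_retransmits(parse_alerts(text)):
        by_ip.setdefault(a["ip"], []).append(a["ts"])
    return [
        f"{ip}: {len(ts)} attempt(s) between {min(ts):%Y-%m-%d %H:%M:%S} and {max(ts):%Y-%m-%d %H:%M:%S}"
        for ip, ts in sorted(by_ip.items(), key=lambda kv: min(kv[1]))
    ]


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    print()
    print("\n".join(abuse_report_lines(SAMPLE_LOG)))
```

On the quoted log the script finds 16 alerts but only 14 attempts from 14 different sources, none of which came back: the two pairs three seconds apart (211.222.90.117 port 4828 and 12.219.168.65 port 1130) are single retransmitted connects. That is the pattern KerSpank calls a scan rather than an attack; the script would only say "targeted" if one address kept returning, which is the case worth a follow-up or an abuse mail.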
#7
I'd also like to point out that the posts I read that weren't flat-out spamming or flaming from you were quite helpful. g'day.
Last edited by Xero; 09-11-2002 at 20:36.