Off Topics > Have I tracked a hacker? Weird stuff!
 
 
spurry
Veteran
Location: Wolverhampton/Leeds/ Dumfries, UK

Just got a nice new PC with XP and all the Norton goodies. But I just got an email saying an email from my account was blocked as it contained a PIF file, and it was from flyingfish, a flying school here in the UK, which is weird because it was to do with flying and I have never emailed them or saved their address.

I ran a few searches and was going through all the Norton things when I saw that I had had an attempted trojan attack and had the option to track it. It came from Santa Clara in the States and I have the ISP, address, phone number and everything by using the Visual Tracker. Anyone know what all this is about?

I have run the removal tool for 'W32.Novarg.A@mm', for more info:
symantec but that found nothing, so later on I will do full scans with Norton. I did notice today while my PC was just idle that there was a slow but constant rate of bytes being sent out. Is there someone there weaning info from my emails or is this just normal firewall behaviour?

thanks, James
01-27-2004
 
 
Spitfire_mk5
Key Veteran
Location: Canada

Your computer should NOT be sending out a constant stream when idle.
All the firewall should be doing is blocking ports (i.e. ignoring requests to your computer through a given pathway) and blocking pings and network scans. Check you have the latest virus definitions (Norton updates theirs weekly on Wednesday, so check tomorrow too). Also go into Task Manager and have a look if you have any processes (not applications) running that you question; just Google them and that should say what they are for, or if they are standalone viri (is that even a plural?). Also you can go to msconfig or regedit and see what's being loaded as services, but I wouldn't recommend it (especially regedit, as a typo there can make your machine inoperable).


Just update Norton and run a scan now, then do it again tomorrow after the new definitions are published (or you could manually go get them now), keep a lookout for your network usage, check your firewall settings and run some scans. It may be nothing...
01-27-2004
 
 
ScareCrow_Delta
Veteran
Location: Sebastian, FL

If you are not surfing the net, nothing should be sending out. The best way to know if you have a port open or communicating when you did not initiate it is to try the command netstat. Go to "Run" and type "command". You will be at the DOS prompt. Type "netstat -a". It will show you all the connections and the ports; it will also tell you if it is listening or sending.

~~~~ Defy the laws of gravity....gracefully ~~~~
01-27-2004
 
 
SolarXtreme
Veteran
Location: Arroyo Grande, CA

Don't want to scare anyone, nor am I saying this is your problem, but there is a nasty trojan going around right now. I think it is called Backdoor.VB.6 or something like that. It gets worse as it propagates itself through your system. I know that Symantec and Norton still don't have pertinent facts on this particular virus, which appears to be a trojan. We tried using AVG virus detection software and it found it but still could not get rid of it, as it has somehow locked into his system restore files. I have yet to see a virus as sophisticated as this one, as it runs several different executables at once and is always changing names.

I picked a hell of a day to quit drinking

Avant EFX
Freya EVO
01-27-2004
 
 
spurry
Veteran
Location: Wolverhampton/Leeds/ Dumfries, UK

Thanks for the info. It's still sending bytes out non-stop, which is annoying me now, and there are many processes showing in Task Manager so I wouldn't know if there is anything out of the usual, being new to XP.

I got about 25 results using netstat -a in the DOS prompt, some with a foreign address. I don't know if the email I got sheds any light:
Quote 
-------------------------------------------------------------------------------------------------------------
BANNED FILENAME ALERT

Our content checker found
banned name: file.pif
in email presumably from you (),
to the following recipient:
-> aha@flyinfish.co.uk


Please check your system,
or ask your system administrator to do so.

Delivery of the email was stopped!


For your reference, here are headers from your email:
------------------------- BEGIN HEADERS -----------------------------
Return-Path:

Received: from mailforward.freeparking.co.uk
(mailforward.freeparking.co.uk [207.35.205.40])
by postfix3.intermedia.net (Postfix) with ESMTP id 77F66375EC
for ;
Wed, 28 Jan 2004 02:27:21 +0800 (GMT-8)
Received: from [81.97.132.93] (helo=email.com)
by mailforward.freeparking.co.uk with esmtp (Exim 4.24)
id 1AlY1n-0006Hg-5Y
for chariman@aha-online.org.uk;
Tue, 27 Jan 2004 13:33:35 -0500
From: spurry@email.com

To: chariman@aha-online.org.uk

Subject: test
Date: Tue, 27 Jan 2004 18:19:19 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0013_A977A8FF.59093AD2"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id:

-------------------------- END HEADERS ------------------------------


--------------------------------------------------------------------------------

Reporting-MTA: dns; postfix3.intermedia.net
Received-From-MTA: smtp; postfix3.intermedia.net ([127.0.0.1])
Arrival-Date: Tue, 27 Jan 2004 10:27:22 -0800 (PST)

Final-Recipient: rfc822; aha@flyinfish.co.uk

Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 Message content rejected,
id=12788-09 - BANNED: file.pif
Last-Attempt-Date: Tue, 27 Jan 2004 10:27:22 -0800 (PST)


--------------------------------------------------------------------------------

Received: from mailforward.freeparking.co.uk
(mailforward.freeparking.co.uk [207.35.205.40])
by postfix3.intermedia.net (Postfix) with ESMTP id 77F66375EC
for ;
Wed, 28 Jan 2004 02:27:21 +0800 (GMT-8)
Received: from [81.97.132.93] (helo=email.com)
by mailforward.freeparking.co.uk with esmtp (Exim 4.24)
id 1AlY1n-0006Hg-5Y
for chariman@aha-online.org.uk;
Tue, 27 Jan 2004 13:33:35 -0500
From: spurry@email.com

To: chariman@aha-online.org.uk

Subject: test
Date: Tue, 27 Jan 2004 18:19:19 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0013_A977A8FF.59093AD2"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id:

-------------------------------------------------------------------------------------------------------------




I will go now and do a full Norton check, and again tomorrow, then report back. If the email doesn't mean anything I'll just erase all that garbage from this thread.
01-28-2004
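An added example (mine, not anything posted in the thread) of reading that bounce the way a defender would: the From: line is only text the sending program wrote, while the IP in the earliest Received: line was recorded by the relay that accepted the message. The header block is constructed from the bounce quoted above (folding restored, the elided recipient dropped), and the public address to compare against is a parameter; 81.133.97.175 is the local address that appears in the Norton log later in the thread.

```python
import email
import re

# Constructed from the bounce quoted above (folding restored, elided fields dropped).
BOUNCED_HEADERS = """\
Received: from mailforward.freeparking.co.uk
    (mailforward.freeparking.co.uk [207.35.205.40])
    by postfix3.intermedia.net (Postfix) with ESMTP id 77F66375EC;
    Wed, 28 Jan 2004 02:27:21 +0800 (GMT-8)
Received: from [81.97.132.93] (helo=email.com)
    by mailforward.freeparking.co.uk with esmtp (Exim 4.24)
    id 1AlY1n-0006Hg-5Y
    for chariman@aha-online.org.uk; Tue, 27 Jan 2004 13:33:35 -0500
From: spurry@email.com
To: chariman@aha-online.org.uk
Subject: test
Date: Tue, 27 Jan 2004 18:19:19 +0000
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"\(helo=([^)\s]+)\)")
BY_RE = re.compile(r"\bby\s+(\S+)")

def _first(pattern, text):
    m = pattern.search(text)
    return m.group(1) if m else None

def received_hops(raw_headers):
    """Received: hops oldest-first. Relays prepend their own line, so the
    last header in the message is the machine that handed the mail in."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        hops.append({"ip": _first(IP_RE, value),
                     "helo": _first(HELO_RE, value),
                     "by": _first(BY_RE, value)})
    return list(reversed(hops))

def assess_origin(raw_headers, my_public_ip):
    """Compare the first hop's IP with my own address: From: is whatever the
    sender wrote, the IP was recorded by the relay that accepted the mail."""
    msg = email.message_from_string(raw_headers)
    first_hop = received_hops(raw_headers)[0]
    return {"claimed_from_domain": msg["From"].rsplit("@", 1)[-1].lower(),
            "helo_claimed": first_hop["helo"],
            "origin_ip": first_hop["ip"],
            "recorded_by": first_hop["by"],
            "sent_from_my_address": first_hop["ip"] == my_public_ip}
```

If the first hop's IP is not your own, your machine did not send the mail regardless of what From: says.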
 
 
spurry
Veteran
Location: Wolverhampton/Leeds/ Dumfries, UK

According to Norton's log viewer:
Quote 

Trojan Attempt
Details: Rule Default Block Backdoor/SubSeven Trojan horse matched
Remote address (172.157.3.76,3107)
Rule "Default Block Backdoor/SubSeven Trojan horse" blocked (172.157.3.76,27374)
Inbound TCP connection
Local address,service is (SN032696020094(81.133.97.175),27374)
Remote address,service is (172.157.3.76,3107)
Process name is "N/A"



Now I will run one of those scans that takes half a day to see what it shows.
01-28-2004
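An added example (not from the thread) that ties ScareCrow_Delta's netstat advice to the Norton log just above: it parses a "netstat -a" listing and calls out a local listener on 27374, the port that Norton's SubSeven rule refers to. The listing is constructed in the layout of XP's netstat output, not output captured from the poster's machine, and the port table is an assumption you can extend.

```python
import re

# The port that Norton's "Default Block Backdoor/SubSeven" rule in the log
# above refers to; extend this table with whatever else you want called out.
BACKDOOR_PORTS = {27374: "SubSeven default port"}

# Constructed sample in the layout of Windows XP "netstat -a" (hostname:port,
# well-known ports shown by service name); not output captured in the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    SN032696020094:epmap   SN032696020094:0       LISTENING
  TCP    SN032696020094:27374   SN032696020094:0       LISTENING
  TCP    SN032696020094:1062    172.157.3.76:3107      ESTABLISHED
  TCP    SN032696020094:1075    203.0.113.5:http       ESTABLISHED
  UDP    SN032696020094:ntp     *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+)\s*(\S+)?\s*$")

def parse_netstat(text):
    """One dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, _host, port, foreign, state = m.groups()
            rows.append({"proto": proto, "port": port,
                         "foreign": foreign, "state": state or ""})
    return rows

def triage(text):
    """Split the listing into listeners, live connections and flags.
    Every ESTABLISHED entry on an idle machine should be explainable;
    a LISTENING backdoor port matters far more than a blocked inbound
    probe to it, which scanners send to everyone."""
    listening, established, flags = [], [], []
    for r in parse_netstat(text):
        if r["state"] == "LISTENING":
            listening.append(r["port"])
            if r["port"].isdigit() and int(r["port"]) in BACKDOOR_PORTS:
                flags.append(f"local port {r['port']} is listening: "
                             f"{BACKDOOR_PORTS[int(r['port'])]}")
        elif r["state"] == "ESTABLISHED":
            established.append(r["foreign"])
    return {"listening": listening, "established": established, "flags": flags}
```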
 
 
Blackdog
Senior Heliman
Location: In a snow bank.........with no money

Email

Yesterday I got a weird email that appeared to be sent through RunRyder. It had a file attached. It also said something about a PIF file that it was not able to open???? The title of the email with the DOC said "Hi".

I deleted it immediately!!!!

Blackdog

Addicted to Kaos and destin for disaster
01-28-2004
 
 
SolarXtreme
Veteran
Location: Arroyo Grande, CA

Hmm, looks like it might be the Backdoor trojan. You will see a bunch of weird processes in your Task Manager like "dsy321.exe", "pif05.exe" etc... If you kill them they will rename themselves and start up as a new process. If you do find a way to wipe it out please let me know. My friend wants to avoid doing an entire reformat/reinstall if he can, and Norton and Symantec have been no help.

I picked a hell of a day to quit drinking

Avant EFX
Freya EVO
01-28-2004
 
 
rcsoar4fun
Veteran
Location: Corpus Christi, TX

Computers, my other hobby

Firstly, a "hacker" has no interest in your system. Hackers are exceptionally skilled computer users that do not commit crimes. Crackers commit crimes. It's like the difference between a locksmith and a carjacker. Your problem is probably either a run-of-the-mill virus or a script kiddie. The term kidiot is also acceptable. The IP addresses are not very useful. Chances are that it is the IP of another machine infected by a virus, or the IP is spoofed (forged).

XP also has a bunch of stuff that runs in the background that *might* be sending out data. If you are running Media Player it will constantly utilize bandwidth. XP will also consistently check for updates. Your vscan could be updating. What kind of internet service are you using? When I was using SBC's DSL with PPPoE it was constantly communicating. Netstat is a good one to check, as is nbtstat -S.
Go to the Control Panel and check what services are running. Stupidly, telnet and FTP tend to be turned on by default and should be disabled. If you don't know what those 2 do, you don't need them. Try installing a new antivirus program or using one of the online scans. www.antivirus.com offers a free online scan. Make sure your OS is updated at www.windowsupdate.com. Lastly, consider investing in a broadband router with NAT. It's not perfect, but it is simple and will cause most of the kidiots to move on. Be sure to change the default password.

Kristopher
01-28-2004
 
 
Sar
Elite Veteran
Location: Kingston, NY

In the last couple of days there has been a big run of e-mail virus/trojan attempts. Never open an attachment from someone you don't know, or one that you weren't expecting, even if it looks harmless.

BTW Spurry, you should disconnect the infected machine from the network, chances are there could be a keylogger installed which is recording your every keystroke, or worse. Leaving it connected with a trojan/backdoor running is just a bad idea.

--
Jon
01-28-2004
 
 
Spitfire_mk5
Key Veteran
Location: Canada

Yeah, there has been a lot of trojan activity lately (today). This just shows people: NEVER OPEN ATTACHMENTS UNLESS YOU KNOW WHAT THEY ARE!!!!!! Even an innocent JPEG can either have a hidden extension like photo.jpg.exe or be particularly malformed, and can execute code on your machine.

If you are running a network -- pull the plug on that computer until you can get it sorted out.
One bad computer is a headache, a whole network of them is... well...
01-28-2004
 
 
Jim C
Veteran
Location: Indiana, PA

Latest Norton defs are 1/26/04 rev. 24; that should catch anything. Go to symantec.com and find the removal tools if you do have something. Remember to disable the restore feature; they tell you how to do it. And yes, there is all kinds of stuff going on this month. I got a hot email at work; I'll paste it below.

W32.Novarg ("MyDoom") is a mass-mailing worm. The worm will arrive as an attachment with a file extension of .bat, .cmd, .exe, .pif, .scr, or .zip.

http://www.symantec.com/avcenter/ve...ovarg.a@mm.html

Virus definitions dated 1/26/04 or later will detect this new worm. Ensure your systems are running the latest antiviral signature file (1/26/04) or later.

As always, before you open an attachment (even from someone you know), scan it with antiviral software.

The email will have the following characteristics:

From: may be a spoofed from address
Subject:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Message:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

Attachment:
document
readme
doc
text
file
data
test
message
body

with one of the following suffixes:
.pif
.scr
.exe
.cmd
.bat
.zip

http://jimsrc.com
01-28-2004
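An added example (mine, not part of Jim C's post or the advisory he pasted) that turns the characteristics listed above into a check you can run over a message's subject, body and attachment name. The indicator lists are transcribed from the advisory; the scoring rule and the double-extension check (the photo.jpg.exe trick mentioned earlier in the thread) are my assumptions about how to weigh them.

```python
import os

# Indicator lists transcribed from the advisory quoted above.
SUBJECTS = {"test", "hi", "hello", "mail delivery system", "mail transaction failed",
            "server report", "status", "error"}
BODY_PHRASES = (
    "mail transaction failed. partial message is available.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
)
ATTACH_NAMES = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
SUFFIXES = {".pif", ".scr", ".exe", ".cmd", ".bat", ".zip"}

def attachment_indicators(filename):
    """Reasons an attachment name matches the worm's pattern (empty if none)."""
    reasons = []
    base, ext = os.path.splitext(filename.lower())
    if ext in SUFFIXES:
        reasons.append(f"executable-style suffix {ext}")
        if base in ATTACH_NAMES:
            reasons.append(f"generic attachment name '{base}'")
        inner = os.path.splitext(base)[1]
        if inner:  # photo.jpg.exe: a hidden second extension behind a harmless one
            reasons.append(f"double extension {inner}{ext}")
    return reasons

def assess_message(subject, body, attachment=None):
    """Score one message against the advisory's characteristics (scoring is
    my assumption). The canned body text is specific enough on its own; a
    listed subject is not (people really do send mail titled "hi"), so it
    only counts together with a suspicious attachment."""
    subject_hit = subject.strip().lower() in SUBJECTS
    body_norm = " ".join(body.lower().split())
    body_hit = any(p in body_norm for p in BODY_PHRASES)
    att_reasons = attachment_indicators(attachment) if attachment else []
    reasons = list(att_reasons)
    if subject_hit:
        reasons.append(f"subject '{subject.strip()}' is on the worm's list")
    if body_hit:
        reasons.append("body is one of the worm's canned 'binary attachment' texts")
    suspicious = body_hit or (bool(att_reasons) and (subject_hit or len(att_reasons) > 1))
    return {"suspicious": suspicious, "reasons": reasons}
```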
 
 
fitenfyr
rrProfessor
Location: Port Orchard, Washington

Hmmm..

I had like 3 e-mails returned to me today that I never sent out. Not even addresses in my book. I use a 3rd party web E-mail to check my mail so nothing is on my system. I hope.
Sounds like this trojan is really infecting the net.
Time for an update and a scan for sure.

Jason Stiffey
Fly Fast....Live Slow...
01-28-2004
 
 
hercules
Senior Heliman
Location: Pittsburgh, Pennsylvania - USA

rcsoar4fun,

Thanks for the link, www.antivirus.com. I ran it for the heck of it and it found two worms and one trojan on my computer. Deleted them immediately. Thanks again!
01-28-2004
 
 
rcsoar4fun
Veteran
Location: Corpus Christi, TX

No problem, it's a good link to have around. Some of the more advanced viruses will corrupt the virus scanners installed on your PC as soon as they can. Even with updates they will miss the virus. You might also want to check www.grisoft.com. They make AVG antivirus, one of the best around. It's also freely downloadable.

Kristopher
01-28-2004
 
 
Blackdog
Senior Heliman
Location: In a snow bank.........with no money

Holy Crap

Jim,

That is the exact email I received yesterday.

It read

Subject "HI"

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

The attachment was a DOC file.

I deleted it immediately and then immediately emptied the recycling bin and trash can.

BY DOING WHAT I DID....... IS MY COMPUTER OK?? Is there something else I should do??

Thanks,

Blackdog

Addicted to Kaos and destin for disaster
01-28-2004
 
 
Jim C
Veteran
Location: Indiana, PA

As long as you didn't download the attachment you are OK. If you did, you better start clicking the antivirus links above to check, because you probably have it. Get to it; this one is gonna be rough.

http://jimsrc.com
01-28-2004
 
 
ScareCrow_Delta
Veteran
Location: Sebastian, FL

VIRUS!!!!

I have examined that message and it is a VIRUS. It will install itself and it will initiate as a screensaver. DO NOT OPEN THE FILE!!!!!

~~~~ Defy the laws of gravity....gracefully ~~~~
01-29-2004
 
 
daggit
Elite Veteran
Location: Waseca MN

Quote 
I had like 3 e-mails returned to me today that I never sent out.


I've been getting these pesky emails constantly lately.
01-31-2004
 
 
doo
Heliman
Location: washington state

Typically, worms that steal email addresses (from MS Outlook contacts) send out using an email address they steal. So if and when they get bounced, they get bounced back to someone (from an email address that was in an affected user's contacts) who was never infected in the first place.

Solution? Keep your OS updated, including your antivirus definitions daily, and use common sense. Implement some sort of firewall like NAT.

and RTFM
01-31-2004
 
 
Copyright © 2000 - 2009 runryder.com