Sub7 Routine-!?!



sea69
12-14-2001, 12:30 PM
I was noticing IE internet activity (that shouldn't have been happening).

I hit "LOCK" on Zone Alarm.

I have isolated the source, as shown in one (http://fusionhrd.homestead.com/files/1st.jpg):

Me. I am the source of my own unauthorized IE connecting.

This is because the person in the following illustration:

two (http://fusionhrd.homestead.com/files/2nd.jpg)


has inserted a Sub7 trojan, reported by ZoneAlyizer.

3rd illustration:
three (http://fusionhrd.homestead.com/files/3rd.jpg)


Upon scanning the address that ZA indicates this came from, I find the following ports open at that IP, 217.80.72.27:

HTTP/1.0 302 Found
Server: David-WebBox/6.60a(0286)
Pragma: no cache
Content-Type: text/html
Content-Length: 88
Location:

idiot (http://fusionhrd.homestead.com/files/idiot.jpg)


You will please observe that the address this page is being SERVED from is mine!!


Seems I've been hacked and am now serving a German website?

http://translate.google.com/translate?hl=en&sl=de&u=http://www.computerzeit.de/computerzeit/wasisdvd.htm&prev=/search%3Fq%3DDavid%2Bwebbox%26hl%3Den

Note: this may not go through but can be cut and pasted into the address bar of the browser.


Wasn't sure where to post this.

------------------
sea1_69@hotmail.com

homepage (http://www.seanweb1.homestead.com/3.html)




[This message has been edited by sea69 (edited 12-14-2001).]
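As an added example (not part of the original post and not anyone's tooling from the thread), the banner quoted above can be pulled apart mechanically. The code below is Python written for this thread; the sample banner mirrors the quoted one, and the Location value it carries (http://217.80.72.27/3/index.htm, the URL that appears later in the thread) is an assumption, since the quoted banner is cut off after "Location:". It also accepts the ".." that some log viewers print in place of CRLF, which is how the banner appears in the post.

```python
"""Parse the raw HTTP banner grabbed from a suspect host's port 80."""
import re

# Constructed banner in the shape of the one quoted in the thread. The
# Location value is an assumption; the original post cuts off after "Location:".
SAMPLE_BANNER = (
    "HTTP/1.0 302 Found\r\n"
    "Server: David-WebBox/6.60a(0286)\r\n"
    "Pragma: no cache\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 88\r\n"
    "Location: http://217.80.72.27/3/index.htm\r\n"
    "\r\n"
)


def normalize(raw):
    """Turn CRLF, LF, or the '..' some log viewers print for CRLF into LF."""
    text = raw.replace("\r\n", "\n")
    if "\n" not in text and ".." in text:
        text = text.replace("..", "\n")
    return text


def parse_http_banner(raw):
    """Return the status line fields plus a case-insensitive header map."""
    head, _, body = normalize(raw).partition("\n\n")
    lines = head.split("\n")
    m = re.match(r"^HTTP/(\d\.\d)\s+(\d{3})\s*(.*)$", lines[0].strip())
    if not m:
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"version": m.group(1), "status": int(m.group(2)),
            "reason": m.group(3), "headers": headers, "body": body}


def fingerprint(raw):
    """What a scanner records about the service: product banner, redirect target."""
    info = parse_http_banner(raw)
    is_redirect = 300 <= info["status"] < 400
    return {
        "server": info["headers"].get("server", "(no Server header)"),
        "redirect_to": info["headers"].get("location") if is_redirect else None,
        "declared_length": int(info["headers"].get("content-length", "0") or 0),
    }


if __name__ == "__main__":
    print(fingerprint(SAMPLE_BANNER))
```

The two things worth keeping from such a banner are the Server product string and the redirect target; neither says anything about the machine doing the scanning, which is the point the rest of the thread works out.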

Ghost_Hacker
12-14-2001, 01:45 PM
First, have you scanned your system to see what services are listening on open ports?

Second, is your IP address 141.157.93.114?

I see indications that you were scanned for possible trojans running on port 27374; however, I see no indication your computer was compromised. This
http://fusionhrd.homestead.com/files/1st.jpg

is a web site called "dreamwater free web space" which is running on port 80. Port 80 is used by the Executor trojan and a few others, which is what ZoneAlarm is saying. However, in this case port 80 is the destination port (i.e. the trojan would be running on the destination computer), not the source port.

sea69
12-14-2001, 02:11 PM
#1 you're just the person I hoped would respond to this.

> First, have you scanned your system to see what services are listening on open ports?

Didn't even think of it then, but right now netstat reports nothing.

> Second, is your IP address 141.157.93.114?

Yes it was. My IP is dynamic.

> I see indications that you were scanned for possible trojans running on port 27374; however, I see no indication your computer was compromised. This
> http://fusionhrd.homestead.com/files/1st.jpg
>
> is a web site called "dreamwater free web space" which is running on port 80.

The fusion hardware site is not the problem. That is one of my sites from which I am serving (actually Homestead is) the image that I wanted you to see.

> Port 80 is used by the Executor trojan and a few others, which is what ZoneAlarm is saying. However, in this case port 80 is the destination port (i.e. the trojan would be running on the destination computer), not the source port.

How does this change the illustration where it shows my IP as the server?

thanks GH



[This message has been edited by sea69 (edited 12-14-2001).]

Ghost_Hacker
12-14-2001, 02:32 PM
OK.... In my last post I was using your screen capture to say that "dreamwater" is running on the destination IP address displayed.

> How does this change the illustration where it shows my IP as the server?

That's where you lose me. If your IP was 141.157.93.114 and you are assigned an IP address whenever you connect, then I would expect any new addresses to be 141.*.*.*, not 217.*.*.* or 207.*.*.*, which are the other IP addresses displayed. Am I missing something? Maybe I'm not reading your "tools" correctly?

EDIT: Also download TCPVIEW (http://www.sysinternals.com/ntw2k/source/tcpview.shtml), which is better for looking at what ports are being used by your system.




[This message has been edited by Ghost_Hacker (edited 12-14-2001).]
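Ghost_Hacker makes two points across his replies: a port number in a firewall record only tells you what the remote side was after when it is the destination port of an inbound packet to your own address (a port 80 match on an outbound record is just a web request), and a probe is only worrying if something on your machine is actually listening on the probed port, which is what netstat or TCPView shows. The following is an added Python example written for this thread that checks both in one pass; it is not anyone's tooling from the thread. The log lines and the netstat output are constructed here, approximating ZoneAlarm's ZALog record layout and Windows `netstat -an` output rather than copied from anyone's real logs, and 198.51.100.7 is a placeholder address.

```python
"""Correlate blocked inbound probes with what is really listening locally."""
import re
from dataclasses import dataclass

# Default ports of the trojans named in the thread. Port 80 is listed only to
# show why matching it in an *outbound* record proves nothing.
TROJAN_PORTS = {
    27374: "Sub7",
    12345: "NetBus",
    31337: "Back Orifice",
    80: "Executor (shares the HTTP port)",
}

# Constructed sample, approximating ZoneAlarm's ZALog record layout:
#   FWIN|FWOUT, date, time, source ip:port, destination ip:port, protocol
# 217.80.72.27 is the address discussed in the thread; 198.51.100.7 is a
# placeholder for the web host the outbound request went to.
SAMPLE_FW_LOG = """\
FWIN,2001/12/14,12:29:51 -5:00 GMT,217.80.72.27:4321,141.157.93.114:27374,TCP (flags:S)
FWOUT,2001/12/14,12:30:10 -5:00 GMT,141.157.93.114:1047,198.51.100.7:80,TCP
FWIN,2001/12/14,12:31:02 -5:00 GMT,217.80.72.27:4322,141.157.93.114:12345,TCP (flags:S)
"""

# Constructed sample approximating Windows `netstat -an` output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    141.157.93.114:1047    198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


@dataclass(frozen=True)
class FwEvent:
    direction: str   # "FWIN" (blocked inbound) or "FWOUT" (blocked outbound)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


FW_RE = re.compile(r"^(FWIN|FWOUT),[^,]*,[^,]*,([\d.]+):(\d+),([\d.]+):(\d+),")
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+([\d.*]+):(\d+)\s+\S+(?:\s+(\w+))?\s*$")


def parse_fw_log(text):
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append(FwEvent(m.group(1), m.group(2), int(m.group(3)),
                                  m.group(4), int(m.group(5))))
    return events


def listening_ports(netstat_text):
    """TCP ports some local process is actually accepting connections on."""
    ports = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and m.group(1) == "TCP" and m.group(4) == "LISTENING":
            ports.add(int(m.group(3)))
    return ports


def triage(ev, local_ip, listening):
    """Return (verdict, explanation) for one blocked event."""
    if ev.direction == "FWIN" and ev.dst_ip == local_ip:
        # Only the destination port of an inbound packet says what the
        # remote side was looking for on *this* machine.
        name = TROJAN_PORTS.get(ev.dst_port)
        if name is None:
            return "inbound-other", f"{ev.src_ip} -> local port {ev.dst_port}"
        if ev.dst_port in listening:
            return "investigate", (f"{ev.src_ip} probed local port {ev.dst_port} ({name}) "
                                   "and a local process is LISTENING there")
        return "scan-only", (f"{ev.src_ip} probed local port {ev.dst_port} ({name}); "
                             "nothing listens there, so this was a scan, not a compromise")
    if ev.direction == "FWOUT" and ev.src_ip == local_ip:
        # Outbound: the remote port is the *server's* port. A trojan using that
        # number would have to be running on the remote host, not here.
        name = TROJAN_PORTS.get(ev.dst_port)
        note = f" ({name} also uses {ev.dst_port}, but on the remote side)" if name else ""
        return "outbound", f"local program -> {ev.dst_ip}:{ev.dst_port}{note}"
    return "unrelated", "does not involve the local address"


def triage_log(fw_text, netstat_text, local_ip):
    listening = listening_ports(netstat_text)
    return [triage(ev, local_ip, listening) for ev in parse_fw_log(fw_text)]


if __name__ == "__main__":
    for verdict, why in triage_log(SAMPLE_FW_LOG, SAMPLE_NETSTAT, "141.157.93.114"):
        print(f"{verdict:13} {why}")
```

On the constructed sample the Sub7 probe comes out as scan-only (nothing listens on 27374), the port 80 record comes out as an ordinary outbound web request, and the 12345 probe is the one to look at, because the constructed netstat shows a local listener on that port.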

sea69
12-14-2001, 02:50 PM
OK.

What I was trying to illustrate is that after noticing IE activity that should not have been occurring, I investigated.

By LOCKING ZoneAlarm I was told that IE was trying to go to the dreamwater site.

Actually, I could have left this out, as it has no real bearing on what I found out next.

While reviewing my ZoneAlyizer log I saw the TROJAN (green) entry.

three (http://fusionhrd.homestead.com/files/3rd.jpg)

Upon reviewing the details of this attempt, I traced the IP and went to the page it serves from port 80.

idiot (http://fusionhrd.homestead.com/files/idiot.jpg)

The page, as you can see, is saying "Created during user request".......

Now it has adapted to my changed/current IP number!!!!!
http://217.80.72.27/3/index.htm

Please explain that.

(Additionally, NeoTrace Pro says this IP is located in the middle of the Chesapeake Bay.)

lol

When you click the above link, does it say that it came from your IP address??

If so, then this could be a misread or false alarm on my part?

Too much *puff_puff*??

hehe


[This message has been edited by sea69 (edited 12-14-2001).]

Ghost_Hacker
12-14-2001, 03:33 PM
Here's the info I get on that IP address (217.80.72.27)
http://www.dshield.org/ipinfo.php?ip=217.80.72.27&Submit=Submit


When I go there I don't get a "created during user request" message nor any indication that it's coming from the Proxy IP address I use.


Here are the results of my trace (from an Italian VisualRoute server):
http://www.visualroute.it/vr.asp?go=217.80.72.27&submit=VisualRoute+Trace


Does any other web site do this? Do you have any sort of "caching" software or proxy? It sounds like IE or some software on your system is caching web pages......


[This message has been edited by Ghost_Hacker (edited 12-14-2001).]

sea69
12-14-2001, 03:44 PM
I use AdSubtract, but the IP changed (when mine did) to my new one.

Same thing with AdSubtract disabled.

?

Nice links, thanks.




Ghost_Hacker
12-14-2001, 03:46 PM
OK, found it. This "David" web server (it's really called "David the ultimate information server") does display the IP address of the person that comes to the site and says "created by...." at the bottom of the web page.


Examples:
http://www.google.com/search?q=%22created+during+user+request%22&hl=en&sa=N&tab=gw


EDIT: I believe that German site has been "hacked" and is being used to look for trojans.



[This message has been edited by Ghost_Hacker (edited 12-14-2001).]
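Ghost_Hacker's finding above is that the page footer names whoever requested the page, so every visitor sees their own address and can mistake it for the server's. The following is an added Python example written for this thread, a stand-in server rather than David's code; the footer wording is modelled on the thread, the page path is the one quoted earlier, and it runs entirely on the loopback interface.

```python
"""Stand-in for a web server that stamps the requesting address into the page."""
import re
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

FOOTER_RE = re.compile(r"Created during user request from ([\d.]+)")


def render_page(client_ip):
    """The body a visitor arriving from client_ip receives. The footer wording
    follows the thread; the page text itself is a placeholder."""
    return ("<html><body><p>(page content)</p>"
            f"<p><small>Created during user request from {client_ip}</small></p>"
            "</body></html>")


def footer_address(html):
    """The address the footer names: the visitor's, never the server's."""
    m = FOOTER_RE.search(html)
    return m.group(1) if m else None


class StampingHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # client_address is the peer of the TCP connection, i.e. the visitor.
        body = render_page(self.client_address[0]).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the example quiet


def fetch_via_loopback(path="/3/index.htm"):
    """Serve on an ephemeral loopback port, fetch one page as a client, stop."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), StampingHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    # No proxies: talk to the loopback server directly.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(f"http://127.0.0.1:{port}{path}", timeout=5) as resp:
            return resp.read().decode()
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Same server, two visitors, two different footers:
    print(footer_address(render_page("141.157.93.114")))
    print(footer_address(render_page("217.80.72.27")))
    # Live: the loopback client sees its own address in the footer.
    print(footer_address(fetch_via_loopback()))
```

Both footers come from the same server; only the requester changes. A screenshot of such a page showing the viewer's own address is therefore consistent with the site simply echoing its client, not with the viewer's machine serving the page.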

sea69
12-14-2001, 04:09 PM
hehe... OK

Thanks.

I knew something was going on...


