Re: [newbie] Trojan alert

2003-01-22 Thread Trevor Rhodes
Mark,

  From the way his log file read it sounds as though it's already too
 late and he should just do a reload.

What you saw of my logfile was from the DLink Router/Firewall.  Not one of 
those attempts got past the router.  This has been confirmed in several ways 
and from several sources.  Reload?  Hah, I say, HAH   :^)

-- 
Regards
Trevor Rhodes
===
Powered by Linux- Mandrake 9.0
Registered Linux user # 290542 at http://counter.li.org
Registered Machine #'s 186951, 
Source :  my 100 % Microsoft-free personal computer.
===



Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com



Re: [newbie] Trojan alert

2003-01-22 Thread Mark Weaver
Trevor Rhodes wrote:

Mark,



From the way his log file read it sounds as though it's already too
late and he should just do a reload.



What you saw of my logfile was from the DLink Router/Firewall.  Not one of 
those attempts got past the router.  This has been confirmed in several ways 
and from several sources.  Reload?  Hah, I say, HAH   :^)

it's good to hear nothing got through. sure does suck when that happens.

--
Mark
---
Paid for by Penguins against modern appliances(R)
Linux User Since 1996
Powered by Mandrake Linux 8.2 & 9.0
ICQ# 27816299






Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-21 Thread Ralph Slooten
On Tue, 21 Jan 2003 14:18:59 -0500
Mark Weaver [EMAIL PROTECTED] wrote:

 Hi Ralph,
 
 Thats a cool site. Actually the first time I'd ever seen it. However,
 I couldn't find where you signed up to become a member.
 
 -- 
 Mark


http://spamcop.net/anonsignup.shtml

This should be it. Please not you HAVE to use your real e-mail address
;-)

-- 
http://tuxpower.f2g.net/
http://axljab.homelinux.org:8080/

I have opinions of my own, strong opinions,
but I don't always agree with them. - George H. W. Bush





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-21 Thread Ralph Slooten
On Tue, 21 Jan 2003 13:53:00 -0500
Mark Weaver [EMAIL PROTECTED] wrote:

 Hey Ralph,
 
  From the way his log file read it sounds as though it's already too 
 late and he should just do a reload.
 
 -- 
 Mark

I'm not sure Mark, The logs are logging connection attempts, thus not
allowed, but if they maybe found an open one, I can't be sure.

Ralph
-- 
http://tuxpower.f2g.net/
http://axljab.homelinux.org:8080/

I have opinions of my own, strong opinions,
but I don't always agree with them. - George H. W. Bush





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-21 Thread Ralph Slooten
On Tue, 21 Jan 2003 21:47:48 +0100
Ralph Slooten [EMAIL PROTECTED] wrote:


 This should be it. Please not you HAVE to use your real e-mail address
 ;-)

Sorry, it should read: Please NOTE you HAVE to use your real e-mail
address


-- 
http://tuxpower.f2g.net/
http://axljab.homelinux.org:8080/

I have opinions of my own, strong opinions,
but I don't always agree with them. - George H. W. Bush





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-21 Thread Mark Weaver
Ralph Slooten wrote:

On Sat, 18 Jan 2003 18:37:53 -0500
Mark Weaver [EMAIL PROTECTED] wrote:



Ralph,

have you done the leg work in tracking these connections and reported
to the ISP they're coming from yet? That _should_ be the first place
to begin. If your theory is correct then the sooner they know about it
the better for all concerned all the way around.

--
Mark



Hi Mark

Yeah, I know the ISP and IP and times and ports and so on... I just
thought I would alert the list as I figured that the person is probably
on this list. Rather they clean their system than get a nasty letter
from their ISP, as I'm guessing this trojan is not intentional. But to get
back to the point, Stephen has just helped me out with the reports, now
to see if they respond to it (ISP).

Thanks
Ralph


lets hope that they do. the last thing any of us need is a trojan 
knocking at the door.

--
Mark
---
Paid for by Penguins against modern appliances(R)
Linux User Since 1996
Powered by Mandrake Linux 8.2 & 9.0





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-21 Thread Mark Weaver
Ralph Slooten wrote:

On Mon, 20 Jan 2003 01:10:19 +1100
Trevor Rhodes [EMAIL PROTECTED] wrote:



The following is a third of my logfile.  Is this not normal for you
folks?  Why do so many people get so worried when something shows up. 


Why? Well, just read what I added to almost all your submitted port
attacks. Sorry to say this, but this is ignorance. You are being probed
from all sides by trojans, and you don't realise it.



It did, it does and it always will while ever the Script Kiddies that
Stephen loves so much are around.



These aren't script-kiddies, but documented trojans, probably most are
from Windows, but like the one I had... Redhat Linux. It's not normal
for people to try ftp into you, or fetch mail from your server... but
look at the list of trojans... there are many for those 2 ports.



From my DI-704P Ethernet Broadband Router's Log:




port 137	= (UDP) - Bugbear, Msinit, Opaserv, Qaz
port 1433	= Voyager Alpha Force
port 1524	= Trinoo
port 21		= ADM worm, Back Construction, Blade Runner, BlueFire, Bmail,
		  Cattivik FTP Server, CC Invader, Dark FTP, Doly Trojan,
		  FreddyK, Invisible FTP, KWM, MscanWorm, NerTe, NokNok,
		  Pinochet, Ramen, Reverse Trojan, RTB 666, The Flu, WinCrash,
		  Voyager Alpha Force
port 22		= InCommand, Shaft, Skun
port 25		= Antigen, Barok, BSE, Email Password Sender , Gip, Laocoon,
		  Magic Horse, MBT , Moscow Email trojan, Nimda, Shtirlitz,
		  Stukach, Tapiras, WinPC
port 3128	= Reverse WWW Tunnel Backdoor , RingZero
port 3389	= nothing I can find
port 443	= Slapper
port 445	= Nimda
port 515	= MscanWorm, Ramen
port 6346	= nothing I can find, I believe it's the giFT port



Just thought I would let you know ;-) Let's just hope you have the
non-logged ports closed ;-)

Greetings
Ralph


Hey Ralph,

From the way his log file read it sounds as though it's already too 
late and he should just do a reload.

--
Mark
---
Paid for by Penguins against modern appliances(R)
Linux User Since 1996
Powered by Mandrake Linux 8.2 & 9.0





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-20 Thread Anne Wilson
On Monday 20 Jan 2003 2:11 am, Trevor Rhodes wrote:
 Then how would that equate to them telling me I had a score of 0 which is
 perfect?  Is my security better than perfect or they don't want my
 business. hehe

 Trust?  Who can I trust?  I'm liable to pick the wrong person.  Story of my
 life.

The only time I tried an on-line checker it kept telling me that it could see 
my IP, but the address returned was my router/firewall.  Nothing else was 
returned, so I stopped worrying.

Anne
-- 
Registered Linux User No.293302






Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-20 Thread Ralph Slooten
Not me. I know my mail is scanned automatically on the server for
viruses, but I always get a warning, so no, it's not coming through
this side. Are you sure it's the mailing-list that he's sending to?

Greetings
Ralph

On Tue, 21 Jan 2003 01:50:00 +1300
John Rye [EMAIL PROTECTED] wrote:

 
 While on the subject of trojans etc
 
 Is anyone else on this list getting repeat mailings from a user who
 appears to be using a node on 'cwpanama.net' ?
 
 This mail includes a variety of windows executables with .exe .scr and
 .pif extensions all of varying size.
 
 A check with a demo version of the RAV virus scanner for Linux says
 they're mostly Klez, Nimda and Yaha
 
 I've been getting up to 8 of these a day since mid December, despite
 several pleadings to the ISP to do something about it (And we all
 thought Cable & Wireless had some credibility!!)
 
 I'm not too concerned about them as they're filtered to the
 bit-bucket..
 
 Cheers
 
 John
 
 


-- 
http://tuxpower.f2g.net/
http://axljab.homelinux.org:8080/

I have opinions of my own, strong opinions,
but I don't always agree with them. - George H. W. Bush





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-20 Thread Stephen Kuhn
On Mon, 2003-01-20 at 23:50, John Rye wrote:
 While on the subject of trojans etc
 
 Is anyone else on this list getting repeat mailings from a user who
 appears to be using a node on 'cwpanama.net' ?
 
 This mail includes a variety of windows executables with .exe .scr and
 .pif extensions all of varying size.
 
 A check with a demo version of the RAV virus scanner for Linux says
 they're mostly Klez, Nimda and Yaha
 
 I've been getting up to 8 of these a day since mid December, despite
 several pleadings to the ISP to do something about it (And we all
 thought Cable & Wireless had some credibility!!)
 
 I'm not too concerned about them as they're filtered to the bit-bucket..
 
 Cheers
 
 John

Just make sure ya don't run 'em - cuz ya wouldn't want your nice clean
linux box to get infected with them thar things! (g)

-- 
Tue Jan 21 06:50:00 EST 2003
  6:50am  up 4 days, 16:33,  5 users,  load average: 0.20, 0.11, 0.13
--
|____  | kuhn media australia|
|   / ,, /| |'-.   | http://kma.0catch.com   |
|  .\__/ || |   |  |=|
|   _ /  `._ \|_|_.-'  | stephen kuhn|
|  | /  \__.`=._) (_   |  email: [EMAIL PROTECTED] |
|  |/ ._/  || |  email: [EMAIL PROTECTED]|
|  |'.  `\ | | |icq: 5483808 |
|  ;/ / | | | |
|  smk  ) /_/| |.---.| | mobile: 0410-728-389|
|  '  `-`'   | Berkeley, New South Wales, AU   |
--
 linux user:267497 * RH 8.0 * PC/Mac/Linux/Networking/Consulting
--

I'm wet!  I'm wild!





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-20 Thread Stephen Kuhn
On Mon, 2003-01-20 at 21:06, Anne Wilson wrote:
 On Monday 20 Jan 2003 2:11 am, Trevor Rhodes wrote:
  Then how would that equate to them telling me I had a score of 0 which is
  perfect?  Is my security better than perfect or they don't want my
  business. hehe
 
  Trust?  Who can I trust?  I'm liable to pick the wrong person.  Story of my
  life.
 
 The only time I tried an on-line checker it kept telling me that it could see 
 my IP, but the address returned was my router/firewall.  Nothing else was 
 returned, so I stopped worrying.
 
 Anne

I get really happy (or smug) when they can only tell me my OUTSIDE IP -
the one that is given by the DHCP server connected to the dialup
modem...and that it can't tell me anything else (not even my browser or
OS)...then you can at least sit back with some comfort...

-- 
Tue Jan 21 06:20:00 EST 2003
  6:20am  up 4 days, 16:03,  6 users,  load average: 0.46, 0.21, 0.20
--
|____  | kuhn media australia|
|   / ,, /| |'-.   | http://kma.0catch.com   |
|  .\__/ || |   |  |=|
|   _ /  `._ \|_|_.-'  | stephen kuhn|
|  | /  \__.`=._) (_   |  email: [EMAIL PROTECTED] |
|  |/ ._/  || |  email: [EMAIL PROTECTED]|
|  |'.  `\ | | |icq: 5483808 |
|  ;/ / | | | |
|  smk  ) /_/| |.---.| | mobile: 0410-728-389|
|  '  `-`'   | Berkeley, New South Wales, AU   |
--
 linux user:267497 * RH 8.0 * PC/Mac/Linux/Networking/Consulting
--

Deliberation, n.:
The act of examining one's bread to determine which side it is
buttered on.
-- Ambrose Bierce, The Devil's Dictionary





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-20 Thread John Rye
On Mon, 20 Jan 2003 16:50:56 +0100
Ralph Slooten [EMAIL PROTECTED] wrote:

 Not me. I know my mail is scanned automatically on the server for
 viruses, but I always get a warning, so no, it's not coming through
 this side. Are you sure it's the mailing-list that he's sending to?

I didn't think I'd inferred they were coming thru the list. :-) they're
not. This address is only used for maillist traffic, so it was a thought
that maybe others on this list were getting them too.

My ISP service doesn't do any scanning (says it's the enduser
responsibility!!), so I filter everything suspicious elsewhere and take
a wee peek now and then.

Just as a statistic I've received 170 of these things since 15 December,
87 from the same IP group.

I'm not very concerned as there's no chance they'll get executed - no
windows in this cabin!!

Cheers

John

 
 Greetings
 Ralph
 
 On Tue, 21 Jan 2003 01:50:00 +1300
 John Rye [EMAIL PROTECTED] wrote:
 
  
  While on the subject of trojans etc
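John filters the executable-carrying mails to the bit-bucket before they are ever opened. The script below is an added example of such a filter and is not code from the thread or from anyone on it. It uses only the Python standard library, builds its own sample message (the addresses and attachment bytes are placeholders constructed here), and blocks on the three extensions John saw (.exe, .scr, .pif). It also looks at the first two bytes of each attachment, so an executable renamed to a harmless-looking name is caught as well; that content check is an addition of this example, not something John described.

```python
"""Flag mail carrying Windows executables, the way a local mail filter would.

Added example, not code from the list thread.  The message is constructed
here with the standard library; addresses are placeholders.  Blocked suffixes
are the three John reported.  Looking at the payload as well as the name
catches an executable renamed to something harmless-looking.
"""
import email
import os
from email import policy
from email.message import EmailMessage

BLOCKED_SUFFIXES = {".exe", ".scr", ".pif"}
PE_MAGIC = b"MZ"  # first two bytes of every DOS/Windows executable


def build_sample():
    """Constructed message with four attachments; two are caught by name, one by content."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"       # placeholder
    msg["To"] = "list-only@example.org"      # placeholder
    msg["Subject"] = "a funny game"
    msg.set_content("have a look at this")
    msg.add_attachment(b"MZ\x90\x00fake program", maintype="application",
                       subtype="octet-stream", filename="Setup.EXE")
    msg.add_attachment(b"\xff\xd8\xff not really a jpeg", maintype="image",
                       subtype="jpeg", filename="holiday.jpg")
    msg.add_attachment(b"MZ\x90\x00fake screensaver", maintype="application",
                       subtype="octet-stream", filename="card.jpg.scr")
    msg.add_attachment(b"MZ\x90\x00renamed program", maintype="application",
                       subtype="octet-stream", filename="readme.txt")
    return msg.as_bytes()


def build_clean_sample():
    """Constructed plain-text message with no attachments at all."""
    msg = EmailMessage()
    msg["From"] = "friend@example.net"       # placeholder
    msg["To"] = "list-only@example.org"      # placeholder
    msg["Subject"] = "hello"
    msg.set_content("just text, nothing attached")
    return msg.as_bytes()


def dangerous_attachments(raw):
    """Return [(filename, reason)] for attachments that look like Windows executables."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        # Only the last suffix counts: "card.jpg.scr" is a screensaver, not a picture.
        suffix = os.path.splitext(name)[1].lower()
        body = part.get_payload(decode=True) or b""
        if suffix in BLOCKED_SUFFIXES:
            hits.append((name, "blocked extension " + suffix))
        elif body[:2] == PE_MAGIC:
            hits.append((name, "executable header under a harmless name"))
    return hits


def should_quarantine(raw):
    """True when the message should go to the bit-bucket instead of the inbox."""
    return bool(dangerous_attachments(raw))


if __name__ == "__main__":
    for name, reason in dangerous_attachments(build_sample()):
        print("%-14s %s" % (name, reason))
```

Hook `should_quarantine` into whatever delivers the mail (a procmail recipe or a script it calls) and the attachments never reach a mail client. The check is deliberately dumb: it does not try to identify Klez or Yaha, only to keep anything runnable on Windows out of the inbox, which is all John's setup needs.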





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-20 Thread Ralph Slooten
On Tue, 21 Jan 2003 09:59:58 +1300
John Rye [EMAIL PROTECTED] wrote:

 I didn't think I'd inferred they were coming thru the list. :-)
 they're not. This address is only used for maillist traffic, so it was
 a thought that maybe others on this list were getting them too.
 
 My ISP service doesn't do any scanning (says it's the enduser
 responsibility!!), so I filter everything suspicious elsewhere and
 take a wee peek now and then.
 
 Just as a statistic I've received 170 of these things since 15
 December, 87 from the same IP group.
 
 I'm not very concerned as there's no chance they'll get executed - no
 windows in this cabin!!
 
 Cheers
 
 John

Received one today ;-) How about that. Sorry, I thought you meant to the
mailing-list. Try a whois ip, and report it to their ISP,
explaining the quantity you are getting. I think that may help. This
person sending it to you probably doesn't even know it.

Greetings
Ralph
-- 
http://tuxpower.f2g.net/
http://axljab.homelinux.org:8080/

I have opinions of my own, strong opinions,
but I don't always agree with them. - George H. W. Bush





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-19 Thread John Richard Smith
Ralph Slooten wrote:


On Sat, 18 Jan 2003 18:37:53 -0500
Mark Weaver [EMAIL PROTECTED] wrote:

 

Ralph,

have you done the leg work in tracking these connections and reported
to the ISP they're coming from yet? That _should_ be the first place
to begin. If your theory is correct then the sooner they know about it
the better for all concerned all the way around.

--
Mark
   


Hi Mark

Yeah, I know the ISP and IP and times and ports and so on... I just
thought I would alert the list as I figured that the person is probably
on this list. Rather they clean their system than get a nasty letter
from their ISP, as I'm guessing this trojan is not intentional. But to get
back to the point, Stephen has just helped me out with the reports, now
to see if they respond to it (ISP).

Thanks
Ralph
 


 

OK, so this trojan ain't a UK one, how does one go about detecting it ?
John

--
John Richard Smith
[EMAIL PROTECTED] 






Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-19 Thread Stephen Kuhn
On Sun, 2003-01-19 at 20:05, John Richard Smith wrote:

 OK, so this trojan ain't a uk one, how does one go about detecting it ?
 John

Ralph's been using PortSentry on his box - the port under attack on
his box was 635 - and the Portsentry report clearly showed that the
infiltrator was an Aussie ISP based dial-up box...but it's under
control right now...(at least we hope).

Unless you're running a system that ain't been updated in over 2 years,
you have nothing to worry about.

-- 
Sun Jan 19 21:05:01 EST 2003
  9:05pm  up 3 days,  6:48,  4 users,  load average: 0.19, 0.34, 0.41
--
|____  | kuhn media australia|
|   / ,, /| |'-.   | http://kma.0catch.com   |
|  .\__/ || |   |  |=|
|   _ /  `._ \|_|_.-'  | stephen kuhn|
|  | /  \__.`=._) (_   |  email: [EMAIL PROTECTED] |
|  |/ ._/  || |  email: [EMAIL PROTECTED]|
|  |'.  `\ | | |icq: 5483808 |
|  ;/ / | | | |
|  smk  ) /_/| |.---.| | mobile: 0410-728-389|
|  '  `-`'   | Berkeley, New South Wales, AU   |
--
 linux user:267497 * RH 8.0 * PC/Mac/Linux/Networking/Consulting
--

The hardest part of climbing the ladder of success is getting through
the crowd at the bottom.





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-19 Thread Ralph Slooten
On 19 Jan 2003 10:51:14 +1100
Stephen Kuhn [EMAIL PROTECTED] wrote:

 I've already contacted the ISP locally here - on both of their
 available addresses. Tomorrow (being Monday for us) I'm going to be
 in their neighbourhood and will call, and if necessary, stop in with
 a printed report.
 
 I like this stuff. And I love the looks on their faces when ya go
 waltzing into their offices with print-outs in hand...(and a heavy
 yank accent to boot)

Hehe, you must get a kick out of this Stephen ;-) But thanks again for
all the effort. Just to let you know I got another attack about 3
hours ago 61.68.96.127 (I was still sleeping), from the same
connect.com.au, so it seems like it's really a once_a_day thing. I just
can't work out what the connection is to my computer from this one. I
mean maybe this person is trying every day to access my site, but thinks
it's offline or something, I really don't know. Maybe the server that's
infected has me in its hosts file, or whatever, but it sucks. I cannot
imagine I'm the only one, and so this is a wise move as no one has
replied to the initial post yet with it may be me, or I suspect it
may be my provider, or sorry, problem discovered, thanks for the
warning.

I don't know of course for sure if they are on this list, and scanning
through all my archived mail for an IP-range isn't my amusement for
sundays or any day for that matter ;-) I just took an intelligent guess.

Greetings
Ralph
-- 
http://tuxpower.f2g.net/
http://axljab.homelinux.org:8080/

I have opinions of my own, strong opinions,
but I don't always agree with them. - George H. W. Bush





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-19 Thread H.J.Bathoorn
On Sunday 19 January 2003 13:24, Ralph Slooten wrote:

 I don't know of course for sure if they are on this list, and scanning
 through all my archived mail for an IP-range isn't my amusement for
 sundays or any day for that matter ;-) I just took an intelligent guess.

 Greetings
 Ralph

I just checked my SmoothWall stats, can't find any extraordinary activity 
there lately. Not like you're getting, anyway.

That should get the lists off the hook=:o)

Good hunting,
Harm






Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-19 Thread Ralph Slooten
On Sun, 19 Jan 2003 14:37:46 +
H.J.Bathoorn [EMAIL PROTECTED] wrote:

 I just checked my SmoothWall stats, can't find any extraordinary
 activity there lately. Not like you're getting, anyway.
 
 That should get the lists off the hook=:o)
 
 Good hunting,
 Harm

No connection attempts on port 635 at all?


-- 
http://tuxpower.f2g.net/
http://axljab.homelinux.org:8080/

I have opinions of my own, strong opinions,
but I don't always agree with them. - George H. W. Bush





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-19 Thread Trevor Rhodes
On Monday 20 Jan 2003 12:51 am, Ralph Slooten wrote:
 On Sun, 19 Jan 2003 14:37:46 +

 H.J.Bathoorn [EMAIL PROTECTED] wrote:
  I just checked my SmoothWall stats, can't find any extraordinary
  activity there lately. Not like you're getting, anyway.
 
  That should get the lists off the hook=:o)
 
  Good hunting,
  Harm

 No connection attempts on port 635 at all?

The following is a third of my logfile.  Is this not normal for you folks?  
Why do so many people get so worried when something shows up.  It did, it 
does and it always will while ever the Script Kiddies that Stephen loves so 
much are around.

From my DI-704P Ethernet Broadband Router's Log:

Unrecognized access from 80.146.74.8:1127 to TCP port 57
Unrecognized access from 218.4.51.58:13074 to TCP port 3389
Unrecognized access from 80.13.171.78:1026 to UDP port 137
Unrecognized access from 218.11.116.46:4672 to TCP port 1433
Unrecognized access from 80.116.250.226:64335 to TCP port 22
Unrecognized access from 217.235.138.222:3256 to TCP port 21
Unrecognized access from 207.193.206.164:1026 to UDP port 137
Unrecognized access from 66.238.217.59:24201 to TCP port 3128
Unrecognized access from 64.24.64.125:1026 to UDP port 137
Unrecognized access from 200.24.201.168:4641 to TCP port 515
Unrecognized access from 24.198.51.206:1031 to UDP port 137
Unrecognized access from 203.94.234.230:1028 to UDP port 137
Unrecognized access from 80.232.218.191:1124 to UDP port 137
Unrecognized access from 202.100.212.197:3741 to TCP port 3389
Unrecognized access from 202.100.212.197:3741 to TCP port 3389
Unrecognized access from 68.21.38.181:33383 to TCP port 6346
Unrecognized access from 68.21.38.181:33383 to TCP port 6346
Unrecognized access from 68.21.38.181:33383 to TCP port 6346
Unrecognized access from 66.98.48.119:1031 to UDP port 137
Unrecognized access from 151.202.83.52:1026 to UDP port 137
Unrecognized access from 217.1.174.83:1033 to UDP port 137
Unrecognized access from 202.108.191.98:62551 to TCP port 25
Unrecognized access from 202.108.191.98:62551 to TCP port 25
Unrecognized access from 202.108.191.98:62551 to TCP port 25
Unrecognized access from 196.39.52.51:1025 to UDP port 137
Unrecognized access from 139.130.37.105:2601 to TCP port 1433
Unrecognized access from 200.193.64.88:65000 to UDP port 137
Unrecognized access from 211.184.11.1:4889 to TCP port 22
Unrecognized access from 80.247.76.57:1524 to TCP port 1524
Unrecognized access from 203.107.170.214:1027 to UDP port 137
Unrecognized access from 217.131.65.88:1050 to UDP port 137
Unrecognized access from 62.83.7.110:1025 to UDP port 137
Unrecognized access from 64.2.39.186:3394 to TCP port 445
Unrecognized access from 64.2.39.186:3394 to TCP port 445
Unrecognized access from 64.2.39.186:3394 to TCP port 445
Unrecognized access from 148.231.67.21:1433 to TCP port 443
Unrecognized access from 163.247.40.9:1524 to TCP port 1524
Unrecognized access from 24.129.151.39:1040 to UDP port 137
Unrecognized access from 202.91.160.249:1028 to UDP port 137
Unrecognized access from 81.217.34.91:1026 to UDP port 137
Unrecognized access from 200.153.224.83:1131 to UDP port 137
Unrecognized access from 66.131.76.60:1029 to UDP port 137
Unrecognized access from 80.146.74.8:1127 to TCP port 57

-- 
Regards
Trevor Rhodes
===
Powered by Linux- Mandrake 9.0
Registered Linux user # 290542 at http://counter.li.org
Registered Machine #'s 186951, 
Source :  my 100 % Microsoft-free personal computer.
===






Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-19 Thread Ralph Slooten
On Mon, 20 Jan 2003 01:10:19 +1100
Trevor Rhodes [EMAIL PROTECTED] wrote:

 The following is a third of my logfile.  Is this not normal for you
 folks?  Why do so many people get so worried when something shows up. 

Why? Well, just read what I added to almost all your submitted port
attacks. Sorry to say this, but this is ignorance. You are being probed
from all sides by trojans, and you don't realise it.

 It did, it does and it always will while ever the Script Kiddies that
 Stephen loves so much are around.

These aren't script-kiddies, but documented trojans, probably most are
from Windows, but like the one I had... Redhat Linux. It's not normal
for people to try ftp into you, or fetch mail from your server... but
look at the list of trojans... there are many for those 2 ports.

 From my DI-704P Ethernet Broadband Router's Log:


port 137= (UDP) - Bugbear, Msinit, Opaserv, Qaz
port 1433   = Voyager Alpha Force
port 1524   = Trinoo
port 21 = ADM worm, Back Construction, Blade Runner, BlueFire, Bmail,
  Cattivik FTP Server, CC Invader, Dark FTP, Doly Trojan,
  FreddyK, Invisible FTP, KWM, MscanWorm, NerTe, NokNok,
  Pinochet, Ramen, Reverse Trojan, RTB 666, The Flu, WinCrash,
  Voyager Alpha Force
port 22 = InCommand, Shaft, Skun
port 25 = Antigen, Barok, BSE, Email Password Sender , Gip, Laocoon,
  Magic Horse, MBT , Moscow Email trojan, Nimda, Shtirlitz,
  Stukach, Tapiras, WinPC
port 3128   = Reverse WWW Tunnel Backdoor , RingZero
port 3389   = nothing I can find
port 443= Slapper
port 445= Nimda
port 515= MscanWorm, Ramen
port 6346   = nothing I can find, I believe it's the giFT port



Just thought I would let you know ;-) Let's just hope you have the
non-logged ports closed ;-)

Greetings
Ralph
-- 
http://tuxpower.f2g.net/
http://axljab.homelinux.org:8080/

I have opinions of my own, strong opinions,
but I don't always agree with them. - George H. W. Bush
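Trevor pasted a third of his DI-704P log and Ralph annotated each port by hand with the names known to scan it. The script below does that annotation mechanically and is an added example, not code from the thread or from either of them. It parses lines in the exact "Unrecognized access from A.B.C.D:sport to TCP/UDP port N" format the router writes, keeps Ralph's port table as a lookup, folds repeated identical lines (the three 445 entries from one source port are the same dropped SYN being retried, not three probes) and groups what is left by source address, which is the form one needs for a whois and an abuse report. The sample log lines are constructed for the example using RFC 5737 documentation addresses; the only thing taken from the thread is the port table and the line format. A hit in the table says what is known to scan that port; it does not say the source host is infected with it.

```python
"""Classify D-Link DI-704P "Unrecognized access" log lines by destination port.

Added example, not code from the list thread.  The port table is the one
Ralph posted in reply to Trevor; the sample lines are constructed here
(RFC 5737 addresses) in the format Trevor's router writes.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"Unrecognized access from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"to (?P<proto>TCP|UDP) port (?P<dport>\d+)"
)

# (protocol, destination port) -> names Ralph listed for that port.
KNOWN_PROBES = {
    ("UDP", 137): ["Bugbear", "Msinit", "Opaserv", "Qaz"],
    ("TCP", 21): ["ADM worm", "Back Construction", "Blade Runner", "BlueFire",
                  "Bmail", "Cattivik FTP Server", "CC Invader", "Dark FTP",
                  "Doly Trojan", "FreddyK", "Invisible FTP", "KWM", "MscanWorm",
                  "NerTe", "NokNok", "Pinochet", "Ramen", "Reverse Trojan",
                  "RTB 666", "The Flu", "WinCrash", "Voyager Alpha Force"],
    ("TCP", 22): ["InCommand", "Shaft", "Skun"],
    ("TCP", 25): ["Antigen", "Barok", "BSE", "Email Password Sender", "Gip",
                  "Laocoon", "Magic Horse", "MBT", "Moscow Email trojan",
                  "Nimda", "Shtirlitz", "Stukach", "Tapiras", "WinPC"],
    ("TCP", 443): ["Slapper"],
    ("TCP", 445): ["Nimda"],
    ("TCP", 515): ["MscanWorm", "Ramen"],
    ("TCP", 1433): ["Voyager Alpha Force"],
    ("TCP", 1524): ["Trinoo"],
    ("TCP", 3128): ["Reverse WWW Tunnel Backdoor", "RingZero"],
}

# Constructed sample; the three identical 445 lines mimic Trevor's log.
SAMPLE_LOG = """\
Unrecognized access from 203.0.113.8:1127 to TCP port 57
Unrecognized access from 198.51.100.46:4672 to TCP port 1433
Unrecognized access from 203.0.113.78:1026 to UDP port 137
Unrecognized access from 192.0.2.186:3394 to TCP port 445
Unrecognized access from 192.0.2.186:3394 to TCP port 445
Unrecognized access from 192.0.2.186:3394 to TCP port 445
Unrecognized access from 198.51.100.197:3741 to TCP port 3389
Unrecognized access from 203.0.113.78:1027 to UDP port 137
this line is not in the router's format
"""


def parse_line(line):
    """Return {src, sport, proto, dport} for one router log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "sport": int(m["sport"]),
            "proto": m["proto"], "dport": int(m["dport"])}


def label(proto, dport):
    """Names from the thread's table for this port, or None if it has no entry."""
    return KNOWN_PROBES.get((proto, dport))


def analyze(text):
    """Distinct probes per port and per source; repeats of one 4-tuple are
    the same dropped packet being retransmitted and are folded together."""
    seen = set()
    by_port = Counter()
    by_source = defaultdict(set)
    retries = unparsed = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                unparsed += 1
            continue
        key = (rec["src"], rec["sport"], rec["proto"], rec["dport"])
        if key in seen:
            retries += 1
            continue
        seen.add(key)
        by_port[(rec["proto"], rec["dport"])] += 1
        by_source[rec["src"]].add((rec["proto"], rec["dport"]))
    return {"by_port": by_port, "by_source": dict(by_source),
            "retries": retries, "unparsed": unparsed}


def report(text):
    """Summary with the busiest ports first, each tagged from the table."""
    r = analyze(text)
    out = []
    for (proto, dport), n in r["by_port"].most_common():
        names = label(proto, dport)
        out.append("%s %5d: %d probe(s)  [%s]" % (
            proto, dport, n, ", ".join(names) if names else "no entry in table"))
    out.append("retransmits folded: %d, unparsed lines: %d"
               % (r["retries"], r["unparsed"]))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a saved copy of the router log instead of `SAMPLE_LOG` and the `by_source` map gives one entry per address to look up with whois. Ports 57, 3389 and 6346 come back as "no entry in table", matching Ralph's "nothing I can find", and the retransmit count keeps a single retried SYN from being reported as a burst.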





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-19 Thread g




Ralph Slooten wrote:

 sundays or any day for that matter ;-) I just took an intelligent guess.

s.w.a.g.



peace out.

tc,hago.

g
.
--
 think green...
save a tree, save a life, save time, save bandwidth, save storage.
  send email...   text/plain - disable pgp/gpg/geek code
=+=
 if you are proud to be an american, then buy made in america.






Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-19 Thread Anne Wilson
On Sunday 19 Jan 2003 1:24 pm, Ralph Slooten wrote:
 I don't know of course for sure if they are on this list, and scanning
 through all my archived mail for an IP-range isn't my amusement for
 sundays or any day for that matter ;-) I just took an intelligent guess.

I just wonder if someone is trawling this list.  I've had quite a bit of spam 
over the past 2 days, and I don't usually have that problem.

Anne
-- 
Registered Linux User No.293302






Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-19 Thread Anne Wilson
On Sunday 19 Jan 2003 4:33 pm, Ralph Slooten wrote:
 On Sun, 19 Jan 2003 16:10:29 +

 Anne Wilson [EMAIL PROTECTED] wrote:
  No, not that one.  A couple of selling ones, and one saying something
  like 'I found that site at last' - the sort of thing that always makes
  me suspicious.  I just deleted the sales ones, but took a quick google
  to see if there were reports of that address spawning viruses etc..
  It turned out to be a porn site I think, from the two-liner that
  google gave me.
 
  Anne

 Anne, please sign up to spamcop.net and report your spams through them.
 All you have to do is sign up with your e-mail address, and paste the
 full spam (including headers) into a text-box, and it'll search for the
 actual source (where the e-mail originated) and send spam reports to
 their ISP's

Guess I should do.  As long as I don't get many I generally just delete them.  
After all, despite what the media tell us, the internet doesn't *force* you 
to be stupid, it just invites you ;)

Anne
-- 
Registered Linux User No.293302






Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-19 Thread H.J.Bathoorn
On Sunday 19 January 2003 13:51, Ralph Slooten wrote:
 On Sun, 19 Jan 2003 14:37:46 +

 H.J.Bathoorn [EMAIL PROTECTED] wrote:
  I just checked my SmoothWall stats, can't find any extraordinary
  activity there lately. Not like you're getting, anyway.
 
  That should get the lists off the hook=:o)
 
  Good hunting,
  Harm

 No connection attempts on port 635 at all?

No none that I can find in my logs.
Just checked again.
HarM






Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-19 Thread Greg
Hi everyone. I use this email address just for this list and have never had any spam.
I think the spam you are getting came from somewhere else. Hope this helps. Greg

Anne Wilson [EMAIL PROTECTED] wrote:


On Sunday 19 Jan 2003 4:33 pm, Ralph Slooten wrote:
 On Sun, 19 Jan 2003 16:10:29 +

 Anne Wilson [EMAIL PROTECTED] wrote:
  No, not that one.  A couple of selling ones, and one saying something
  like 'I found that site at last' - the sort of thing that always makes
  me suspicious.  I just deleted the sales ones, but took a quick google
  to see if there were reports of that address spawning viruses etc..
  It turned out to be a porn site I think, from the two-liner that
  google gave me.

 
  Anne

 Anne, please sign up to spamcop.net and report your spams through them.
 All you have to do is sign up with your e-mail address, and paste the
 full spam (including headers) into a text-box, and it'll search for the
 actual source (where the e-mail originated) and send spam reports to
 their ISP's

Guess I should do.  As long as I don't get many I generally just delete them.
After all, despite what the media tell us, the internet doesn't *force* you
to be stupid, it just invites you ;)

Anne
--
Registered Linux User No.293302





-- 
Linux   The Number one Os







Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-19 Thread Anne Wilson
On Sunday 19 Jan 2003 7:49 pm, Greg wrote:
 Hi everyone. I use this email address just for this list and have never
 had any spam. I think the spam you are getting came from somewhere else.
 Hope this helps. Greg

 Anne Wilson [EMAIL PROTECTED] wrote:
 On Sunday 19 Jan 2003 4:33 pm, Ralph Slooten wrote:
  On Sun, 19 Jan 2003 16:10:29 +
 
  Anne Wilson [EMAIL PROTECTED] wrote:
   No, not that one.  A couple of selling ones, and one saying something
   like 'I found that site at last' - the sort of thing that always makes
   me suspicious.  I just deleted the sales ones, but took a quick google
   to see if there were reports of that address spawning viruses etc..
   It turned out to be a porn site I think, from the two-liner that
   google gave me.
  
  
   Anne
 
  Anne, please sign up to spamcop.net and report your spams through them.
  All you have to do is sign up with your e-mail address, and paste the
  full spam (including headers) into a text-box, and it'll search for the
  actual source (where the e-mail originated) and send spam reports to
  their ISP's
 
 Guess I should do.  As long as I don't get many I generally just delete
  them. After all, despite what the media tell us, the internet doesn't
  *force* you to be stupid, it just invites you ;)

You could be right, of course, but I don't leave my address in many places 
where I would expect to see problems.  I tend to avoid posting to usenet, 
these days, for example, purely because they brought too much spam.

Anne
-- 
Registered Linux User No.293302






Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-19 Thread H.J.Bathoorn
On Sunday 19 January 2003 19:49, Greg wrote:
 Hi everyone   I use this email address just for this list and have never
 had any spam  I think the spam you are getting came from somewhere else
  Hope this helps  Greg


I tend to agree there.
Spam and probes apparently come in waves.

A month back I had quite a bit of spam trouble and half a year back a lot of 
probes from Korean IPs.

Lately it's been quiet (knock wood) and I don't mind a bit=:o)
 Good Luck,
HarM







Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-19 Thread Trevor Rhodes

  The following is a third of my logfile.  Is this not normal for you
  folks?  Why do so many people get so worried when something shows up.

 Why? well just read what I added to almost all your submitted port
 attacks. Sorry to say this, but this is ignorance. You are being probed
 from all sides by trojans, and you don't realise it.

I asked if it was normal and I asked why people get so worried. What I meant 
by the second part that I probably didn't explain as well as I could have was 
why people worry so much if they have their firewalls setup to block those 
ports.  Asking the question I asked in itself implies that I don't know 
something and I'm trying to find out.  Whether or not you are a newbie to 
linux like myself or an expert I don't know. From the information you gave me 
I'd expect you are someone quite knowledgeable about linux. If this is true, 
then help me by all means, but it would brighten my day no end if you would 
desist with the use of the word 'ignorance'.

 These aren't script-kiddies, but documented trojans, probably most are
 from Windows, but like the one I had... Redhat Linux. It's not normal
 for people to try ftp into you, or fetch mail from your server... but
 look at the list of trojans... there are many for those 2 ports.

With the firewall setup and blocking those ports (I certainly hope it is) 
aren't I just getting a logfile full of attempted probes?

  From my DI-704P Ethernet Broadband Router's log:
 port 137  = (UDP) - Bugbear, Msinit, Opaserv, Qaz
 port 1433 = Voyager Alpha Force
 port 1524 = Trinoo
 port 21   = ADM worm, Back Construction, Blade Runner, BlueFire, Bmail, Cattivik FTP Server, CC Invader, Dark FTP, Doly Trojan, FreddyK, Invisible FTP, KWM, MscanWorm, NerTe, NokNok, Pinochet, Ramen, Reverse Trojan, RTB 666, The Flu, WinCrash, Voyager Alpha Force
 port 22   = InCommand, Shaft, Skun
 port 25   = Antigen, Barok, BSE, Email Password Sender, Gip, Laocoon, Magic Horse, MBT, Moscow Email trojan, Nimda, Shtirlitz, Stukach, Tapiras, WinPC
 port 3128 = Reverse WWW Tunnel Backdoor, RingZero
 port 3389 = nothing I can find
 port 443  = Slapper
 port 445  = Nimda
 port 515  = MscanWorm, Ramen
 port 6346 = nothing I can find, I believe it's the giFT port
 Just thought I would let you know ;-) Let's just hope you have the
 non-logged ports closed ;-)

I know I'm about to open up a can of worms here, but can we not let it get out 
of control people.  Ok, here goes.  Is there a 'decent' online security site 
that could check my ports?  Properly?

-- 
Regards
Trevor Rhodes
===
Powered by Linux- Mandrake 9.0
Registered Linux user # 290542 at http://counter.li.org
Registered Machine #'s 186951, 
Source :  my 100 % Microsoft-free personal computer.
===






Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-19 Thread H.J.Bathoorn
On Sunday 19 January 2003 21:18, Trevor Rhodes wrote:
 I know I'm about to open up a can of worms here, but can we not let it get
 out of control people.  Ok, here goes.  Is there a 'decent' online security
 site that could check my ports?  Properly?

Why not do it yourself using nmap(fe) or let somebody you trust do it?

Most of those sites would scare me s**tless if I'd have had a Winders-box. If 
you like FUD at its best just dive in there=:o)

Good Luck,
HarM






Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-19 Thread Trevor Rhodes
HarM,

 Why not do it yourself using nmap(fe) or let somebody you trust do it?

Caus'n I wouldn't know what the hell I was doin!!!   :^)  Could you explain 
nmap(fe) for me?  Where? What? etc.

 Most of those sites would scare me s**tless if I'd have had a Winders-box.
 If you like FUD at its best just dive in there=:o)

Would I be right in assuming that you think they would make out things are 
worse than they actually are, just to get me to buy their product?  :^)

Then how would that equate to them telling me I had a score of 0 which is 
perfect?  Is my security better than perfect or they don't want my business.  
hehe

Trust?  Who can I trust?  I'm liable to pick the wrong person.  Story of my 
life.

-- 
Regards
Trevor Rhodes
===
Powered by Linux- Mandrake 9.0
Registered Linux user # 290542 at http://counter.li.org
Registered Machine #'s 186951, 
Source :  my 100 % Microsoft-free personal computer.
===






[newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-18 Thread Ralph Slooten
Hiya all again,

My webserver is running portsentry, and has, on a daily basis been
blocking and banning all connection attempts from an Australian IP,
running on the connect.com.au network.

-= Reason for the block =-
Port-scanning on port 635

-= What is the relevance of Port 635 =-
Name: ADM worm
Aliases: ADM Inet w0rm, Linux.ADM.Worm
Ports: 21, 23, 37, 53, 70, 79, 109, 110, 111, 113, 143, 513, 514, 635, 31337
Files: Admw0rm-v1.tar.gz - 7,427 bytes, Admw0rm.tgz - Admw0rm - 1,725 bytes, Gimmeip - 545 bytes, Gimmerand.c - 314 bytes, Incremental - 765 bytes, Named_admv2.c - 5,892 bytes, Remotecmd.c - 4,098 bytes, Scanconnect.c - 1,483 bytes, Startup - 670 bytes, Testvuln.c - 4,299 bytes
Created: May 1998
Requires:
Actions: Worm / Rootkit / Backdoor
Registers:
Notes: Works on Unix (Linux). Affects Linux RedHat 4.0 to 5.2


I'm presuming this is a dial-up system, as there aren't too many Linux
systems running those old versions of Redhat, but it may be someone's
server or something. My guess is that it's someone on this list trying
to access my webserver http://axljab.homelinux.org:8080/ on a daily
basis, as it's some coincidence that I get 1 block every day from the
same network.

IP: Well, there is no real point in publicising the IP, as every day
it's different (hence the dial-up theory), but in total about 75% of all
my blocks / bans come from the connect.com.au network.

It doesn't bother me, but it may be bothering you as I'm sure my server
won't be the only one blocking/banning all connections from you, so the
better option is to find and get rid of this problem.

Please, if any of you are on this network, and suspect you may be
infected, or are just worried if it's you, contact me (privately), and
we can see if we can find a solution for this.

As to the security breach of this trojan, I'm not sure. But it's not
good anyway, considering it's a trojan ;-)

Look, I may be wrong, as it may be the ISP itself, but before I alert
them, I think you guys concerned should maybe have a browse around and
check it ain't you.


Thanks
Ralph
-- 
http://tuxpower.f2g.net/
http://axljab.homelinux.org:8080/

I have opinions of my own, strong opinions,
but I don't always agree with them. - George H. W. Bush





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-18 Thread Stephen Kuhn
On Sun, 2003-01-19 at 03:34, Ralph Slooten wrote:
 Hiya all again,
 
 My webserver is running portsentry, and has, on a daily basis been
 blocking and banning all connection attempts from an Australian IP,
 running on the connect.com.au network.
 

Ha! It ain't me! (g)

 -= Reason for the block =-
 Port-scanning on port 635
 
 -= What is the relevance of Port 635 =-
 Name: ADM worm
 Aliases: ADM Inet w0rm, Linux.ADM.Worm
 Ports: 21, 23, 37, 53, 70, 79, 109, 110, 111, 113, 143, 513, 514, 635, 31337
 Files: Admw0rm-v1.tar.gz - 7,427 bytes, Admw0rm.tgz - Admw0rm - 1,725 bytes, Gimmeip - 545 bytes, Gimmerand.c - 314 bytes, Incremental - 765 bytes, Named_admv2.c - 5,892 bytes, Remotecmd.c - 4,098 bytes, Scanconnect.c - 1,483 bytes, Startup - 670 bytes, Testvuln.c - 4,299 bytes
 Created: May 1998
 Requires:
 Actions: Worm / Rootkit / Backdoor
 Registers:
 Notes: Works on Unix (Linux). Affects Linux RedHat 4.0 to 5.2
 

Whoever is running RH 4 - 5.2 surely ain't done any of the security
updates/upgrades...

 
 I'm presuming this is a dial-up system, as there aren't too many Linux
 systems running those old versions of Redhat, but it may be someone's
 server or something. My guess is that it's someone on this list trying
 to access my webserver http://axljab.homelinux.org:8080/ on a daily
 basis, as it's some coincidence that I get 1 block every day from the
 same network.
 

After looking at http://www.connect.com.au, I'd reckon this person is on
a dial up as well - because if they were using ADSL, they'd have a
helluva time getting RH 4 - 5.2 to work on it...

 IP: Well, there is no real point in publicising the IP, as every day
 it's different (hence the dial-up theory), but in total about 75% of all
 my blocks / bans come from the connect.com.au network.
 
 It doesn't bother me, but it may be bothering you as I'm sure my server
 won't be the only one blocking/banning all connections from you, so the
 better option is to find and get rid of this problem.
 

Mate, have you considered reporting the IP to administration at
Connect.com.au? Because being that this is against their Acceptable
User Policy, whoever the culprit is would be sent a nasty email from
them stating that there's a problem on their machine...ya reckon?

 Please, if any of you are on this network, and suspect you may be
 infected, or are just worried if it's you, contact me (privately), and
 we can see if we can find a solution for this.
 
 As to the security breach of this trojan, I'm not sure. But it's not
 good anyway, considering it's a trojan ;-)
 

All trojans are bad - and this is how ancient bugs are kept alive to
this day. This affects the entire online community and community members
should do their best to alert the culprit in a nice manner...

 Look, I may be wrong, as it may be the ISP itself, but before I alert
 them, I think you guys concerned should maybe have a browse around and
 check it ain't you.
 

Mate, if YOU don't want to alert them, I'll be more than happy to both
write them and call them (they're in my state - even though they're a
sad ISP - but gives me someone to yell at)...ha!


-- 
Sun Jan 19 07:15:01 EST 2003
  7:15am  up 2 days, 16:58,  4 users,  load average: 0.10, 0.21, 0.18
--
|____  | kuhn media australia|
|   / ,, /| |'-.   | http://kma.0catch.com   |
|  .\__/ || |   |  |=|
|   _ /  `._ \|_|_.-'  | stephen kuhn|
|  | /  \__.`=._) (_   |  email: [EMAIL PROTECTED] |
|  |/ ._/  || |  email: [EMAIL PROTECTED]|
|  |'.  `\ | | |icq: 5483808 |
|  ;/ / | | | |
|  smk  ) /_/| |.---.| | mobile: 0410-728-389|
|  '  `-`'   | Berkeley, New South Wales, AU   |
--
 linux user:267497 * RH 8.0 * PC/Mac/Linux/Networking/Consulting
--

I have no doubt that it is a part of the destiny of the human race, 
in its gradual improvement, to leave off eating animals.
-- Thoreau





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-18 Thread Ralph Slooten
On 19 Jan 2003 07:24:00 +1100
Stephen Kuhn [EMAIL PROTECTED] wrote:

 Mate, if YOU don't want to alert them, I'll be more than happy to both
 write them and call them (they're in my state - even though they're a
 sad ISP - but gives me someone to yell at)...ha!

Thanks dude,

Sent you the reports privately (shame, it seems that they don't have a
good name already hehehe). Any help would be great ;-)

Ralph
-- 
http://tuxpower.f2g.net/
http://axljab.homelinux.org:8080/

I have opinions of my own, strong opinions,
but I don't always agree with them. - George H. W. Bush





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-18 Thread Stephen Kuhn
On Sun, 2003-01-19 at 07:55, Ralph Slooten wrote:
 On 19 Jan 2003 07:24:00 +1100
 Stephen Kuhn [EMAIL PROTECTED] wrote:
 
  Mate, if YOU don't want to alert them, I'll be more than happy to both
  write them and call them (they're in my state - even though they're a
  sad ISP - but gives me someone to yell at)...ha!
 
 Thanks dude,
 
 Sent you the reports privately (shame, it seems that they don't have a
 good name already hehehe). Any help would be great ;-)
 
 Ralph

Mate, there are a few things I like to pitch a bitch about;

1.) Spending too much money
2.) Hacks/Viruses/Trojans
3.) Giving money to the US
4.) Script Kiddies and Wanna-be-hackers
5.) Whinging POM's or Whinging Yanks
6.) GWB's Politics
7.) Whinging POM's or Whinging Yanks
8.) Spending too much money
9.) Badly written programs and drivers (or support for either)
10.) How to raise kids properly

Being that this falls within my fave realm of Bitch Pitching, I'll
find enjoyment in seeking a resolution to the issue.

For any POM's and Yanks that have a whinge, > /dev/null

(g)

-- 
Sun Jan 19 07:55:00 EST 2003
  7:55am  up 2 days, 17:38,  4 users,  load average: 0.20, 0.30, 0.25

The SAME WAVE keeps coming in and COLLAPSING like a rayon MUU-MUU ...





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-18 Thread Jason Guidry
On Sat, 2003-01-18 at 15:03, Stephen Kuhn wrote:

 For any POM's and Yanks that have a whinge, > /dev/null

I think I speak for all the Americans on the list when I say...HUH???


-- 
Jason Guidry [EMAIL PROTECTED]






Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-18 Thread Stephen Kuhn
On Sun, 2003-01-19 at 09:51, Jason Guidry wrote:
 On Sat, 2003-01-18 at 15:03, Stephen Kuhn wrote:
 
  For any POM's and Yanks that have a whinge, > /dev/null
 
 I think I speak for all the Americans on the list when I say...HUH???

Being an American living in Australia, and soon to be an Australian as
well as an American, I've come to learn in the past 20 some odd years
that Americans generally don't have a clue as to what life is like
outside of America, and when Joe Sixpack and his wife are outside of
familiar territory - i.e., American Soil, they are generally whinging
and whining about living standards, economies and generally everything
else that ISN'T America - hence I redirect to > /dev/null.

POM's just whinge - no matter what, hence I redirect to > /dev/null

(G)

...All in good fun - at least I can laugh about being an American.

-- 
Sun Jan 19 09:55:00 EST 2003
  9:55am  up 2 days, 19:38,  4 users,  load average: 0.06, 0.52, 0.56

Yow!  And then we could sit on the hoods of cars at stop lights!





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-18 Thread Ralph Slooten
On 18 Jan 2003 16:51:54 -0600
Jason Guidry [EMAIL PROTECTED] wrote:

 On Sat, 2003-01-18 at 15:03, Stephen Kuhn wrote:
 
  For any POM's and Yanks that have a whinge, > /dev/null
 
 I think I speak for all the Americans on the list when I say...HUH???

Hehe, I knew this would happen LOL. Stephen you started it again,
lmao :D  But the point of this topic is missed already. Jason, you
ain't on the Australian network I mentioned, so that's cool ;-) Let me
rephrase the above sentence to:

cat connect.com.au:635 > /dev/null


... just to save 4000 replies ;-)

Greetings
Ralph
-- 
http://tuxpower.f2g.net/
http://axljab.homelinux.org:8080/

I have opinions of my own, strong opinions,
but I don't always agree with them. - George H. W. Bush





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-18 Thread Ralph Slooten
On Sat, 18 Jan 2003 18:37:53 -0500
Mark Weaver [EMAIL PROTECTED] wrote:

 Ralph,
 
 have you done the leg work in tracking these connections and reported
 to the ISP they're coming from yet? That _should_ be the first place
 to begin. If your theory is correct then the sooner they know about it
 the better for all concerned all the way around.
 
 -- 
 Mark

Hi Mark

Yeah, I know the ISP and IP and times and ports and so on... I just
thought I would alert the list as I figured that the person is probably
on this list. Rather they clean their system than get a nasty letter
from their ISP, as I'm guessing this trojan is not intentional. But to get
back to the point, Stephen has just helped me out with the reports, now
to see if they respond to it (ISP).

Thanks
Ralph
-- 
http://tuxpower.f2g.net/
http://axljab.homelinux.org:8080/

I have opinions of my own, strong opinions,
but I don't always agree with them. - George H. W. Bush





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-18 Thread Mark Weaver
Ralph Slooten wrote:

Hiya all again,

My webserver is running portsentry, and has, on a daily basis been
blocking and banning all connection attempts from an Australian IP,
running on the connect.com.au network.

-= Reason for the block =-
Port-scanning on port 635

-= What is the relevance of Port 635 =-
Name: ADM worm
Aliases: ADM Inet w0rm, Linux.ADM.Worm
Ports: 21, 23, 37, 53, 70, 79, 109, 110, 111, 113, 143, 513, 514, 635, 31337
Files: Admw0rm-v1.tar.gz - 7,427 bytes, Admw0rm.tgz - Admw0rm - 1,725 bytes, Gimmeip - 545 bytes, Gimmerand.c - 314 bytes, Incremental - 765 bytes, Named_admv2.c - 5,892 bytes, Remotecmd.c - 4,098 bytes, Scanconnect.c - 1,483 bytes, Startup - 670 bytes, Testvuln.c - 4,299 bytes
Created: May 1998
Requires:
Actions: Worm / Rootkit / Backdoor
Registers:
Notes: Works on Unix (Linux). Affects Linux RedHat 4.0 to 5.2


I'm presuming this is a dial-up system, as there aren't too many Linux
systems running those old versions of Redhat, but it may be someone's
server or something. My guess is that it's someone on this list trying
to access my webserver http://axljab.homelinux.org:8080/ on a daily
basis, as it's some coincidence that I get 1 block every day from the
same network.

IP: Well, there is no real point in publicising the IP, as every day
it's different (hence the dial-up theory), but in total about 75% of all
my blocks / bans come from the connect.com.au network.

It doesn't bother me, but it may be bothering you as I'm sure my server
won't be the only one blocking/banning all connections from you, so the
better option is to find and get rid of this problem.

Please, if any of you are on this network, and suspect you may be
infected, or are just worried if it's you, contact me (privately), and
we can see if we can find a solution for this.

As to the security breach of this trojan, I'm not sure. But it's not
good anyway, considering it's a trojan ;-)

Look, I may be wrong, as it may be the ISP itself, but before I alert
them, I think you guys concerned should maybe have a browse around and
check it ain't you.


Thanks
Ralph


Ralph,

have you done the leg work in tracking these connections and reported to 
the ISP they're coming from yet? That _should_ be the first place to 
begin. If your theory is correct then the sooner they know about it the 
better for all concerned all the way around.

--
Mark
---
Paid for by Penguins against modern appliances(R)
Linux User Since 1996
Powered by Mandrake Linux 8.2  9.0
ICQ# 27816299





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-18 Thread Stephen Kuhn
On Sun, 2003-01-19 at 10:37, Mark Weaver wrote:

 have you done the leg work in tracking these connections and reported to 
 the ISP they're coming from yet? That _should_ be the first place to 
 begin. If your theory is correct then the sooner they know about it the 
 better for all concerned all the way around.

I've already contacted the ISP locally here - on both of their available
addresses. Tomorrow (being Monday for us) I'm going to be in their
neighbourhood and will call, and if necessary, stop in with a printed
report.

I like this stuff. And I love the looks on their faces when ya go
waltzing into their offices with print-outs in hand...(and a heavy
yank accent to boot)

-- 
Sun Jan 19 10:45:00 EST 2003
 10:45am  up 2 days, 20:28,  4 users,  load average: 0.02, 0.02, 0.00

Nine megs for the secretaries fair,
Seven megs for the hackers scarce,
Five megs for the grads in smoky lairs,
Three megs for system source;

One disk to rule them all,
One disk to bind them,
One disk to hold the files
And in the darkness grind 'em.





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-18 Thread Ralph Slooten
On Sat, 18 Jan 2003 18:43:54 -0500
Mark Weaver [EMAIL PROTECTED] wrote:

 Ralph,
 
 That's something I've not yet done. Just exactly how does one do that
 to an incoming connection? I'd be real interested to learn.
 
 -- 
 Mark

Well, I use portsentry
(http://www.psionic.com/products/portsentry.html), which basically
watches the incoming connections, and if certain ports are accessed,
then it drops all connections (on any port) from that IP.

Give it a try, as it works great. I am presuming here you use iptables
for your firewall? Whether you use firestarter or have an iptables
script it doesn't matter, portsentry overrides it all with a block. The
idea behind it is to block hackers, like when they portscan you to check
what's open, or trojans from spreading info / data. I have a script that
sends me an email with every attack.

Actually while I'm writing this, I just got another attempt, but this
one is from Canada (yeah, who is it?!?):


Date: Sun, 19 Jan 2003 00:49:35 +0100 (CET)

Portscan on 635 detected from 216.208.52.104  
Blocking all connections from host

Log History
===
Jan 19 00:49:33 axljab portsentry[25540]: attackalert: Connect from host: HSE-Kitchener-ppp78693.sympatico.ca/216.208.52.104 to TCP port: 635
Jan 19 00:49:33 axljab portsentry[25540]: attackalert: Host 216.208.52.104 has been blocked via wrappers with string: ALL: 216.208.52.104
Jan 19 00:49:33 axljab portsentry[25540]: attackalert: Host 216.208.52.104 has been blocked via dropped route using command: /sbin/iptables -I INPUT -s 216.208.52.104 -j DROP




Hope this helps
Ralph
-- 
http://tuxpower.f2g.net/
http://axljab.homelinux.org:8080/

I have opinions of my own, strong opinions,
but I don't always agree with them. - George H. W. Bush
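The portsentry log lines Ralph pastes above, parsed into a per-source summary of the kind his "email with every attack" script would send; this is an added example, not Ralph's script or portsentry's own code. The sample log is constructed from the three lines quoted in his post plus an invented second source (192.0.2.10, a documentation address, hostname dialup.example.invalid) that hit two watched ports without any block line following, which is the case a defender most wants flagged.

```python
"""Per-source summary of portsentry attackalert lines (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Every portsentry line shares a syslog prefix; the three message bodies
# below are the ones quoted in the thread (connect, wrappers block, route block).
_PREFIX = (r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
           r"portsentry\[(?P<pid>\d+)\]: attackalert: ")
CONNECT_RE = re.compile(_PREFIX + r"Connect from host: (?P<src>\S+)/(?P<ip>[\d.]+) "
                        r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)$")
WRAPPER_RE = re.compile(_PREFIX + r"Host (?P<ip>[\d.]+) has been blocked via wrappers "
                        r"with string: (?P<rule>.+)$")
ROUTE_RE = re.compile(_PREFIX + r"Host (?P<ip>[\d.]+) has been blocked via dropped route "
                      r"using command: (?P<cmd>.+)$")


@dataclass
class SourceReport:
    """What one source IP did and whether portsentry actually blocked it."""
    hostname: str = ""
    ports: Set[Tuple[str, int]] = field(default_factory=set)  # (proto, port) probed
    wrapper_block: Optional[str] = None   # hosts.deny string, e.g. "ALL: <ip>"
    route_block: Optional[str] = None     # the iptables/route command that was run

    @property
    def blocked(self) -> bool:
        return self.wrapper_block is not None or self.route_block is not None


def parse_portsentry_log(lines) -> Tuple[Dict[str, SourceReport], List[str]]:
    """Group attackalert lines by source IP; return (reports, unparsed lines)."""
    reports: Dict[str, SourceReport] = defaultdict(SourceReport)
    unparsed: List[str] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        m = CONNECT_RE.match(line)
        if m:
            rep = reports[m["ip"]]
            rep.hostname = m["src"]
            rep.ports.add((m["proto"], int(m["port"])))
            continue
        m = WRAPPER_RE.match(line)
        if m:
            reports[m["ip"]].wrapper_block = m["rule"]
            continue
        m = ROUTE_RE.match(line)
        if m:
            reports[m["ip"]].route_block = m["cmd"]
            continue
        unparsed.append(line)   # anything else is kept so it is not silently lost
    return dict(reports), unparsed


def probed_but_unblocked(reports: Dict[str, SourceReport]) -> List[str]:
    """Sources that hit a watched port but never got a block: the case worth
    alerting on, since it means the wrappers/route step failed or was not run."""
    return sorted(ip for ip, rep in reports.items() if rep.ports and not rep.blocked)


def format_alert(reports: Dict[str, SourceReport]) -> str:
    """Plain-text body of the kind a notification script would mail out."""
    out = []
    for ip in sorted(reports):
        rep = reports[ip]
        ports = ", ".join(f"{proto}/{port}" for proto, port in sorted(rep.ports))
        state = "BLOCKED" if rep.blocked else "NOT BLOCKED"
        out.append(f"{ip} ({rep.hostname or 'unknown host'}): ports {ports} -> {state}")
        if rep.route_block:
            out.append(f"    route block: {rep.route_block}")
    return "\n".join(out)


# Constructed sample: the three lines quoted in the thread for 216.208.52.104,
# plus an invented second source (192.0.2.10, a documentation address) that
# probed two ports without any block line following it.
SAMPLE_LOG = """\
Jan 19 00:49:33 axljab portsentry[25540]: attackalert: Connect from host: HSE-Kitchener-ppp78693.sympatico.ca/216.208.52.104 to TCP port: 635
Jan 19 00:49:33 axljab portsentry[25540]: attackalert: Host 216.208.52.104 has been blocked via wrappers with string: ALL: 216.208.52.104
Jan 19 00:49:33 axljab portsentry[25540]: attackalert: Host 216.208.52.104 has been blocked via dropped route using command: /sbin/iptables -I INPUT -s 216.208.52.104 -j DROP
Jan 19 01:12:07 axljab portsentry[25540]: attackalert: Connect from host: dialup.example.invalid/192.0.2.10 to TCP port: 635
Jan 19 01:12:07 axljab portsentry[25540]: attackalert: Connect from host: dialup.example.invalid/192.0.2.10 to TCP port: 31337
"""

if __name__ == "__main__":
    reports, leftovers = parse_portsentry_log(SAMPLE_LOG.splitlines())
    print(format_alert(reports))
    print("unblocked sources:", probed_but_unblocked(reports))
    print("unparsed lines:", len(leftovers))
```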





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-18 Thread Dennis Myers
On Sat, 2003-01-18 at 17:01, Ralph Slooten wrote:
 On 18 Jan 2003 16:51:54 -0600
 Jason Guidry [EMAIL PROTECTED] wrote:
 
  On Sat, 2003-01-18 at 15:03, Stephen Kuhn wrote:
  
   For any POM's and Yanks that have a whinge, > /dev/null
  
  I think I speak for all the Americans on the list when I say...HUH???
 
 Hehe, I knew this would happen LOL. Stephen you started it again,
 lmao :D  But the point of this topic is missed already. Jason, you
 ain't on the Australian network I mentioned, so that's cool ;-) Let me
 rephrase the above sentence to:
 
 cat connect.com.au:635 > /dev/null
 
 
 ... just to save 4000 replies ;-)
 
 Greetings
 Ralph
 -- 
 http://tuxpower.f2g.net/
 http://axljab.homelinux.org:8080/
 
 I have opinions of my own, strong opinions,
 but I don't always agree with them. - George H. W. Bush
 
 
 


Well! I never! Oh, actually I did once but not in public and that was
only with a small audience. There were no repercussions and I did get a
better room and living conditions for all the effort. We Americii's know
how to whine. I was so successful that after the gulf war I was there to
help rebuild Kuwait and whined hard enough that I got a room on the
tenth floor with a spectacular view. Of course the elevators didn't work
and the AC would quit when the generator ran out of fuel.: )
Dennis M.






Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-18 Thread Stephen Kuhn
On Sun, 2003-01-19 at 10:53, Dennis Myers wrote:

 Well! I never! Oh, actually I did once but not in public and that was
 only with a small audience. There were no repercussions and I did get a
 better room and living conditions for all the effort. We Americii's know
 how to whine. I was so successful that after the gulf war I was there to
 help rebuild Kuwait and whined hard enough that I got a room on the
 tenth floor with a spectacular view. Of course the elevators didn't work
 and the AC would quit when the generator ran out of fuel.: )
 Dennis M.

Hehehehehe...did you have a personal private sauna and hot tub as well?
(g)

-- 
Sun Jan 19 11:10:00 EST 2003
 11:10am  up 2 days, 20:53,  4 users,  load average: 0.07, 0.17, 0.09

It's a brave man who, when things are at their darkest, can kick back and party!
-- Dennis Quaid, Inner Space





Re: [newbie] Trojan alert - Australian IP (connect.com.au)

2003-01-18 Thread Mark Weaver
Ralph Slooten wrote:

On 18 Jan 2003 16:51:54 -0600
Jason Guidry [EMAIL PROTECTED] wrote:



On Sat, 2003-01-18 at 15:03, Stephen Kuhn wrote:



For any POM's and Yanks that have a whinge, > /dev/null


I think I speak for all the Americans on the list when I say...HUH???



Hehe, I knew this would happen LOL. Stephen you started it again,
lmao :D  But the point of this topic is missed already. Jason, you
ain't on the Australian network I mentioned, so that's cool ;-) Let me
rephrase the above sentence to:

cat connect.com.au:635 > /dev/null


... just to save 4000 replies ;-)

Greetings
Ralph


Ralph,

That's something I've not yet done. Just exactly how does one do that to 
an incoming connection? I'd be real interested to learn.

--
Mark
---
Paid for by Penguins against modern appliances(R)
Linux User Since 1996
Powered by Mandrake Linux 8.2  9.0
ICQ# 27816299

