Computer Security - Re: is my pc being used to launch DoS attacks ? |
#1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

tarquinlinbin wrote:

> On Tue, 30 Mar 2004 15:13:48 -0800, "Kevin" <> wrote:
>
>> You shouldn't be seeing any connect attempts at all. The router should be
>> rendering your system invisible. Go to www.dslreports.com and use their
>> tools to run a port scan on your machine. You want your machine to be
>> completely stealthy. I don't have a router but I do have a DSL modem and I
>> use Zone Alarm Pro as my firewall. When I run the port scan test from
>> dslreports I always find my machine totally stealthy and undetected. Have
>> you sent email to the abuse department at the website these attacks are
>> originating from?
>>
> I'm not an expert, but the connect attempts appear to be outgoing from
> my PC rather than incoming!! That's what worries me!

It could be a root kit. I can't see how else flow-controlled packets are
being sent from inside the router sock_stream unless someone has made
changes to your system.

Is the outgoing packet flow constant?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFAa2oxEdeTYUmVmnYRAuJHAKDUWME9EZRHN6tB3CE75OwgnWDrNQCg+kTA
Y/Ypg0Cfx79DAtbvg9zR8g4=
=PtaH
-----END PGP SIGNATURE-----

Tommy
#2
On Wed, 31 Mar 2004 20:02:40 -0500, Tommy <> wrote:

> tarquinlinbin wrote:
>
>> On Tue, 30 Mar 2004 15:13:48 -0800, "Kevin" <> wrote:
>>
>>> You shouldn't be seeing any connect attempts at all. The router should be
>>> rendering your system invisible. Go to www.dslreports.com and use their
>>> tools to run a port scan on your machine. You want your machine to be
>>> completely stealthy. I don't have a router but I do have a DSL modem and I
>>> use Zone Alarm Pro as my firewall. When I run the port scan test from
>>> dslreports I always find my machine totally stealthy and undetected. Have
>>> you sent email to the abuse department at the website these attacks are
>>> originating from?
>>>
>> I'm not an expert, but the connect attempts appear to be outgoing from
>> my PC rather than incoming!! That's what worries me!
>
> It could be a root kit. I can't see how else flow-controlled packets are
> being sent from inside the router sock_stream unless someone has made
> changes to your system.
> Is the outgoing packet flow constant?

There has been something insidious going on. A few weeks ago I found my PC trying to make outgoing connects to www.chronopay.com, which I believe is a legitimate e-commerce company. It was the same pattern: a continual outgoing stream of connect attempts, continually trying consecutive port numbers. My firewall was blocking the outgoing traffic on each port, so it tried another and another, etc. AFAIK nothing escaped. I had an email supposedly from someone at chronopay who said that someone was attempting to use other PCs to launch DoS attacks on them; this was in response to a newsgroup query that I posted on the subject. The email may have been fake, I don't know. That episode seemed to be linked to www.truerecords.biz in some way. Because my PC was fully engaged in using the firewall to prevent the outgoing attempts, it ran really slow!!

The latest seems to be linked with a running process called oriani.exe, which I have since killed and deleted because I think it is malicious; I also found flash.exe and deleted that. These items seemed to be linked to these outgoing attacks on www.siberia.ur.ru. Again it was trying many consecutively numbered ports one after another and failing.

My greatest concern is that oriani.exe and flash.exe and other items are linked to these episodes. My concern is: how did these items get installed on my PC? The only link is the internet. I suspect that there really must be a backdoor trojan buried deep in my system which is not being flagged by any of my security products. I've run NIS full scans, Ad-Aware and Trojan Remover; I've run remote scans for viruses on Symantec's website; I've run several port probes, etc. Quite a while ago NIS flagged a file infected with Backdoor.Smother. I felt at the time that this was a false trigger. Again I have no clue as to how it would get onto my system. I don't use Outlook Express because of its insecurities. I really don't know what else I can do!! I can't decide whether there is a real issue or whether I'm going mad!!

The issue remains: in the recent past I had noted spurious running processes which seem linked to multiport outgoing connect attempts to

a) www.truerecords.biz
b) www.chronopay.com
c) www.siberia.ur.ru

It seems all I can do is continue to monitor and see what happens!

tarquinlinbin
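As an added example (not from any of the posters in this thread), here is a small Python script that detects the pattern tarquinlinbin describes above in a firewall log: one program on the PC trying a single remote host on consecutive port numbers, one attempt after another, with the firewall blocking each one. The log line format, the program names, the addresses and the timestamps are all constructed for the example; the script does not parse any real firewall product's log format, and the "oriani.exe" label in the sample is only there so the output maps onto the post.

```python
"""Flag outbound 'consecutive port walks' in a firewall log.

Example code added to this thread, not from any of the posters.  The
line format is constructed for the example and is not a real product's
format:

  <ISO timestamp> <IN|OUT> <program> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <ALLOW|BLOCK>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<direction>IN|OUT) (?P<program>\S+) "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dst_port>\d+) (?P<action>ALLOW|BLOCK)$"
)


def parse_line(line):
    """Return one event dict for a well-formed line, or None for junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.fromisoformat(ev["time"])
    ev["src_port"] = int(ev["src_port"])
    ev["dst_port"] = int(ev["dst_port"])
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def _describe(program, dst_ip, run):
    span = (run[-1]["time"] - run[0]["time"]).total_seconds()
    return {
        "program": program,
        "dst_ip": dst_ip,
        "first_port": run[0]["dst_port"],
        "last_port": run[-1]["dst_port"],
        "count": len(run),
        "first_seen": run[0]["time"],
        "last_seen": run[-1]["time"],
        # attempts per second; a sustained walk is what keeps the firewall
        # (and the PC) busy dropping one connection after another
        "rate_per_s": len(run) / span if span else float(len(run)),
    }


def find_port_walks(events, min_run=10, max_gap=timedelta(seconds=30)):
    """Group BLOCKED OUTBOUND attempts by (program, destination host), order
    them in time, and report every stretch of at least `min_run` attempts in
    which each attempt hits the port one above the previous one within
    `max_gap`.  Allowed traffic and inbound hits are ignored on purpose: the
    question in the thread is what the PC itself keeps trying to reach."""
    by_target = defaultdict(list)
    for ev in events:
        if ev["direction"] == "OUT" and ev["action"] == "BLOCK":
            by_target[(ev["program"], ev["dst_ip"])].append(ev)

    findings = []
    for (program, dst_ip), evs in by_target.items():
        evs.sort(key=lambda e: e["time"])
        run = [evs[0]]
        for prev, cur in zip(evs, evs[1:]):
            if cur["dst_port"] == prev["dst_port"] + 1 and cur["time"] - prev["time"] <= max_gap:
                run.append(cur)
                continue
            if len(run) >= min_run:
                findings.append(_describe(program, dst_ip, run))
            run = [cur]
        if len(run) >= min_run:
            findings.append(_describe(program, dst_ip, run))
    return findings


def constructed_log():
    """Constructed sample, not a real capture; remote hosts use RFC 5737
    documentation addresses in place of the sites named in the thread."""
    t0 = datetime(2004, 3, 31, 20, 2, 40)
    lines = []
    # The suspicious stream: one process, one host, ports 1025..1054, about 1/s
    for i in range(30):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} OUT oriani.exe 192.168.1.5:{1034 + i} -> 203.0.113.7:{1025 + i} BLOCK")
    # Ordinary browsing, allowed: must not be reported
    lines.append(f"{(t0 + timedelta(seconds=3)).isoformat()} OUT iexplore.exe 192.168.1.5:1100 -> 198.51.100.20:80 ALLOW")
    lines.append(f"{(t0 + timedelta(seconds=5)).isoformat()} OUT iexplore.exe 192.168.1.5:1101 -> 198.51.100.20:443 ALLOW")
    # Two blocked attempts to non-consecutive ports: blocked, but not a walk
    lines.append(f"{(t0 + timedelta(seconds=8)).isoformat()} OUT unknown.exe 192.168.1.5:1102 -> 198.51.100.21:135 BLOCK")
    lines.append(f"{(t0 + timedelta(seconds=9)).isoformat()} OUT unknown.exe 192.168.1.5:1103 -> 198.51.100.21:445 BLOCK")
    return "\n".join(lines)


if __name__ == "__main__":
    for f in find_port_walks(parse_log(constructed_log())):
        print(f"{f['program']} -> {f['dst_ip']}: ports {f['first_port']}-{f['last_port']} "
              f"({f['count']} blocked attempts, {f['rate_per_s']:.2f}/s)")
```

The grouping key is (program, destination host) rather than destination alone, so a single process walking one host stands out even while a browser is legitimately talking to other hosts at the same time; the two blocked but non-consecutive attempts in the sample show that "blocked outbound" by itself is not the signal, the consecutive port sequence is.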
#3
Do you use Internet Explorer? What are its security settings?

--
************************************************
g-w

"tarquinlinbin" <> wrote in message news:...
> On Wed, 31 Mar 2004 20:02:40 -0500, Tommy <> wrote:
>
> A few weeks ago I found my PC trying to make outgoing connects to
> www.chronopay.com, which I believe is a legitimate e-commerce company.
> It was the same pattern: a continual outgoing stream of connect
> attempts, continually trying consecutive port numbers. My firewall was
> blocking the outgoing traffic on each port, so it tried another and
> another, etc. AFAIK nothing escaped. I had an email supposedly
> from someone at chronopay who said that someone was attempting to use
> other PCs to launch DoS attacks on them; this was in response to a
> newsgroup query that I posted on the subject. The email may have been
> fake, I don't know. That episode seemed to be linked to
> www.truerecords.biz in some way. Because my PC was fully engaged in
> using the firewall to prevent the outgoing attempts, it ran really
> slow!!
>
> The latest seems to be linked with a running process called oriani.exe,
> which I have since killed and deleted because I think it is malicious;
> I also found flash.exe and deleted that. These items seemed to be
> linked to these outgoing attacks on www.siberia.ur.ru. Again it was
> trying many consecutively numbered ports one after another and
> failing.
>
> My greatest concern is that oriani.exe and flash.exe and other items
> are linked to these episodes. My concern is: how did these items get
> installed on my PC? The only link is the internet. I suspect that
> there really must be a backdoor trojan buried deep in my system which
> is not being flagged by any of my security products. I've run NIS full
> scans, Ad-Aware and Trojan Remover; I've run remote scans for viruses on
> Symantec's website; I've run several port probes, etc. Quite a while ago
> NIS flagged a file infected with Backdoor.Smother. I felt at the time
> that this was a false trigger. Again I have no clue as to how it would
> get onto my system. I don't use Outlook Express because of its
> insecurities. I really don't know what else I can do!! I can't decide
> whether there is a real issue or whether I'm going mad!! The issue
> remains: in the recent past I had noted spurious running processes which
> seem linked to multiport outgoing connect attempts to
>
> a) www.truerecords.biz
> b) www.chronopay.com
> c) www.siberia.ur.ru
>
> It seems all I can do is continue to monitor and see what happens!

kulm_nd
#4
On Thu, 01 Apr 2004 13:08:38 GMT, "kulm_nd" <> wrote:

> Do you use Internet Explorer? What are its security settings?

Currently set to medium, all updates except SP1 (!). Also I ran Spybot and got a list of stuff, very worrying really; purged the lot. I've also changed all the passwords on the accounts on my PC and I don't log on as admin. I feel I've done all I can do now and it's a case of wait and see. If I have these problems with all the work I do to try and secure my system, God help all those who are complete novices..

joe
tarquinlinbin
#5
> Currently set to medium, all updates except SP1 (!). Also I ran Spybot
> and got a list of stuff, very worrying really; purged the lot.

If you are relying on something like Spybot, then you are not looking for the "packer" that is on your machine. Spybot and Ad-Aware seem oblivious to the virus container that gets downloaded and then "unpacks", launching the viruses it contains.

Something I've noticed about this newsgroup is that I can NEVER get a dialog going on this subject. That says only one thing to me. Most of the people who post here are not security experts at all, or they would have experience in spotting where these things reside. I have found them in a 2nd recycle bin ... in the system32 folder ... in the Sys Vol Info folder ... in a weirdly named folder in the windows directory ...

So, what you need to do is stop talking to these guys who are pretending to be security people, and go learn about what I'm saying. First do a search on recent files, and then look where they are. You will spot the packer. Take your system off line, or it will bring itself down again, and then look at the oddball processes running, and make a list. Delete the weird stuff, and note which processes don't come back. That is how you will find this thing. And one thing is for sure: that packer came right through your firewall with no problem. Are you maybe running Bargain Buddy or some kind of scumware that you think is safe? ... like AIM?

> If I have these problems with all the work I do to try and secure my
> system, God help all those who are complete novices..

The best security system out there by far is a simple virus scanner and a big hard drive with a disk imaging and recovery program ... and a slow modem rather than DSL. All the beginners are doing that, and as a result they are a lot safer than the types who are running all this firewall stuff without realizing that most of the writers of these programs have quit supporting them because they are so easy to hack. They invite it. I recommend a combo of McAfee and PowerQuest DiskImage2002. Then you are fairly safe.

johns
#6
kulm_nd wrote:

> Do you use Internet Explorer? What are its security settings?

Does it matter? IE will blissfully run anything it's told to, if you use XP.

Micheal Robert Zium
#7
It matters, as you said; he probably is having his IE run things on his system through scripts. I use IE only when a site makes it necessary.

--
************************************************
g-w

"Micheal Robert Zium" <> wrote in message news:1104291800.419ee210@spam-sucks...
> kulm_nd wrote:
>
>> Do you use Internet Explorer? What are its security settings?
>
> Does it matter? IE will blissfully run anything it's told to, if you
> use XP.

kulm_nd