Computer Security - Extremely odd thing with Giganews DMCA?

#1

I posted this to alt.privacy this AM. I got an e-mail that I should repost it
here. Hope nobody minds.

I was reading APAS a few minutes ago via Giganews.

A message popped up on the screen asking me about transferring bookmarks. I
looked at the taskbar and saw it was Firefox. I assumed it was asking me if I
wanted to transfer my IE bookmarks to it. Neither IE nor Firefox was running
at the time.

I answered the popup with OK. Next, Firefox opened up the following page:
http://www.giganews.com/dmca.html

The only things running at the time were Mercury, OE, and News Agent.

Grisoft AVG, MS Antispyware, and PGP were running in the tray.

I should add that the PC is behind a cable modem and a Netgear wireless router,
though directly connected to the router.

Has anyone else had this happen? I have not now, nor ever, posted or
downloaded any copyrighted materials. I have had this account with them for
about 1 1/2 years.

How in the heck did that happen? I checked my Firefox bookmarks and sure
enough, it looks like it transferred my IE bookmarks into it. But the page I
referred to that popped up was not one of the bookmarked pages.

I should add that this is a new PC. I have only set it up this weekend, so
there are very few bookmarks. It is a Dell with XP Pro and the way it was
shipped included Dell bookmarks. The Dell bookmarks got transferred to
Firefox. That is how I know for sure it was Firefox asking to transfer
bookmarks.

Anybody have any clues as to what fired things off? Kind of scary. I would
hate to think that Giganews can control Firefox on this PC. Should I dump
Firefox? Is there some exploit in it? I installed Firefox because I thought it
was secure. How the heck could it be remotely turned on? Remember, it wasn't
running at the time. It was remotely started by someone else.

Could it be I got a trojan? Don't know how. Everything on this PC (not much)
is legit software. Nothing strange.

Really wondering what the heck is going on? How? Why that page? Makes me
nervous as all get out.

AVG has completed a test of everything without finding anything.

Regards,
roadburner

#2

From: "roadburner" <roadburner^at^comcast^dot^net>

| I posted this to alt.privacy this AM. I got an e-mail that I should repost it
| here. Hope nobody minds.
|
| I was reading APAS a few minutes ago via Giganews.
|
| A message popped up on the screen asking me about transferring bookmarks. I
| looked at the taskbar and saw it was Firefox. I assumed it was asking me if I
| wanted to transfer my IE bookmarks to it. Neither IE nor Firefox was running
| at the time.
|
| I answered the popup with OK. Next, Firefox opened up the following page:
| http://www.giganews.com/dmca.html
|
| The only things running at the time were Mercury, OE, and News Agent.
|
| Grisoft AVG, MS Antispyware, and PGP were running in the tray.
|
| I should add that the PC is behind a cable modem and a Netgear wireless router,
| though directly connected to the router.
|
| Has anyone else had this happen? I have not now, nor ever, posted or
| downloaded any copyrighted materials. I have had this account with them for
| about 1 1/2 years.
|
| How in the heck did that happen? I checked my Firefox bookmarks and sure
| enough, it looks like it transferred my IE bookmarks into it. But the page I
| referred to that popped up was not one of the bookmarked pages.
|
| I should add that this is a new PC. I have only set it up this weekend, so
| there are very few bookmarks. It is a Dell with XP Pro and the way it was
| shipped included Dell bookmarks. The Dell bookmarks got transferred to
| Firefox. That is how I know for sure it was Firefox asking to transfer
| bookmarks.
|
| Anybody have any clues as to what fired things off? Kind of scary. I would
| hate to think that Giganews can control Firefox on this PC. Should I dump
| Firefox? Is there some exploit in it? I installed Firefox because I thought it
| was secure. How the heck could it be remotely turned on? Remember, it wasn't
| running at the time. It was remotely started by someone else.
|
| Could it be I got a trojan? Don't know how. Everything on this PC (not much)
| is legit software. Nothing strange.
|
| Really wondering what the heck is going on? How? Why that page? Makes me
| nervous as all get out.
|
| AVG has completed a test of everything without finding anything.
|
| Regards,
| roadburner

For non-viral malware...

Please download, install and update the following software...

Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

For viral malware...

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare }, three batch files, five Kixtart
scripts, one Link (.LNK) file, a PDF instruction file and two utilities:
UNZIP.EXE and WGET.EXE. It will simplify the process of using the Sophos, Trend
and McAfee Anti Virus Command Line Scanners to remove viruses, Trojans and
various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
This will bring up the initial menu of choices and should be executed in
Normal Mode. This way all the components can be downloaded from each AV
vendor's web site.
The choices are: Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or
you can download the files and perform a scan in Normal Mode. Once you have
downloaded the files needed for each scanner you want to use, you should reboot
the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose
which scanner you want to run in Safe Mode. It is suggested to run the scanners
in both Safe Mode and Normal Mode.

When the menu is displayed, hitting 'H' or 'h' will bring up a more
comprehensive PDF help file.

To use this utility, perform the following...

Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your FireWall to allow it to download the needed AV vendor related
files.

* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

#3

On Mon, 19 Sep 2005 17:31:30 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

Snipped

>For non-viral malware...
>
>Please download, install and update the following software...
>
>Ad-aware SE v1.06
>http://www.lavasoft.de/
>http://www.lavasoftusa.com/
>
>SpyBot Search and Destroy v1.4
>http://security.kolla.de/
>
>After the software is updated, I suggest scanning the system in Safe Mode.
>
>For viral malware...
>
>Download MULTI_AV.EXE from the URL --
>http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
>It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
>{ http://kixtart.org Kixtart is CareWare }, three batch files, five Kixtart
>scripts, one Link (.LNK) file, a PDF instruction file and two utilities:
>UNZIP.EXE and WGET.EXE. It will simplify the process of using the Sophos,
>Trend and McAfee Anti Virus Command Line Scanners to remove viruses, Trojans
>and various other malware.
>
>C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
>This will bring up the initial menu of choices and should be executed in
>Normal Mode. This way all the components can be downloaded from each AV
>vendor's web site.
>The choices are: Sophos, Trend, McAfee, Exit the menu and Reboot the PC.
>
>You can choose to go to each menu item and just download the needed files or
>you can download the files and perform a scan in Normal Mode. Once you have
>downloaded the files needed for each scanner you want to use, you should
>reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again
>and choose which scanner you want to run in Safe Mode. It is suggested to run
>the scanners in both Safe Mode and Normal Mode.
>
>When the menu is displayed, hitting 'H' or 'h' will bring up a more
>comprehensive PDF help file.
>
>To use this utility, perform the following...
>
>Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
>Choose; Unzip
>Choose; Close
>
>Execute; C:\AV-CLS\StartMenu.BAT
>{ or Double-click on 'Start Menu' in C:\AV-CLS }
>
>NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
>through your FireWall to allow it to download the needed AV vendor related
>files.
>
>* * * Please report back your results * * *

I'll do it tonight when I get home and report back. Thanks so much. I hadn't
thought of that. I use S&D and Adaware on my other PCs, but this was a new PC
and I didn't think to install those 2 tools.

MULTI_AV.EXE is one I never heard of. Thanks so very much for bringing it to
my attention.

I normally keep my PCs locked down so tight that nothing ever gets through.
Over 13 years on the Internet and many years before, beginning with a TRS-80,
I have never had any experiences like this. Never had a virus or anything
else. So please excuse me if I seem to have gotten excited. Just something I
never experienced before. It is very troubling to me.

Another troubling thing is a discussion I had about it with another engineer.
I work in real time process control and he works in the networking, Level 2 or
data collection side of things.

He has a NAT router on his home PC. He has 2 children. One of the kids did an
"adoption" of an animal on the net. Not a real animal, just a schooling
project. So each night his daughter has to take care of her adopted cyberspace
animal. As a joke, the other sister asked her Dad to block the site for a
practical joke. He pinged the site, got the IP, and blocked it in his NAT
router. Then he tested his work with Firefox. It took a while, but the site
came up in Firefox. (This guy is our networking expert with over 20 years
experience.) Then he logged on to her account and was still able to access the
site, though some of it was blocked. We are both starting to think Firefox is
the root cause.

Mine is a pretty bare bones system, only a few dedicated and trusted programs
on it. It is destined to sit and execute certain privacy related software such
as a Tor node. Switching between it and the main computer is done by a USB KVM
switch. On the dedicated computer, file and printer sharing is off.

If I can't find the source or a good explanation, I'll reformat and reinstall
the OS.

Once again, may I extend my most sincere thanks to you for your suggestions,
which I will follow to the letter.

My warmest regards,
roadburner

#4

On Mon, 19 Sep 2005 15:06:46 -0400, roadburner <roadburner^at^comcast^dot^net>
wrote:

Forgot to mention that McAfee is offered free to Comcast subscribers, of which
I am one. I'll install it tonight too.

Regards,
roadburner

#5

From: "roadburner" <roadburner^at^comcast^dot^net>

|
| I'll do it tonight when I get home and report back. Thanks so much. I hadn't
| thought of that. I use S&D and Adaware on my other PCs, but this was a new PC
| and I didn't think to install those 2 tools.
|
| MULTI_AV.EXE is one I never heard of. Thanks so very much for bringing it to
| my attention.
|
| I normally keep my PCs locked down so tight that nothing ever gets through.
| Over 13 years on the Internet and many years before, beginning with a TRS-80,
| I have never had any experiences like this. Never had a virus or anything
| else. So please excuse me if I seem to have gotten excited. Just something I
| never experienced before. It is very troubling to me.
|
| Another troubling thing is a discussion I had about it with another engineer.
| I work in real time process control and he works in the networking, Level 2 or
| data collection side of things.
|
| He has a NAT router on his home PC. He has 2 children. One of the kids did an
| "adoption" of an animal on the net. Not a real animal, just a schooling
| project. So each night his daughter has to take care of her adopted cyberspace
| animal. As a joke, the other sister asked her Dad to block the site for a
| practical joke. He pinged the site, got the IP, and blocked it in his NAT
| router. Then he tested his work with Firefox. It took a while, but the site
| came up in Firefox. (This guy is our networking expert with over 20 years
| experience.) Then he logged on to her account and was still able to access the
| site, though some of it was blocked. We are both starting to think Firefox is
| the root cause.
|
| Mine is a pretty bare bones system, only a few dedicated and trusted programs
| on it. It is destined to sit and execute certain privacy related software such
| as a Tor node. Switching between it and the main computer is done by a USB KVM
| switch. On the dedicated computer, file and printer sharing is off.
|
| If I can't find the source or a good explanation, I'll reformat and reinstall
| the OS.
|
| Once again, may I extend my most sincere thanks to you for your suggestions,
| which I will follow to the letter.
|
| My warmest regards,
| roadburner

I wrote the Multi AV scanning tool. It is a scripted front end to the Trend
Micro Sysclean utility and for the McAfee and Sophos Command Line Scanners. I
saw a need to help those infected, so I wrote the tool to be as useful as
possible. I am always willing to accept feedback for future improvements or
enhancements.

Realize that there *may* be multiple IP addresses associated to the web site
you blocked (such as via DyDNS -- http://www.dydns.com/ ). So if the IP
changes, the blocking is ineffectual. The question would be what if you
blocked the alias (URL) such as www.furryanimals.cyberspace.com ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

#6

From: "roadburner" <roadburner^at^comcast^dot^net>

| On Mon, 19 Sep 2005 15:06:46 -0400, roadburner <roadburner^at^comcast^dot^net>
| wrote:
|
| Forgot to mention that McAfee is offered free to Comcast subscribers, of which
| I am one. I'll install it tonight too.
|
| Regards,
| roadburner

The FREE version of McAfee is the retail version. It is tied to IE and does
not include the McAfee Command Line Scanner that is downloaded and used in my
Multi AV Scanning Tool, which has been programmed to run aggressively.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

#7

On Mon, 19 Sep 2005 19:41:05 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

Snipped

>I wrote the Multi AV scanning tool. It is a scripted front end to the Trend
>Micro Sysclean utility and for the McAfee and Sophos Command Line Scanners. I
>saw a need to help those infected, so I wrote the tool to be as useful as
>possible. I am always willing to accept feedback for future improvements or
>enhancements.
>
>Realize that there *may* be multiple IP addresses associated to the web site
>you blocked (such as via DyDNS -- http://www.dydns.com/ ). So if the IP
>changes, the blocking is ineffectual. The question would be what if you
>blocked the alias (URL) such as www.furryanimals.cyberspace.com ?

I thought of that one to ask him. He will double check it. He thinks not,
because only a very short time elapsed between him blocking and testing. The
site would have had to go offline for a bit to get assigned a new address.

I registered a new domain with DyDNS and subscribed to the service. Though my
IP has stayed fixed for the 1 1/2 years I have had cable, who knows. There was
nothing in writing that said I would have a fixed IP.

I should have added that I am a bit of a privacy buff. The new PC will be
dedicated to running a Tor node. Likewise, type 1 and 2 remailers. That was
why I was running Mercury. As I think about it more, I had port forwarded 25
for Mercury mail and 9001 and 9030 for the Tor node in the Netgear router.

I had the Tor node set up on my primary computer at 198.168.0.2. The primary
computer has a Symantec firewall which only allowed connection through 9001
and 9030 to Tor at 198.168.0.2.

When I reconfigured the network, I set the new PC as 198.168.0.2, the primary
as 3, and the laptop as 4. I had not installed a software firewall yet.

Possibly I could have left myself open for an attack through those ports. In
the little over a month I had been operating a Tor node, the firewall logs
showed the Tor ports came under attack. The firewall was configured to
automatically close connections on a persistent attack, which the logs show it
did on 3 occasions. All Tor nodes, their IPs and their open Dirports and
Orports are shown at: http://tinyurl.com/898o9

Now I am wondering if I got "hacked" into. Possibility, I guess.

Very nice of you to take the time to write the scanning tool. I'll put it to
use.

Regards,
roadburner

#8

From: "roadburner" <roadburner^at^comcast^dot^net>

|
| I thought of that one to ask him. He will double check it. He thinks not,
| because only a very short time elapsed between him blocking and testing. The
| site would have had to go offline for a bit to get assigned a new address.
|
| I registered a new domain with DyDNS and subscribed to the service. Though my
| IP has stayed fixed for the 1 1/2 years I have had cable, who knows. There was
| nothing in writing that said I would have a fixed IP.
|
| I should have added that I am a bit of a privacy buff. The new PC will be
| dedicated to running a Tor node. Likewise, type 1 and 2 remailers. That was
| why I was running Mercury. As I think about it more, I had port forwarded 25
| for Mercury mail and 9001 and 9030 for the Tor node in the Netgear router.
|
| I had the Tor node set up on my primary computer at 198.168.0.2. The primary
| computer has a Symantec firewall which only allowed connection through 9001
| and 9030 to Tor at 198.168.0.2.
|
| When I reconfigured the network, I set the new PC as 198.168.0.2, the primary
| as 3, and the laptop as 4. I had not installed a software firewall yet.
|
| Possibly I could have left myself open for an attack through those ports. In
| the little over a month I had been operating a Tor node, the firewall logs
| showed the Tor ports came under attack. The firewall was configured to
| automatically close connections on a persistent attack, which the logs show it
| did on 3 occasions. All Tor nodes, their IPs and their open Dirports and
| Orports are shown at: http://tinyurl.com/898o9
|
| Now I am wondering if I got "hacked" into. Possibility, I guess.
|
| Very nice of you to take the time to write the scanning tool. I'll put it to
| use.
|
| Regards,
| roadburner

I looked at that log but I couldn't glean anything from it.

Posting the URL of that log in a FireWall News Group may be helpful.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

#9

On Mon, 19 Sep 2005 20:40:52 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "roadburner" <roadburner^at^comcast^dot^net>
>
>
>|
>| I thought of that one to ask him. He will double check it. He thinks not,
>| because only a very short time elapsed between him blocking and testing. The
>| site would have had to go offline for a bit to get assigned a new address.
>|
>| I registered a new domain with DyDNS and subscribed to the service. Though my
>| IP has stayed fixed for the 1 1/2 years I have had cable, who knows. There was
>| nothing in writing that said I would have a fixed IP.
>|
>| I should have added that I am a bit of a privacy buff. The new PC will be
>| dedicated to running a Tor node. Likewise, type 1 and 2 remailers. That was
>| why I was running Mercury. As I think about it more, I had port forwarded 25
>| for Mercury mail and 9001 and 9030 for the Tor node in the Netgear router.
>|
>| I had the Tor node set up on my primary computer at 198.168.0.2. The primary
>| computer has a Symantec firewall which only allowed connection through 9001
>| and 9030 to Tor at 198.168.0.2.
>|
>| When I reconfigured the network, I set the new PC as 198.168.0.2, the primary
>| as 3, and the laptop as 4. I had not installed a software firewall yet.
>|
>| Possibly I could have left myself open for an attack through those ports. In
>| the little over a month I had been operating a Tor node, the firewall logs
>| showed the Tor ports came under attack. The firewall was configured to
>| automatically close connections on a persistent attack, which the logs show it
>| did on 3 occasions. All Tor nodes, their IPs and their open Dirports and
>| Orports are shown at: http://tinyurl.com/898o9
>|
>| Now I am wondering if I got "hacked" into. Possibility, I guess.
>|
>| Very nice of you to take the time to write the scanning tool. I'll put it to
>| use.
>|
>| Regards,
>| roadburner
>
>I looked at that log but I couldn't glean anything from it.
>
>Posting the URL of that log in a FireWall News Group may be helpful.

It is not a log but a listing of active Tor nodes. For instance:

router rfc1149 81.56.47.149 9001 0 9030

Router name: rfc1149
IP address: 81.56.47.149
Open Tor ports: 9001 & 9030

Basically, when we run a Tor node, we tell the world our IPs and which ports
we have open for Tor connections. The rest are our keys, used by other nodes,
and what IP addresses and ports are open or blocked by our Exit Policies. For
instance, if you were surfing the net through Tor and Privoxy, the IP address
that shows up at the site you visit would be one of ours.

Tor was first developed by the US Navy. Now it is sponsored by the EFF. The US
security agencies are known to use our network nodes to disguise their own IPs
when they visit certain questionable websites or chat in some chatroom.
Basically, it is a free privacy service with volunteer operators and open to
anyone. There are about 250 operators worldwide and an estimated 10,000 users
of the service.

I think what I'll do at this point is just reformat and reinstall the OS. It
will probably take less time. Like I mentioned, I only have a few programs on
it that can easily be re-installed. Since I won't be using that PC for anything
else, I'll lock it down tighter than a drum.

Fortunately, I had nothing on it yet, like my PGP keyrings or Tor secret keys.
I was just in the process of setting it up, so everything else resides on a USB
stick (in my shirt pocket) right now. Happy I didn't finish it without the
firewall. Because of the sensitive nature of encryption keys, I think I'll
just be safe rather than take a chance. I'll set it all up while disconnected
from the Internet.

Thanks for everything, you have been most helpful.

My warmest regards,
roadburner
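The "router" line roadburner decodes above is the one piece of structured data in the thread, and the natural thing an operator does with the listing is check that the ports the world sees advertised for his own address are exactly the ones he forwarded on the router (post #7 mentions forwards for 25, 9001 and 9030). The following Python is an added example, not code from the thread or from the Tor project. The field order (nickname, address, ORPort, SOCKSPort, DirPort) follows Tor's directory specification; the rfc1149 line is the one quoted in the post, while the other two nodes, their addresses (RFC 5737 documentation ranges) and the exit-policy lines are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Constructed sample of the node listing described in the post: one "router"
# line per node, with exit-policy lines interleaved.  Only the rfc1149 line is
# from the thread; the other nodes and the policy lines are made up.
SAMPLE_LISTING = """\
router rfc1149 81.56.47.149 9001 0 9030
accept *:80
reject *:*
router example-relay 198.51.100.7 443 0 0
reject *:*
router example-node 203.0.113.9 9001 0 9030
accept *:*
"""


@dataclass(frozen=True)
class RouterLine:
    """Fields of a 'router' line: nickname, address, ORPort, SOCKSPort, DirPort."""
    nickname: str
    address: ipaddress.IPv4Address
    or_port: int      # port other nodes connect to for Tor circuits
    socks_port: int   # deprecated field, always 0 in the listing
    dir_port: int     # directory port, 0 when the node serves no directory


def _port(text: str) -> int:
    port = int(text)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port


def parse_router_line(line: str) -> RouterLine:
    """Parse 'router <nick> <ip> <ORPort> <SOCKSPort> <DirPort>'."""
    parts = line.split()
    if len(parts) != 6 or parts[0] != "router":
        raise ValueError(f"not a router line: {line!r}")
    _, nick, addr, or_p, socks_p, dir_p = parts
    return RouterLine(nick, ipaddress.IPv4Address(addr),
                      _port(or_p), _port(socks_p), _port(dir_p))


def parse_listing(text: str) -> list[RouterLine]:
    """Collect every router line; exit-policy and other lines are skipped."""
    return [parse_router_line(ln) for ln in text.splitlines()
            if ln.startswith("router ")]


def advertised_ports(node: RouterLine) -> set[int]:
    """Ports the node tells the world are open (a 0 means 'not offered')."""
    return {p for p in (node.or_port, node.dir_port) if p}


def exposure_check(listing: list[RouterLine], my_address: str,
                   forwarded: Iterable[int]) -> tuple[set[int], set[int]]:
    """Compare the ports advertised for my_address with the router's forwards.

    Returns (advertised but not forwarded, forwarded but not advertised).
    The second set is every inbound port the Tor listing does not account
    for; each of those needs its own justification.
    """
    addr = ipaddress.IPv4Address(my_address)
    advertised: set[int] = set()
    for node in listing:
        if node.address == addr:
            advertised |= advertised_ports(node)
    forwarded = set(forwarded)
    return advertised - forwarded, forwarded - advertised


if __name__ == "__main__":
    nodes = parse_listing(SAMPLE_LISTING)
    for n in nodes:
        print(f"{n.nickname:14} {str(n.address):16} open: {sorted(advertised_ports(n))}")
    # Forwards from post #7: 25 (Mercury mail), 9001 and 9030 (Tor).
    print(exposure_check(nodes, "203.0.113.9", [25, 9001, 9030]))
```

Run against the constructed listing, the check for 203.0.113.9 reports nothing advertised that is not forwarded, and one forwarded port (25) that Tor does not explain; in the post that port belongs to the mail server, which is exactly the kind of non-Tor listener a host firewall should be covering.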

#10

"David H. Lipman" <DLipman~nospam~@Verizon.Net> writes:

>From: "roadburner" <roadburner^at^comcast^dot^net>
.....
>|
>| Another troubling thing is a discussion I had about it with another engineer.
>| I work in real time process control and he works in the networking, Level 2 or
>| data collection side of things.
>|
>| He has a NAT router on his home PC. He has 2 children. One of the kids did an
>| "adoption" of an animal on the net. Not a real animal, just a schooling
>| project. So each night his daughter has to take care of her adopted cyberspace
>| animal. As a joke, the other sister asked her Dad to block the site for a
>| practical joke. He pinged the site, got the IP, and blocked it in his NAT
>| router. Then he tested his work with Firefox. It took a while, but the site
>| came up in Firefox. (This guy is our networking expert with over 20 years
>| experience.) Then he logged on to her account and was still able to access the
>| site, though some of it was blocked. We are both starting to think Firefox is
>| the root cause.
>|

How could it be Firefox? If the firewall blocks the packet, Firefox never sees
it to do anything with it. I locked the door to my house, and my vacuum cleaner
still picks up outside dirt from the living room carpet. Must be something to
do with the vacuum cleaner.

It is probably some redirection. I.e., the IP address he thought it was at is
not the actual responding IP address. I.e., some of the pages get redirected.

And why in the world her dad thought this was a reasonable "practical joke" is
beyond me. Does he give her empty boxes for Christmas presents as well?

Unruh
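Dave's point in #5 (a site may sit behind several addresses) and Unruh's point here (the responding address is not the one ping reported, because pages redirect elsewhere) are the two ways a ping-one-IP-and-block-it rule fails. The following Python is an added example, not code from the thread; it checks how much of a site a deny list actually covers. The hostnames, the DNS answers (RFC 5737 documentation addresses) and the redirect map are constructed so the example runs offline; `system_resolve` shows the real lookup that would replace the constructed table.

```python
import ipaddress
import socket
from typing import Callable, Iterable

# Constructed stand-in for DNS answers: one name with three A records (round
# robin) and the host its pages redirect to.  Real use swaps in system_resolve.
FAKE_DNS = {
    "pets.example.org": ["198.51.100.10", "198.51.100.11", "198.51.100.12"],
    "media.example.net": ["203.0.113.5"],
}

# Constructed HTTP redirect map: the page on the first host sends the browser
# on to the second, which a ping of the first name never reveals.
FAKE_REDIRECTS = {"pets.example.org": "media.example.net"}


def fake_resolve(host: str) -> list[str]:
    return list(FAKE_DNS.get(host, []))


def system_resolve(host: str) -> list[str]:
    """Every IPv4 address the resolver returns, not just the first one ping uses."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def hosts_reached(start: str, redirects: dict[str, str]) -> list[str]:
    """Follow the redirect chain from start, stopping if it loops."""
    chain = [start]
    seen = {start}
    while chain[-1] in redirects:
        nxt = redirects[chain[-1]]
        if nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def addresses_missed(start: str, blocked_ips: Iterable[str],
                     resolve: Callable[[str], list[str]] = fake_resolve,
                     redirects: dict[str, str] = FAKE_REDIRECTS) -> list[str]:
    """Addresses a browser could still reach despite an IP deny list."""
    blocked = {ipaddress.ip_address(b) for b in blocked_ips}
    reachable = set()
    for host in hosts_reached(start, redirects):
        reachable.update(ipaddress.ip_address(a) for a in resolve(host))
    return [str(a) for a in sorted(reachable - blocked)]


def names_missed(start: str, blocked_names: Iterable[str],
                 redirects: dict[str, str] = FAKE_REDIRECTS) -> list[str]:
    """Hostnames in the chain that no name-based rule covers.

    A rule matches a host exactly or as a parent domain ('example.org' covers
    'pets.example.org').  Name rules survive address churn but still miss a
    redirect target unless it is listed as well.
    """
    rules = {r.lower().lstrip(".") for r in blocked_names}

    def covered(host: str) -> bool:
        host = host.lower()
        return any(host == r or host.endswith("." + r) for r in rules)

    return [h for h in hosts_reached(start, redirects) if not covered(h)]


if __name__ == "__main__":
    first = fake_resolve("pets.example.org")[0]   # what a single ping reports
    print("ping-and-block misses:", addresses_missed("pets.example.org", [first]))
    print("name rule misses:", names_missed("pets.example.org", ["example.org"]))
    print("both hosts named:",
          names_missed("pets.example.org", ["example.org", "media.example.net"]))
```

With the constructed data, blocking only the address ping returned leaves two of the three round-robin addresses and the redirect target reachable, which is the behaviour the engineer in the story observed ("some of it was blocked"). A name-based rule for the domain covers the address churn but still misses the redirect target until it is listed too, which answers Dave's question about blocking the alias rather than the IP.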