Whois This?

 
 
Rider
 
      03-02-2005
clark.m4.ntu.edu.tw

I tried a whois server and didn't get much info on it. Can anyone help
shed some light on this address?

Computer connects to it after dialling up, found out via 'netstat', but
doesn't actually do anything .. just times out. This is after I cleared out a
Spybot Worm from the computer. Before cleaning it, I had a list as long as
... well .. a really really long thing via 'netstat'

Rider


 
Shane (aka froggy)
      03-02-2005
On Wed, 02 Mar 2005 17:08:15 +1300, Rider wrote:

> clark.m4.ntu.edu.tw
>
> I tried a whois server and didnt get much info on it. Can anyone help
> shedding some light on this address.
>
> Computer connects to it after dialling up, found out via 'netstat' but
> doesnt actually do anything .. just times out. This is after I cleared out a
> Spybot Worm from the computer. Before cleaning it, I had a list as long as
> .. well .. a really really long thing via 'netstat'
>
> Rider


ew..
that address resolves to 140.112.214.93 (as you probably already know)
which is in the range for
netname: T-NTU.EDU.TW-NET
descr: Ministry of Education Computer Center
descr: 2F, No 106, Sec.2,Hping E. Rd.,
descr: Taipei Taiwan
(which you probably already also knew)
I'm curious which port on that machine (the .edu.tw machine) it connected to.
Port 80's closed.

HTH

--

Hardware, n.: The parts of a computer system that can be kicked

 
Rider
 
      03-02-2005

"Shane (aka froggy)" <> wrote in message
news. ..
> On Wed, 02 Mar 2005 17:08:15 +1300, Rider wrote:
>
>> clark.m4.ntu.edu.tw
>>
>> I tried a whois server and didnt get much info on it. Can anyone help
>> shedding some light on this address.
>>
>> Computer connects to it after dialling up, found out via 'netstat' but
>> doesnt actually do anything .. just times out. This is after I cleared
>> out a
>> Spybot Worm from the computer. Before cleaning it, I had a list as long
>> as
>> .. well .. a really really long thing via 'netstat'
>>
>> Rider

>
> ew..
> that address resolves to 140.112.214.93 (as you probably already know)
> which is in the range for
> netname: T-NTU.EDU.TW-NET
> descr: Ministry of Education Computer Center
> descr: 2F, No 106, Sec.2,Hping E. Rd.,
> descr: Taipei Taiwan
> (which you probably already also knew)
> Im curious which port on that machine ( the .edu.tw machine) connected to
> port 80's closed
>
> HTH
>


Cheers for that, bit odd ... the infected file was named 'TFTP1376' .... no
extension. There was also a TFTP1175 with no extension so I deleted it even
though it wasn't infected.

The interesting thing for all those AVG fans is that AVG was completely
up to date and never found the Spybot Worm. This is why I'm not a fan of
AVG.

Rider


 
Craig Sutton
 
      03-02-2005

"Rider" <> wrote in message
news:sgbVd.5792$...
>
> "Shane (aka froggy)" <> wrote in message
> news. ..
> > On Wed, 02 Mar 2005 17:08:15 +1300, Rider wrote:
> >
> >> clark.m4.ntu.edu.tw
> >>
> >> I tried a whois server and didnt get much info on it. Can anyone help
> >> shedding some light on this address.
> >>
> >> Computer connects to it after dialling up, found out via 'netstat' but
> >> doesnt actually do anything .. just times out. This is after I cleared
> >> out a
> >> Spybot Worm from the computer. Before cleaning it, I had a list as long
> >> as
> >> .. well .. a really really long thing via 'netstat'
> >>
> >> Rider
> >
> > ew..
> > that address resolves to 140.112.214.93 (as you probably already know)
> > which is in the range for
> > netname: T-NTU.EDU.TW-NET
> > descr: Ministry of Education Computer Center
> > descr: 2F, No 106, Sec.2,Hping E. Rd.,
> > descr: Taipei Taiwan
> > (which you probably already also knew)
> > Im curious which port on that machine ( the .edu.tw machine) connected to
> > port 80's closed
> >
> > HTH
> >
>
> Cheers for that, bit odd ... the infected file was named 'TFTP1376' .... no
> extension. There was also a TFTP1175 with no extension so I deleted it even
> though it wasnt infected.
>
> The interesting thing for all those AVG fans, is that AVG was completely
> upto date and never found the Spybot Worm. This is why I'm not a fan of
> AVG.


Virus scanners can't compare to a good Trojan Hunter. Try Trojanhunter from
mischel. Diamond Port Explorer is another good tool.


 
bret@at.corn
 
      03-02-2005
On Wed, 2 Mar 2005 17:27:04 +1300, "Rider"
<> wrote:

>
>"Shane (aka froggy)" <> wrote in message
>news ...
>> On Wed, 02 Mar 2005 17:08:15 +1300, Rider wrote:
>>
>>> clark.m4.ntu.edu.tw
>>>
>>> I tried a whois server and didnt get much info on it. Can anyone help
>>> shedding some light on this address.
>>>
>>> Computer connects to it after dialling up, found out via 'netstat' but
>>> doesnt actually do anything .. just times out. This is after I cleared
>>> out a
>>> Spybot Worm from the computer. Before cleaning it, I had a list as long
>>> as
>>> .. well .. a really really long thing via 'netstat'
>>>
>>> Rider

>>
>> ew..
>> that address resolves to 140.112.214.93 (as you probably already know)
>> which is in the range for
>> netname: T-NTU.EDU.TW-NET
>> descr: Ministry of Education Computer Center
>> descr: 2F, No 106, Sec.2,Hping E. Rd.,
>> descr: Taipei Taiwan
>> (which you probably already also knew)
>> Im curious which port on that machine ( the .edu.tw machine) connected to
>> port 80's closed
>>
>> HTH
>>

>
>Cheers for that, bit odd ... the infected file was named 'TFTP1376' .... no
>extension. There was also a TFTP1175 with no extension so I deleted it even
>though it wasnt infected.


Tiny FTP perhaps http://filext.com/info/printthread.php?t=10

>The interesting thing for all those AVG fans, is that AVG was completely
>upto date and never found the Spybot Worm. This is why I'm not a fan of
>AVG.
>
>Rider



 
Peter Huebner
 
      03-02-2005
In article <sgbVd.5792$>,
says...
>
> The interesting thing for all those AVG fans, is that AVG was completely
> upto date and never found the Spybot Worm. This is why I'm not a fan of
> AVG.
>
> Rider
>


LOL. I just changed from Norton to AVG because Norton didn't find a bug
on my system but AVG did .... what really had me scratching my head was
the fact that the virus had been posted on Sophos in November '04 and
Norton didn't know about it until I submitted it around the end of
January and they recognized it as of February 11th (which is when they
got back to me about it anyway).

Not exactly on the ball there ...
... but ultimately I guess nobody can be, all of the time.

-Peter
 
Pamorn
 
      03-02-2005
Hi,

The name clark.m4.ntu.edu.tw:19899 appeared in the 'netstat'
output of my server also. I suspect that my server got infected
with a worm. Can anyone help identify which kind of worm is on my
server? I did research on the W32.Spybot.Worm from
http://securityresponse.symantec.com...ybot.worm.html
There was no matching technical detail found on my server.

Pamorn


"Shane (aka froggy)" <> wrote in message news:< >...
> On Wed, 02 Mar 2005 17:08:15 +1300, Rider wrote:
>
> > clark.m4.ntu.edu.tw
> >
> > I tried a whois server and didnt get much info on it. Can anyone help
> > shedding some light on this address.
> >
> > Computer connects to it after dialling up, found out via 'netstat' but
> > doesnt actually do anything .. just times out. This is after I cleared out a
> > Spybot Worm from the computer. Before cleaning it, I had a list as long as
> > .. well .. a really really long thing via 'netstat'
> >
> > Rider

>
> ew..
> that address resolves to 140.112.214.93 (as you probably already know)
> which is in the range for
> netname: T-NTU.EDU.TW-NET
> descr: Ministry of Education Computer Center
> descr: 2F, No 106, Sec.2,Hping E. Rd.,
> descr: Taipei Taiwan
> (which you probably already also knew)
> Im curious which port on that machine ( the .edu.tw machine) connected to
> port 80's closed
>
> HTH

 
Rider
 
      03-02-2005

<> wrote in message
news:...
> On Wed, 2 Mar 2005 17:27:04 +1300, "Rider"
> <> wrote:
>
>>
>>"Shane (aka froggy)" <> wrote in
>>message
>>news m...
>>> On Wed, 02 Mar 2005 17:08:15 +1300, Rider wrote:
>>>
>>>> clark.m4.ntu.edu.tw
>>>>
>>>> I tried a whois server and didnt get much info on it. Can anyone help
>>>> shedding some light on this address.
>>>>
>>>> Computer connects to it after dialling up, found out via 'netstat' but
>>>> doesnt actually do anything .. just times out. This is after I cleared
>>>> out a
>>>> Spybot Worm from the computer. Before cleaning it, I had a list as long
>>>> as
>>>> .. well .. a really really long thing via 'netstat'
>>>>
>>>> Rider
>>>
>>> ew..
>>> that address resolves to 140.112.214.93 (as you probably already know)
>>> which is in the range for
>>> netname: T-NTU.EDU.TW-NET
>>> descr: Ministry of Education Computer Center
>>> descr: 2F, No 106, Sec.2,Hping E. Rd.,
>>> descr: Taipei Taiwan
>>> (which you probably already also knew)
>>> Im curious which port on that machine ( the .edu.tw machine) connected
>>> to
>>> port 80's closed
>>>
>>> HTH
>>>

>>
>>Cheers for that, bit odd ... the infected file was named 'TFTP1376' ....
>>no
>>extension. There was also a TFTP1175 with no extension so I deleted it
>>even
>>though it wasnt infected.

>
> Tiny FTP perhaps http://filext.com/info/printthread.php?t=10
>


Yeah I thought it might be an FTP program, but couldn't find any indications
they had one loaded. And I don't think they had time to load one as it was a
clean install ... they managed to get infected 3 hours after picking up the
computer

LoL


 
Rider
 
      03-02-2005

"Peter Huebner" <> wrote in message
news: .co.nz...
> In article <sgbVd.5792$>,
> says...
>>
>> The interesting thing for all those AVG fans, is that AVG was completely
>> upto date and never found the Spybot Worm. This is why I'm not a fan of
>> AVG.
>>
>> Rider
>>

>
> LOL. I just changed from Norton to AVG because Norton didn't find a bug
> on my system but AVG did .... what really had me scratching my head was
> the fact that the virus had been posted on Sophos in November '04 and
> Norton didn't know about it until I submitted it around the end of
> January and they recognized it as off February 11th (which is when they
> got back to me about it anyway).
>
> Not exactly on the ball there ...
> ... but ultimately I guess nobody can be, all of the time.
>
> -Peter


And to an extent I agree with you, but I've had up to date AVG systems
before that have been wiped out by viruses. The prevalence of AVG missing
stuff is far higher than Norton ... in my experience anyway.

Rider


 
Shane (aka froggy)
 
      03-02-2005
On Thu, 03 Mar 2005 08:53:30 +1300, Rider wrote:

>
> <> wrote in message
> news:...
>> On Wed, 2 Mar 2005 17:27:04 +1300, "Rider"
>> <> wrote:
>>
>>>
>>>"Shane (aka froggy)" <> wrote in
>>>message
>>>news om...
>>>> On Wed, 02 Mar 2005 17:08:15 +1300, Rider wrote:
>>>>
>>>>> clark.m4.ntu.edu.tw
>>>>>
>>>>> I tried a whois server and didnt get much info on it. Can anyone help
>>>>> shedding some light on this address.
>>>>>
>>>>> Computer connects to it after dialling up, found out via 'netstat' but
>>>>> doesnt actually do anything .. just times out. This is after I cleared
>>>>> out a
>>>>> Spybot Worm from the computer. Before cleaning it, I had a list as long
>>>>> as
>>>>> .. well .. a really really long thing via 'netstat'
>>>>>
>>>>> Rider
>>>>
>>>> ew..
>>>> that address resolves to 140.112.214.93 (as you probably already know)
>>>> which is in the range for
>>>> netname: T-NTU.EDU.TW-NET
>>>> descr: Ministry of Education Computer Center
>>>> descr: 2F, No 106, Sec.2,Hping E. Rd.,
>>>> descr: Taipei Taiwan
>>>> (which you probably already also knew)
>>>> Im curious which port on that machine ( the .edu.tw machine) connected
>>>> to
>>>> port 80's closed
>>>>
>>>> HTH
>>>>
>>>
>>>Cheers for that, bit odd ... the infected file was named 'TFTP1376' ....
>>>no
>>>extension. There was also a TFTP1175 with no extension so I deleted it
>>>even
>>>though it wasnt infected.

>>
>> Tiny FTP perhaps http://filext.com/info/printthread.php?t=10
>>

>
> Yeah I thought it might be an FTP program, but couldnt find any indications
> they had one loaded. And I dont think they had time to load one as it was a
> clean install ... they managed to get infected 3 hours after picking up the
> computer
>
> LoL


I had a look on Google for that TFTP1376 and found only 3 hits.. all
talking about worms (in Germany and Russia)
although that other file you mentioned didn't come back.. it was a safe bet
it was more of the same
--

Hardware, n.: The parts of a computer system that can be kicked
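
An added example, not part of any post in this thread: one way to triage the kind of 'netstat' listing discussed above, flagging outbound TCP attempts that never complete (the "just times out" case) and remote ports outside an allowlist, then counting how many distinct hosts are being tried per port. The sample output, the local addresses and the `EXPECTED_PORTS` allowlist are assumptions; only 140.112.214.93 and port 19899 come from the posts.

```python
import ipaddress
from collections import Counter

# Constructed `netstat -an` output in the Windows layout (not taken from the
# thread). Only 140.112.214.93 and port 19899 are the values posters reported.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1031      203.0.113.7:80         ESTABLISHED
  TCP    192.168.1.10:1045      140.112.214.93:19899   SYN_SENT
  TCP    192.168.1.10:1046      198.51.100.21:445      SYN_SENT
  TCP    192.168.1.10:1047      198.51.100.22:445      SYN_SENT
  TCP    127.0.0.1:1050         127.0.0.1:1051         ESTABLISHED
  UDP    0.0.0.0:69             *:*
"""

# Assumption: the remote ports this host is normally expected to talk to.
EXPECTED_PORTS = {25, 53, 80, 110, 443}

def parse(text):
    """Yield (remote_ip, remote_port, state) for every TCP row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP":
            continue  # headers, UDP rows (no state column), blank lines
        ip, _, port = fields[2].rpartition(":")
        yield ip.strip("[]"), int(port), fields[3]

def suspicious(text):
    """Return outbound rows that are half-open or on an unexpected port."""
    hits = []
    for ip, port, state in parse(text):
        addr = ipaddress.ip_address(ip)
        if state == "LISTENING" or addr.is_loopback or addr.is_unspecified:
            continue
        reasons = []
        if state == "SYN_SENT":  # SYN sent, no reply yet: the "times out" case
            reasons.append("half-open")
        if port not in EXPECTED_PORTS:
            reasons.append("unexpected-port")
        if reasons:
            hits.append((ip, port, state, reasons))
    return hits

def fanout(hits):
    """Count distinct remote hosts per port among half-open attempts."""
    peers = {(ip, port) for ip, port, state, _ in hits if state == "SYN_SENT"}
    return Counter(port for _, port in peers)
```

A single flagged row is only a lead to follow up with the owning process and a whois lookup; a port with many distinct half-open peers is the "really long list" pattern and deserves attention first.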

 