Trojan deleted, attack continues? - Newbie
optigrab
September 11th, 2003, 12:54 AM
Howdy - my apologies in advance for my ignorance of TDS 's functions.
I've been having trouble the last couple of days with system.exe continually trying to connect to IANA, as logged by my firewall. The folks over at the firewall's forum helped eliminate a lot of possibilities, then suggested that I might have a Trojan attempting to execute a DoS attack from my machine. What a great time to evaluate TDS-3!
Almost immediately, TDS identified one item:
DDoS.RAT.SDBot in C:\WINNT\System32\STDE9.exe
Being an extreme newbie, I did the intuitive thing, right-clicked on the item at the bottom of the TDS panel, and chose "Delete".
Then I ran a Full scan again - no alarms this time. Then I manually updated the radius database :P
Here's the problem (assuming I did not create more problems in my haste): the connection attempts are still occurring (one every minute or so). Another "quick scan" and "process memory scan" showed nothing - but I see there are other scans that can be performed.
I would greatly appreciate any help that can be offered.
Thanks
Optigrab
Gavin - DiamondCS
September 11th, 2003, 01:22 AM
Hi,
A good time to look at Port Explorer too, which will show you exactly WHAT is making those connections
From the TDS Process List, please kill that system.exe process immediately; to me it sounds like a GT Bot, a mIRC-based trojan which is script-based. These are tricky to detect sometimes, but the major culprit is the EXE file, probably that system.exe. It will be listening on port 113 and connected to an IRC server, probably on port 6667 (remote).
Please send a copy of that file to gavin@diamondcs.com.au and I'll let you know anything more I can after seeing it :)
Jooske
September 11th, 2003, 01:22 AM
Hello Optigrab, and welcome,
not a nice situation yet.
In the system analyses > processlist, do you see suspicious processes which need killing?
Same area > Autostart explorer, suspicious registry keys which need deletion?
Under the other tabs, in the system files and windows startup links, anything else?
If you're on XP, is it an option for you to go back to a former system restore -- disable system restore -- reboot -- enable system restore if you're clean (you might like to scan first) and make manually a new system restore point?
And I think of using Port Explorer to look at and kill suspicious connections.
*Edited; hi Gavin, had not seen you posting in the meantime :) *
optigrab
September 11th, 2003, 01:53 AM
Thank you very much for the kind replies Gavin & Jooske, but I don't believe I've made any progress yet. I will be calling it quits for the evening at any moment, but I thought a few screenshots would help...
(1) "Caught in the act"
Jooske
September 11th, 2003, 02:37 AM
I would really like you to get Port Explorer
www.diamondcs.con.au/portexplorer free evaluation version, reboot after install and when the process comes back add the PID to the socket spy list and look at the data packets, and which program files have to do with it; you can disable all traffic and kill the connection/process itself; you might like to look in today's new version at more specific info about the process and specialties.
There simply must be more which made it restart again.
I don't see it in the screenshots yet, except for the one your firewall caught, and I wonder about a few things more, investigating first.
In the autostart explorer, is there nothing suspicious in the startup folders tab?
Hope you located and sent the system.exe file (zipped if possible please) to gavin, which might unveil some actions and other files belonging to the nasty which Gavin will tell you asap.
Once at the DCS site anyway, also get the Autostartviewer (free tools)
Check all options and save the log as a txt which you can post to see if there are illegal things starting.
optigrab
September 11th, 2003, 08:37 AM
Hi Jooske
Installed portexplorer; I couldn't identify anything obvious. Saw two processes called system, PID 0 and PID 8. PID 0 couldn't be added to the socket spy, PID 8 could, but again no suspicious activity as far as I could tell.
As far as system.exe, windows explorer can't find any file. See attached screen shot
Regards
CrazyM
September 11th, 2003, 08:46 AM
Hi optigrab
In regards to your earlier screenshot "caughtintheact", that is nothing to worry about. Just a blocked inbound DHCP broadcast.
Regards,
CrazyM
Pilli
September 11th, 2003, 08:56 AM
Hi Optigrab, looking at your first screenshot from Outpost - isn't the 10.***.**.*** IP address a local address, i.e. not routable over the Internet, or have I missed something? ;D
Jooske
September 11th, 2003, 09:56 AM
A *SYSTEM 0 is a socket. It should be part of an application which system.exe should be if that is the one.
If you see it in the TDS scan alerts, you can right-click and look where it is in the full path info. Then you just press submit and it is sent to the TDS lab.
Make sure all hidden files are shown too in windows.
If there is any kind of connection to the outside world, somehow it must be possible to get info about it: what it is, who is connected, ports, etc.
CrazyM
September 11th, 2003, 10:01 AM
Hi Pilli
-{ Quote from Pilli: "Hi Optigrab, looking at your first screenshot from Outpost - isn't the 10.***.**.*** IP address a local address, i.e. not routable over the Internet, or have I missed something? ;D" }-
With some ISP's, in particular cable from posts I have seen, it is not unusual to see a private IP associated with DHCP broadcasts on their network.
Regards,
CrazyM
Pilli
September 11th, 2003, 10:17 AM
CrazyM, Thanks for the clarification I think :-\
optigrab
September 11th, 2003, 11:34 AM
Thanks for the input Jooske, CrazyM, and Pilli
CrazyM: I have trouble discerning "inbound" vs "outbound" attempts reading my firewall's log, however I've assumed they're outgoing (?).
Here is another screenshot that leads me to believe this is not normal. Note that the attempts appear in the "Allowed" log when I check the "Allow outgoing DHCP" rule, but appear in the "Blocked" log when the rule is unchecked.
BTW, I'm on a cable modem, Win2k. There's not much more info I can send until after work (d'oh!).
P.S., I hope to get this all sorted out, hopefully with the kind assistance of the members of this board. I'm willing to learn and be patient. But I have to ask, what are the odds that something like this can't be sorted out short of reformatting? Good, bad, fair?
Regards,
Optigrab
Pilli
September 11th, 2003, 12:14 PM
Interesting, I googled this link about bootps:
http://lists.jammed.com/vuln-dev/2001/05/0071.html - I am still none the wiser :-[
CrazyM
September 11th, 2003, 12:53 PM
-{ Quote from optigrab: "CrazyM: I have trouble discerning "inbound" vs "outbound" attempts reading my firewall's log, however I've assumed they're outgoing (?)." }-
The first screenshot "caughtintheact" showed a blocked inbound.
-{ Quote: "Here is another screenshot that leads me to believe this is not normal." }-
That allowed DHCP traffic in your last screenshot, while alot, appears normal. Any idea what happened at 9:29:40 pm? It appears you lost your IP and you can see your system going through the process of getting a new one.
-{ Quote: "Note that the attempts appear in the "Allowed" log when I check the "Allow outgoing DHCP" rule, but appear in the "Blocked" log when the rule is unchecked." }-
That would make sense if checked = rule enabled, unchecked = rule disabled. You will need to leave your DHCP rule enabled; without it you will lose your IP (and that is why you would see the attempts to get one in the blocked log).
Regards,
CrazyM
CrazyM
September 11th, 2003, 01:05 PM
-{ Quote from Pilli: "Interesting, I googled this link about bootps:
http://lists.jammed.com/vuln-dev/2001/05/0071.html - I am still none the wiser :-[" }-
"The Bootstrap Protocol (BOOTP) [RFC951] describes an IP/UDP bootstrap protocol (BOOTP) which allows a diskless client machine to discover its own IP address, the address of a server host, and the name of a file to be loaded into memory and executed. The Dynamic Host Configuration Protocol (DHCP) [RFC1531] provides a framework for automatic configuration of IP hosts." from iana.org
With Bootp/DHCP traffic you will usually see:
Bootps -> Bootstrap Protocol Server (port 67)
Bootpc -> Bootstrap Protocol Client (port 68)
Is that what you were after?
Regards,
CrazyM
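One way to triage firewall lines like the ones discussed in this thread, as an added example that is not from the thread or from any DiamondCS tool: it parses a few constructed log lines (the column layout is assumed for illustration, not Outpost's real format), labels inbound BOOTP server-to-client broadcasts from a private source as the benign noise CrazyM describes, and compares how often they arrive with the renewal time a 24-hour lease would imply.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines (not from the thread's screenshots), laid out
# as: time direction proto src sport dst dport action
SAMPLE_LOG = """\
21:29:40 IN UDP 10.46.64.1 67 255.255.255.255 68 ALLOW
21:30:41 IN UDP 10.46.64.1 67 255.255.255.255 68 ALLOW
21:31:10 OUT TCP 192.168.1.5 1054 192.0.2.10 6667 ALLOW
21:31:42 IN UDP 10.46.64.1 67 255.255.255.255 68 ALLOW
"""
BOOTPS, BOOTPC = 67, 68          # BOOTP/DHCP server and client ports

@dataclass
class Event:
    time: datetime; direction: str; proto: str
    src: str; sport: int; dst: str; dport: int; action: str

def parse_log(text):
    events = []
    for line in text.splitlines():
        t, d, p, s, sp, dst, dp, a = line.split()
        events.append(Event(datetime.strptime(t, "%H:%M:%S"), d, p, s,
                            int(sp), dst, int(dp), a))
    return events

def classify(ev):
    """Label one event; 'dhcp-broadcast' is the benign noise in the thread."""
    if ev.proto == "UDP" and {ev.sport, ev.dport} == {BOOTPS, BOOTPC}:
        private_src = ipaddress.ip_address(ev.src).is_private
        if ev.direction == "IN" and private_src and ev.dst == "255.255.255.255":
            return "dhcp-broadcast"
        return "dhcp-other"
    if ev.proto == "TCP" and ev.dport in (6667, 113):
        return "irc-ports"       # the ports Gavin associated with a GT Bot
    return "other"

def renewal_interval(lease_seconds):
    """DHCP clients renew at T1, by default half the lease (RFC 2131)."""
    return lease_seconds // 2

def dhcp_gap_seconds(events):
    """Median gap between consecutive inbound DHCP broadcasts, or None."""
    times = sorted(e.time for e in events if classify(e) == "dhcp-broadcast")
    gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
    return gaps[len(gaps) // 2] if gaps else None

def chattier_than_lease(events, lease_seconds):
    """True when broadcasts arrive far more often than lease renewal explains."""
    gap = dhcp_gap_seconds(events)
    return gap is not None and gap < renewal_interval(lease_seconds)
```

A one-minute gap against a 24-hour lease is what the thread saw; the verdict is that the traffic is DHCP noise from the provider's side rather than a host-side renewal, which is the question to put to the ISP.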
optigrab
September 11th, 2003, 01:50 PM
Hi CrazyM
-{ Quote: "That allowed DHCP traffic in your last screenshot, while alot, appears normal. Any idea what happened at 9:29:40 pm? It appears you lost your IP and you can see your system going through the process of getting a new one." }-
I assumed it was not normal because (1) every minute seems excessive to a newbie (me). (2) When "allowed" over extended periods (twice, recently), the firewall twice nearly locked up; I presumed :P because of all the logging ??? - anyway, that's what you see... the firewall stopped logging at 3pm (PC unattended) until I shut down the firewall and rebooted at 9:29pm. (3) The folks at the firewall forum seemed to think it was not normal.
That said, I'd be pleased if it turned out I had nothing to worry about.
Still seeking advice,
Optigrab
Pilli
September 11th, 2003, 02:03 PM
:D Cheers CrazyM
CrazyM
September 11th, 2003, 03:15 PM
Hi optigrab
I took a quick look at the post in the other forum. From your screenshot of ipconfig your lease time is 24hrs for your public IP. So you might reasonably expect to see lease renewal attempts (DHCP traffic) after 12hrs. This renewal of your public IP may be handled by your cable modem as those public IP's are not showing in the logs you have posted here.
What is showing in your logs/screenshots posted here involves an IP in a private range, 10.46.64.1, which I suspect has something to do with your cable provider.
Perhaps you should give your ISP tech support a call. See how this private range is used within their network, how it relates to your cable modem, what traffic would there be between your modem and system, and what may account for this traffic. This could be normal or could be a problem with something like your cable modem.
You mention having to shut down the firewall and reboot. Why?
Regards,
CrazyM
optigrab
September 11th, 2003, 03:34 PM
Hi CrazyM
Will contact my ISP, and will report back here in either case.
And thanks again to you, CrazyM, et al -- These forums are really great because of the opportunity to learn and because there are really some awfully nice folks.
Regards
Optigrab ;D
Gavin - DiamondCS
September 11th, 2003, 11:30 PM
Just for the record, there is no system.exe - SYSTEM is the OS itself and is NOT a file. If it was, it would be Kernel32.dll and others :)
Jooske
September 12th, 2003, 07:04 AM
That's why I thought when it was named it was a trojan by that name. Not any doubt, not a single moment, so a positive ID of that would have been logical and would have triggered the "send to Gavin" button immediately.
optigrab
September 17th, 2003, 12:07 PM
Hello CrazyM, Jooske, Gavin, et al:
I have determined that the connections are INCOMING.
I must now squeeze a response out of my Cable ISP (New York City RoadRunner) as to why 10.46.64.1 must connect every minute. I suspect it is handling IP leasing/renewal in lieu of the ISP's DHCP server - but the frequency of the connections seems absurd.
I am relieved that my machine appears to be clean according to TDS and NOD32. Thanks to TDS-3 for detecting DDoS.RAT.SDBot - it seems that that particular infection is unrelated to the connection attempts that have been troubling me.
Many, many thanks. ;D
Copyright ©2002 - 2012, Wilders Security Forums