Suspicious After Test Site

Discussion in 'malware problems & news' started by Rickster, Jun 19, 2002.

Thread Status:
Not open for further replies.
  1. Rickster

    Rickster Guest

    o_O I hadn’t used PCFlank in a while and ran the gambit. One (targa3) made my program turn unresponsive – easily got out and that was that. Later a netstat showed I was connected to their IP (not the case after I left - always netstat after surfing). Killed that socket, ran AV scan – nothing. Ran a full TDS3 scan and turned up two new hidden ADS “mailto” streams – one tracing to a series of AOL mail relays and other to an office near Hong Kong. Killed these - rescanned, good – rebooted & rescanned, good.

    Picked up a spy there. Can preclude other sources since that visit was right after I updated and fully checked the system, it was clean. The magical connection to their IP and finding these hidden streams is suspicious. Got to respect the power of TDS. Wouldn’t have found the little snoops without it. Is it possible someone found a way to use their site as vehicle? Or likely a remnant in one of the exploits used for testing? Either way, it didn't fool TDS3.
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi Rickster,

    When stating "targa3", are you referring to the "browser test"? If so: just tried to duplicate your findings - no problems or suspicious connections.

    regards.

    paul
     
  3. Rickster

    Rickster Guest

    Hi. Specifically the exploits test. There's a list to test some or all. Always did get a system hang on targa3 - nothing new there. Ran every test however, so can't say what part of the site, or one of the exploits would be a culprit. Be curious if you can duplicate it. The hidden streams were found in:

    c:\(Renamed TDS)\mailto:entesquire@AOL.com

    That was a series of SMTP mail relays, the other I failed to write down - but will next time.

    This wouldn't explain why the connection to their IP cropped up though. At a loss to know, having found nothing other than those streams. Could have been some kind of fluke - but it got my attention. Thanks
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Just ran all test (passed, grin) - no connections to their IP running both netstat and Netstat-X (separate app).

    regards.

    paul
     
  5. Rickster

    Rickster Guest

    Appreciate your checking. Might follow-up later though, bear in mind I was clear after the visit too until some six hours later - and hadn't connected to the net in the interim. Might check for NTFS alternate data streams too. Thanks again.
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    I'll keep an eye on it, thanks. Keep us posted in case you can reproduce all this! ;)

    regards.

    paul
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    For less knowledgeable people, as you seem to know all test sites, is it possible to mention an URL so people can try to do some testing on their own systems too? thanks a lot in advance!
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Oops..! Apologies Jooske and all :rolleyes:

    www.pcflank.com

    regards.

    paul
     
  9. Rickster

    Rickster Guest

    Couldn’t duplicate it. I pass everything but targa3 (a DoS exploit) so typically test it separately. However, I can back out and close IE normally. The connection to their IP stayed alive after leaving. Rescanned – no hidden streams. I’ll assume I was wrong when I thought the connection was clear leaving their site last time (but have doubts). With that port and connection being open for so long, the hidden streams could have been injected anytime (if not by the exploit itself). I hold that site in high regard and don't intend needless concern. But it does illustrate a useful precaution if your system hangs on a failed exploit test and importance of netstat in that regard. Unless killing the connection via netstat, a reboot in that situation is called for and a follow-up system check seems prudent - emphasis on “failed” tests here.
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Thanks for the update, Rickster ;)

    regards.

    paul
     
  11. Raygun

    Raygun Registered Member

    Joined:
    Apr 24, 2002
    Posts:
    31
    Location:
    The Beach!
    Here are a few test sites. I find PC Flank to focus on stealth too much. For your info. if you are not stealthed PC Flank will lead you to believe your firewall is not working. That's NOT the case, if you are closed you should be fine. anyway that said, here are those sites.......

    Anti-Trojan Port Scan, http://www.anti-trojan.net/at.asp?l=en&t=onlinecheck
    Blackcode Port Scan, http://www.blackcode.com/scan/
    DSLReports Security Scan, http://www.dslreports.com/scan
    HackerWatch Port Scan, http://probe.hackerwatch.org/probe/probe.asp
    Ken Kalish Port Tester, http://www.mycgiserver.com/~kalish/
    (you will need to copy and paste this one as this forum ^doesn't like that ~)
    PC Flank, http://www.pcflank.com/test.htm
    Sygate Security Scan, http://scan.sygatetech.com/prequickscan.html
    SecurityMetrics Port Scan, http://www.securitymetrics.com/portscan.adp
    Shields-UP, http://grc.com/x/ne.dll?bh0bkyd2
    Symantec Security Check, http://security2.norton.com/ssc/home.asp
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi Raygun,

    I couldn't agree more. In fact, personally I prefer "blocked" to "stealth" - which is a far overrated issue.

    Nice List; thanks on behalf of our members and visitors! ;)

    regards.

    paul
     
  13. Time Out

    Time Out Guest

    You might want to do a google search on that email addy..it may ring a bell. Chances of picking that up at PCflank o_O or the three websites he has....o_O :)

    Ask an Entertainment Lawyer
    ... He'll answer your questions right here. You can e-mail your entertainment
    law related questions to Harris Tulchin at EntEsquire@aol.com. ...
    www.medialawyer.com/ask.htm - 3k - Cached - Similar pages
     
  14. Rickster

    Rickster Guest

    Hey Time Out… Good call. I happened to have exchanged an e-mail with Bob recently and he has web sites I see. Got a spam from Verisign recently and a scan just found a mailto stream for them too. What’s going on? I’m used to seeing a few streams associated with my Spystopper software but that's all. I started to do an e-mail to VisualWare clicking their link – but decided not to – so closed it, then, along with Verisign, is a hidden mailto stream for VisualWare also. This never occurred in the past and has me perplexed. But then, I never received or attempted to contact those sources before either. I know I loathe the idea of “mailto” anything – especially anything hidden. Is this something benign, or cause for concern? Better question – how are these hidden streams being generated and why? I need some EDUMACATION. Thanks again folks.
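    The follow-up system check Rickster describes in post 9 and the "where do these hidden streams come from" question above both come down to being able to list NTFS alternate data streams yourself. The script below is an added example, not something posted in the thread and not part of TDS3, PCFlank or any tool named here; it assumes PowerShell 3.0 or later on an NTFS volume, and the folder path and the list of "known" stream names are assumptions you adjust for your own system.

```powershell
# Added example (not from the thread): list NTFS alternate data streams under a
# folder so that unexpected named streams stand out from the ones Windows
# itself creates. Assumes PowerShell 3.0+ on an NTFS volume.

function Find-AlternateDataStreams {
    param(
        # Placeholder: folder to inspect (the thread's "c:\(Renamed TDS)" is one candidate)
        [Parameter(Mandatory)] [string]$Path,
        # Stream names expected on a normal system and therefore not reported.
        # ':$DATA' is the unnamed main stream of every file; 'Zone.Identifier' is
        # the mark-of-the-web that Windows writes on files saved from the Internet.
        [string[]]$KnownStreams = @(':$DATA', 'Zone.Identifier')
    )

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns one object per stream, including the default one
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $KnownStreams -notcontains $_.Stream } |
                ForEach-Object {
                    [PSCustomObject]@{
                        File       = $file.FullName
                        Stream     = $_.Stream
                        Bytes      = $_.Length
                        # A stream named like an address or URL (the thread's
                        # 'mailto' streams, for instance) deserves a closer look.
                        Suspicious = ($_.Stream -match '^(mailto|https?|ftp)')
                    }
                }
        }
}

# Report every non-standard stream, flagged ones first. To see what a stream
# actually holds: Get-Content -LiteralPath <file> -Stream <streamname>
Find-AlternateDataStreams -Path 'C:\Users\Public' |
    Sort-Object -Property Suspicious, File -Descending |
    Format-Table -AutoSize
```

    Run it after a clean baseline scan and again after a session like the one described, and diff the two listings; a stream that appears only afterwards is the one to read and trace.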
     
  15. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    I just got spammed by Verisign too. I own several domain names with them (via network solutions) but they didn't say which one they were referring to when they asked me to verify my account information. I thought it was odd. The links they provided were links to some data gathering site.
     
  16. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Rickster, I'm not aware of any firewalls that have a problem with targa3. I wonder if you have investigated this and understand why?
    Failing a dos exploit could be an indication of other weaknesses in your system.
    I think there are people here that would be able to help with this.
    I would not be alarmed at such a result, but would be curious.
     
  17. Rickster

    Rickster Guest

    Thanks. If the system just hangs with no other ill effects, I can't even guess. I use ZA and other top line security programs and it passes both paid audits and other tests. It's likely these security programs just lock it up on that one. The system is so tight, I'm amazed it's as stable as it is. There's a host of DoS exploits it breezes through but that particular one is just my little enigma. But your point is well taken. Any theories that confirm or preclude a symptomatic response by my security software is always welcome. I might add that on top of all this, I keep my downloads setting in IE 6.0 disabled - until I'm certain I want something from a trusted source.
     