Suspicious After Test Site

I hadn’t used PCFlank in a while and ran the gambit. One (targa3) made my program turn unresponsive – easily got out and that was that. Later a netstat showed I was connected to their IP (not the case after I left - always netstat after surfing). Killed that socket, ran AV scan – nothing. Ran a full TDS3 scan and turned up two new hidden ADS “mailto” streams – one tracing to a series of AOL mail relays and other to an office near Hong Kong. Killed these - rescanned, good – rebooted & rescanned, good.

Picked up a spy there. Can preclude other sources since it That visist was right after I updated and fully checked the system, it was clean. The magical connection to their IP and finding these hidden streams is suspicious. Got to respect the power of TDS. Wouldn’t have found the little snoops without it. Is it possible someone found a way to use their site as vehicle? Or likely a remnant in one of the exploits used for testing? Either way, it didn't fool TDS3.

 

Hi. Specifically the exploits test. There's a list to test some or all. Always did get a system hang on targa3 - nothing new there. Ran every test however, so can't say what part of the site, or one of the exploits would be a culprit. Be curious if you can duplicate it. The hidden streams were found in:

c:\(Renamed TDS)\mailto:entesquire@AOL.com

That was a series of STMP mail relays, the other I failed to write down - but will next time.

This wouldn't explain why the connection to their IP cropped up though. At a loss to know, having found nothing other than those streams Could have been some kind of fluke - but it got my attention. Thanks

 

Appreciate your checking. Might follow-up later though, bear in mind I was clear after the visit too until some six hours later - and hadn't connected to the net in the interim. Might check for NTSF alernate data steams too. Thanks again.

 

For less knowledgeable people, as you seem to know all test sites, is it possible to mention an URL so people can try to do some testing on their own systems too? thanks a lot in advance!

 

Couldn’t duplicate it. I pass everything but targa3 (a DoS exploit) so typically test it separately. However, I can back out and close IE normally. The connection to their IP stayed alive after leaving. Rescanned – no hidden streams. I’ll assume I was wrong when I thought the connection was clear leaving their site last time (but have doubts). With that port and connection being open for so long, the hidden streams could have been injected anytime (if not by the exploit itself). I hold that site in high regard and don't intend needless concern. But it does illustrate a useful precaution if your system hangs on a failed exploit test and importance of netstat in that regard. Unless killing the connection via netstat, a reboot in that situation is called for and a follow-up system check seems prudent - emphasis on “failed” tests here.

 

Here are a few test sites. I find PC Flank to focus on stealth too much. For your info. if you are not stealthed PC Flank will lead you to believe your firewall is not working. That's NOT the case, if you are closed you should be fine. anyway that said, here are those sites.......

Anti-Trojan Port Scan, http://www.anti-trojan.net/at.asp?l=en&t=onlinecheck
Blackcode Port Scan, http://www.blackcode.com/scan/
DSLReports Security Scan, http://www.dslreports.com/scan
HackerWatch Port Scan, http://probe.hackerwatch.org/probe/probe.asp
Ken Kalish Port Tester, http://www.mycgiserver.com/~kalish/
(you will need to copy and paste this one as this forum ^doesn't like that ~)
PC Flank, http://www.pcflank.com/test.htm
Sygate Security Scan, http://scan.sygatetech.com/prequickscan.html
SecurityMetrics Port Scan, http://www.securitymetrics.com/portscan.adp
Shields-UP, http://grc.com/x/ne.dll?bh0bkyd2
Symantec Security Check, http://security2.norton.com/ssc/home.asp

 

You might want to do a google search on that email addy..it may ring a bell. Chances of picking that up at PCflank or the three websites he has....





Ask an Entertainment Lawyer
... He'll answer your questions right here. You can e-mail your entertainment
law related questions to Harris Tulchin at EntEsquire@aol.com. ...
www.medialawyer.com/ask.htm - 3k - Cached - Similar pages

 

Hey Time Out… Good call. I happened to have exchanged an e-mail with Bob recently and he has web sites I see. Got a spam from Verisign recently and a scan just found a mailto stream for them too. What’s going on? I’m used to seeing a few streams associated with my Spystopper software but that's all. I started to do an e-mail to VisualWare clicking their link – but decided not to – so closed it, then, along with Verisign, is a hidden mailto stream for VisualWare also. This never ocurred in the past and has me perplexed. But then, I never received or attempted to contact those sources before either. I know I loath the idea of “mailto” anything – especially anything hidden. Is this something benign, or cause for concern? Better question – how are these hidden streams being generated and why? I need some EDUMACATION. Thanks again folks.

 

I just got spammed by Verisign too. I own several domain names with them (via network solutions) but they didn't say which one they were refering to when they asked me to verify my account information. I thought it was odd. The links they provided were links to some data gathering site.

 

Rickster, I'm not aware of any firewalls that have a problem with targa3. I wonder if you have investigated this and understand why?
Failing a dos exploit could be an indication of other weaknesses in your system.
I think there are people here that would be able to help with this.
I would not be alarmed at such a result, but would be curious.

 

Thanks. If the system just hangs with no other ill effects, I can't even guess. I use ZA and other top line security programs and it passes both paid audits and other tests. It's likely these security programs just lock it up on that one. The system is so tight, I'm amazed it's as stable as it is. There's a host of DoS exploits it breezes through but that particular one is just my little enigma. But your point is well taken. Any theories that confirm or preclude a symptomatic response by my security software is always welcome. I might add that on top of all this, I keep my downloads setting in IE 6.0 disabled - until I'm certain I want something from a trusted source.