backdoor-g-1, coauther, ingreslock+++++

Discussion in 'malware problems & news' started by rob c, Jan 10, 2005.

Thread Status:
Not open for further replies.
  1. rob c

    rob c Registered Member

    Joined:
    Jan 10, 2005
    Posts:
    3
    Location:
    california
    The only reason I haven't done a Ghost or even a clean format and install
    is so I can learn.
    This is a perfect opportunity for intensive research,
    being that I could care less if someone is listening
    or monitoring.

    so far there's been no decrease in performance

    After looking at Norton logs due to a DoS attack alert:

    Attempted Intrusion "MSSQL_Null_Packet_DoS" from your machine against MASTER(24.54.230.136) was detected and blocked
    Intruder: MASTER(24.54.230.136)(1530)
    Risk Level: Low
    Protocol: TCP
    Attacked IP: MASTER(24.54.230.136)
    Attacked Port: ms-sql-s(1433)
    1/6/05 4:26:55

    (I still don't know if the above is even related.)



    (This is my machine attacking my machine,
    so I see no reason to look for an intruder.) o_O??

    It would be something I downloaded, right? o_O o_O?


    Here is a section of my connection logs:

    Connection: MASTER(24.54.230.136): 1599 to MASTER(24.54.230.136): 1530, 544 bytes sent, 544 bytes received, 0.000 elapsed time
    Connection: MASTER(24.54.230.136): 1530 from MASTER(24.54.230.136): 1599, 544 bytes sent, 544 bytes received, 0.000 elapsed time
    Connection: MASTER(24.54.230.136): 1530 from MASTER(24.54.230.136): 1598, 544 bytes sent, 544 bytes received, 0.000 elapsed time
    Connection: MASTER(24.54.230.136): 1598 to MASTER(24.54.230.136): 1530, 544 bytes sent, 544 bytes received, 0.000 elapsed time
    Connection: MASTER(24.54.230.136): 1530 from MASTER(24.54.230.136): 1597, 544 bytes sent, 544 bytes received, 0.000 elapsed time
    Connection: MASTER(24.54.230.136): 1597 to MASTER(24.54.230.136): 1530, 544 bytes sent, 544 bytes received, 0.000 elapsed time
    Connection: MASTER(24.54.230.136): 1530 from MASTER(24.54.230.136): 1593, 590 bytes sent, 812 bytes received, 0.000 elapsed time
    Connection: MASTER(24.54.230.136): 1596 to MASTER(24.54.230.136): 1502, 0 bytes sent, 843 bytes received, 0.000 elapsed time
    Connection: MASTER(24.54.230.136): 1593 to MASTER(24.54.230.136): 1530, 812 bytes sent, 590 bytes received, 0.000 elapsed time
    Connection: MASTER(24.54.230.136): 1502 from MASTER(24.54.230.136): 1596, 843 bytes sent, 0 bytes received, 0.000 elapsed time
    Connection: MASTER(24.54.230.136): 1595 to MASTER(24.54.230.136): 1502, 0 bytes sent, 819 bytes received, 0.000 elapsed time
    Connection: MASTER(24.54.230.136): 1502 from MASTER(24.54.230.136): 1595, 819 bytes sent, 0 bytes received, 0.000 elapsed time
    Connection: MASTER(24.54.230.136): 1594 to MASTER(24.54.230.136): 1502, 0 bytes sent, 819 bytes received, 0.000 elapsed time
    Connection: MASTER(24.54.230.136): 1502 from MASTER(24.54.230.136): 1594, 819 bytes sent, 0 bytes received, 0.000 elapsed time
    Connection: MASTER(24.54.230.136): 1530 from MASTER(24.54.230.136): 1592, 548 bytes sent, 0 bytes received, 0.000 elapsed time
    Connection: MASTER(24.54.230.136): 1592 to MASTER(24.54.230.136): 1530, 0 bytes sent, 548 bytes received, 0.000 elapsed time
    Connection: MASTER(24.54.230.136): 1591 to MASTER(24.54.230.136): 1530, 0 bytes sent, 548 bytes received, 0.000 elapsed time
    Connection: MASTER(24.54.230.136): 1530 from MASTER(24.54.230.136): 1591, 548 bytes sent, 0 bytes received, 0.000 elapsed time
    Connection: MASTER(24.54.230.136): 1530 from MASTER(24.54.230.136): 1590, 1312 bytes sent, 544 bytes received, 0.000 elapsed time
    Connection: MASTER(24.54.230.136): 1590 to MASTER(24.54.230.136): 1530, 544 bytes sent, 1312 bytes received, 0.000 elapsed time
    Connection: mail.adelphia.net(68.168.78.100): pop3(110) from MASTER(24.54.230.136): 1587, 41 bytes sent, 152 bytes received, 0.968 elapsed time
    Connection: localhost: 1586 to localhost: 1028, 152 bytes sent, 163 bytes received, 0.953 elapsed time
    Redirected Connection: localhost: 1028 from localhost: 1586, 41 bytes sent, 152 bytes received, 0.953 elapsed time



    Every so often I get the port name next to my IP:

    Connection: MASTER(24.54.230.136): 1502 from MASTER(24.54.230.136): 2054, 544 bytes sent, 0 bytes received, 0.000 elapsed time
    Connection: MASTER(24.54.230.136): knetd(2053) to MASTER(24.54.230.136): 1502, 0 bytes sent, 544 bytes received, 0.000 elapsed time
    Connection: MASTER(24.54.230.136): 1502 from MASTER(24.54.230.136): knetd(2053), 544 bytes sent, 0 bytes received, 0.000 elapsed time
    Connection: MASTER(24.54.230.136): 2052 to MASTER(24.54.230.136): 1530, 0 bytes sent, 544 bytes received, 0.000 elapsed time


    Here's some more:
    12TP(1701)
    pptp(1723)
    msnp(1863)
    ingreslock
    netshow(1755)
    remote-winsock(1745)
    radacct(1813)
    radius(1812)
    ssdp(1900)
    nfsd(2049)
    AND TOO MANY TO LIST
    Norton finds nothing even after I did a full scan.

    I understand these are not all viruses, but
    I've never seen these ports used.

    The one that clued me in: backdoor-g-1. A duh!
    I looked it up and it's the Sub7 from the old days with
    a twist.
    You think maybe someone could shed a little light on this?
    This is my first post, but some of you know me as steyr223 from other
    forums.

    thanks
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Rob C, welcome to Wilders. From what I have just read, following the comprehensive steps found in General Cleaning should get your system clean.

    If these steps do not resolve your situation, you will need to download and run “Hijack This” found here and post your log at one of the forums found at A-SAP. The two bigger forums for HijackThis log processing, (meaning they process more log threads each day than most others) are: SpywareInfo.com and CastleCops.com. Be sure to read their posting policy in the links at their log review forum sections prior to posting.

    The steps mentioned in General Cleaning use software that ought to be part of your security, as an absolute minimum. Once your system is clean, please don’t hesitate to ask further about using these and other security software to protect your computer.

    Hope this helps...

    Let us know how you go.

    Cheers :D
     
  3. rob c

    rob c Registered Member

    Joined:
    Jan 10, 2005
    Posts:
    3
    Location:
    california
    Thanks Blackspear,
    did the cleaning and it all appeared to be virus free.
    It wasn't.

    lightwave8 hub.exe connects every time the app is run;
    this is what's filling my Norton logs up.

    After looking at my logs and reading, I started to wonder if I had the viruses,
    or the perpetrator was just randomly scanning for backdoors,
    or the name is just related to the port even without the virus.

    To the point:
    I did a scan of someone who scanned me prior,
    but this time I used a static port, the one for Backdoor-G.

    Could you please explain this: who's coming & going, who's
    virused and well................



    Connection:209.131.7.162: domain(53) from MASTER(24.54.230.136): 4759
    Connection:209.131.7.162: https(443) from MASTER(24.54.230.136): 4758
    Connection:209.131.7.162: 3372 from MASTER(24.54.230.136): 4757
    Connection:209.131.7.162: 1029 from MASTER(24.54.230.136): 4756
    Connection:209.131.7.162: ircu-1(6666) from MASTER(24.54.230.136): 4755
    Connection:209.131.7.162: netshow(1755) from MASTER(24.54.230.136): 4753
    Connection:209.131.7.162: echo(7) from MASTER(24.54.230.136): 4750
    Connection:209.131.7.162: discard(9) from MASTER(24.54.230.136): 4749
    Connection:209.131.7.162: 1025 from MASTER(24.54.230.136): 4747
    Connection:209.131.7.162: printer(515) from MASTER(24.54.230.136): 4746
    Connection:209.131.7.162: chargen(19) from MASTER(24.54.230.136): 4752
    Redirected Connection: localhost: 1027 from localhost: 4751 1.375
    Connection: localhost: 4751 to localhost: 1027 210 bytes received 1.375
    Redirected Connection: localhost: 1025 from localhost: 4744 1.250
    Connection: localhost: 4744 to localhost: 1025 188 bytes received 1.250

    Connection:209.131.7.162: ftp(21) from MASTER(24.54.230.136): 4761
    Connection:209.131.7.162: daytime(13) from MASTER(24.54.230.136): 4754
    Connection:209.131.7.162: ircu-1(6666) from MASTER(24.54.230.136): Backdoor-g-1(1243)
    Connection:209.131.7.162: 2003 from MASTER(24.54.230.136): 4748
    Connection:209.131.7.162: https(443) from MASTER(24.54.230.136): 4743
    Connection:209.131.7.162: https(443) from MASTER(24.54.230.136): 4742
    Connection:209.131.7.162: https(443) from MASTER(24.54.230.136): 4741
    Connection:209.131.7.162: ftp(21) from MASTER(24.54.230.136): Backdoor-g-1(1243)
    Connection:209.131.7.162: 1028 from MASTER(24.54.230.136): Backdoor-g-1(1243)
    Connection:209.131.7.162: domain(53) from MASTER(24.54.230.136): Backdoor-g-1(124
    Connection:209.131.7.162: https(443) from MASTER(24.54.230.136): Backdoor-g-1(1243)
    Connection:209.131.7.162 : 3372 from MASTER(24.54.230.136): Backdoor-g-1(1243)
    Connection:209.131.7.162: 1029 from MASTER(24.54.230.136): Backdoor-g-1(1243)
    Connection:209.131.7.162: daytime(13) from MASTER(24.54.230.136): Backdoor-g-1(1243)

    Connection: localhost: Backdoor-g-1(1243) to localhost: 1027 210 bytes received 1.671
    Redirected Connection: localhost: 1027 from localhost: Backdoor-g-1(1243) 1.671
    Connection: localhost: Backdoor-g-1(1243) to localhost: 1025 188 bytes received 1.312
    Redirected Connection: localhost: 1025 from localhost: Backdoor-g-1(1243) 1.312

    Connection:209.131.7.162: chargen(19) from MASTER(24.54.230.136): Backdoor-g-1(1243)
    Connection:209.131.7.162: echo(7) from MASTER(24.54.230.136): Backdoor-g-1(1243)
    Connection:209.131.7.162: discard(9) from MASTER(24.54.230.136): Backdoor-g-1(1243)
    Connection:209.131.7.162: 2003 from MASTER(24.54.230.136): Backdoor-g-1(1243)
    Connection:209.131.7.162: printer(515) from MASTER(24.54.230.136): Backdoor-g-1(1243)
    Connection:209.131.7.162: 1025 from MASTER(24.54.230.136): Backdoor-g-1(1243)



    209.131.... is the guy I scanned.
    MASTER is my master computer.
    1 more Q: I made it use a static port 1243 and port-scanned between
    1024 to about 2000, so why all the other ones?

    I use SuperScan.
    Thanks very much for your patience.

    *****@adelphia.net
     
    Last edited by a moderator: Jan 18, 2005
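    As an added example (not code from this thread, from Norton or from SuperScan), a small Python triage of connection-log lines in the shape of those quoted in the first and third posts: it separates entries whose two ends are both the local machine from those that reach an external host, and flags a local source port reused against many targets, which is the trace a port scanner set to a fixed source port leaves behind. The sample lines are a constructed subset, and the reading of the format ("X to Y" and "Y from X" both meaning X opened the connection) is an assumption drawn from the quoted entries; the name the firewall prints beside a port, such as Backdoor-g-1(1243), is its label for that port number, not an identification of the program using it.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the Norton connection-log entries quoted in this thread.
SAMPLE_LOG = """\
Connection: MASTER(24.54.230.136): 1599 to MASTER(24.54.230.136): 1530, 544 bytes sent, 544 bytes received, 0.000 elapsed time
Connection: mail.adelphia.net(68.168.78.100): pop3(110) from MASTER(24.54.230.136): 1587, 41 bytes sent, 152 bytes received, 0.968 elapsed time
Connection: localhost: 1586 to localhost: 1028, 152 bytes sent, 163 bytes received, 0.953 elapsed time
Connection:209.131.7.162: https(443) from MASTER(24.54.230.136): Backdoor-g-1(1243)
Connection:209.131.7.162: ftp(21) from MASTER(24.54.230.136): Backdoor-g-1(1243)
Connection:209.131.7.162: daytime(13) from MASTER(24.54.230.136): Backdoor-g-1(1243)
"""

LINE_RE = re.compile(r"^(?:Redirected )?Connection:\s*(?P<a>.+?)\s+(?P<dir>to|from)\s+(?P<b>.+?)(?:,.*)?$")
# Endpoint forms in the log: "host: 1599", "host: pop3(110)", "host: Backdoor-g-1(1243)". The name
# before the parentheses is only the firewall's label for that port number, not the program using it.
EP_RE = re.compile(r"^(?P<host>.+?):\s*(?:(?P<label>[\w.+-]+)\()?(?P<port>\d+)\)?\s*$")

def parse_endpoint(text):
    m = EP_RE.match(text)
    if not m:
        raise ValueError("unparseable endpoint: " + text)
    ip = re.search(r"\((\d+\.\d+\.\d+\.\d+)\)", m.group("host"))  # "MASTER(24.54...)" -> the IP
    return (ip.group(1) if ip else m.group("host")), int(m.group("port")), m.group("label")

def parse_line(line):
    """Return (initiator, target), or None for a line that is not a connection entry. Assumed
    reading of the quoted entries: 'X to Y' and 'Y from X' both mean X opened the connection."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    a, b = parse_endpoint(m.group("a")), parse_endpoint(m.group("b"))
    return (a, b) if m.group("dir") == "to" else (b, a)

def triage(log_text, my_addrs=("24.54.230.136", "localhost"), fanout=3):
    """Split self-only traffic from external targets; flag local source ports reused against fanout+ targets."""
    self_only, external, per_src_port = 0, defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        (src, sport, _), (dst, dport, _) = parsed
        if src in my_addrs and dst in my_addrs:
            self_only += 1  # the machine talking to itself, e.g. a local proxy or its own listener
            continue
        external[(src, dst, dport)] += 1
        if src in my_addrs:
            per_src_port[sport].add((dst, dport))  # one source port fanning out = fixed-port scan
    fixed = sorted(p for p, targets in per_src_port.items() if len(targets) >= fanout)
    return {"self_only": self_only, "external": dict(external), "fixed_source_ports": fixed}
```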
  4. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Hi, it looks as though someone has their hooks in your system, an actual legitimate hacker/s.

    Most probably originated from a trojan downloader, where more things are installed, including IRC or similar backdoors.

    I would recommend Process Guard and Port Explorer from DiamondCS.

    They should give you the location of the files on your PC and a good idea of what is going on.

    The hacker ID feature in ZoneAlarm Pro is handy; you can report them to their ISP, and it has a world mapping feature which is kinda neat. There is an illegal plugin for this that allows return of threat, and some other nasty stuff which has been used by the undesirables.

    Hope this helps you fix the problem.
     
  5. rob c

    rob c Registered Member

    Joined:
    Jan 10, 2005
    Posts:
    3
    Location:
    california
    Thanks for the reply Sweetie.
    You say real hackers and I definitely
    agree, since my system has been up and running better than ever,
    no malice at all.
    In fact I haven't lost any data in 6 months.
    (I live in alt.binaries.cd.image.) Download, unrar, crack if not, burn,
    install, test, backup, and finally uninstall (over 224 gigs last month alone),
    so you can maybe understand my joy, since most common users go through about 40 to 60 installations and uninstalls (the true killer... where... oh... just delete it) before they completely fry their system.

    Now this only happens when I am connected to the Lightwave hub (when I run the program Lightwave, it autoconnects me).

    When I disconnect all my logs go back to
    kinda a helper thing, but I don't need to connect just to run the app.

    Anyways, thanks for the tip on ZoneAlarm.
    I have a list of resolved IPs with thousands of open ports
    that did more than just scanning.

    Have you ever tried to report abuse?
    Good luck, takes about a week and over 35 different forms.
    What a joke.

    Thanks everyone, steyr223 @adelphia.net
     