Database Update Problem

Discussion in 'Trojan Defence Suite' started by Steve Barnes, Sep 25, 2003.

Thread Status:
Not open for further replies.
  1. Steve Barnes

    Steve Barnes Guest

    I am having some trouble updating the database.

    Browsing to http://tds.diamondcs.com.au/radius.td3 gives me the new database in a matter of seconds, and the new download is verified by the date in the log if I then scan.

    Starting Update, using either the TDS menu or Ctrl+U, results in it looping through a check of the servers in the update.cfg file (I think), spending about 40secs on each then stopping at Server #9 without having downloaded anything.

    If I view the status window in my software firewall (Kerio PF), update shows up as an application, contacting various servers whose names don't correspond to those in update.cfg (not sure if that is significant or not), but not showing any amount of data as having been received. The date in the log for the database also does not change.

    I have downloaded the latest update.cfg. The main change was to alter the order in which IP addresses were contacted (as shown in the KPF status window) with some new addresses. Some of the regular entries here, as listed by KPF, are:
    • www.dcsresearch.com
    • hercules.dewahost.com
    • olympus.dnshotel.com
    plus some IP addresses. These names do not correspond to those in update.cfg.

    Any thoughts would be welcome. I am running W98SE through a Netgear FR114P DSL hardware firewall.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello Steven, welcome!
    Not sure if you're a registered TDS user?
    If not, you can update via the TDS site, as only licensed operators can use the update facility in the TDS menu and/or receive automated updates.
    So if that could be the problem? Then make sure your copy is registered ASAP and you should no longer have those problems!

    Also if registered make sure you occasionally get the new update.cfg from the site and put it in your TDS directory.
    It is changed every few hours to spread the update traffic over the mirrors, there should be some 7 at this moment.
     
  3. barnesy

    barnesy Registered Member

    Joined:
    Sep 25, 2003
    Posts:
    15
    Paid my $, got my registration files... so all should be OK there.

    Downloaded the update.cfg file (on several occasions) to ensure I had the latest version.

    The problem exists prior to, and after having downloaded update.cfg, ie it seems to be independent of the version of this file I am using.

    With further testing, I have noticed that an IP address will briefly appear in the KPF status window prior to the domain names mentioned above appearing there, ie the strange names. The IP addresses aren't on the screen long enough to read.

    Could there be some issue with the way the update.cfg names are being resolved?
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Not likely :) everything should be fine

    When you replace your update.cfg, you should have no problems; TDS will use the new list and currently all servers are up and working.
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Did you put the keyfile properly in the TDS directory, following the instructions from the registration email?
    After that (re)load TDS; think in the meantime you'll have rebooted since all that too.
    After getting the new update.cfg also (re)load TDS so the new file is used.
     
  6. spydespiser

    spydespiser Registered Member

    Joined:
    Sep 21, 2003
    Posts:
    162
    Location:
    Gtr M/C UK
    Hi Steve.
    This I think is a host file redirection; I had it on my comp. last week and was told to drop it. Might be worth your while doing an HJT log and posting it in the appropriate forum and having the guys take a look at it. You can get the latest version 1.97 (I think) at
    http://www.tomcoyote.org/hjt/ . Do a scan, save the log and post it accordingly, but Do Not fix anything yet.

    The other two I don't know anything about :)
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    203.161.127.141 www.dcsresearch.com
    Add this redirection in your HOSTS file for the F5 button to bring you to the DCS forums.
    But this is absolutely apart from the updates.
    The $www... you post I don't know about; which were your other two(?) items and is the posting readable to look at it?
    Did you have update problems from the first start or after fixes?
     
  8. spydespiser

    spydespiser Registered Member

    Joined:
    Sep 21, 2003
    Posts:
    162
    Location:
    Gtr M/C UK
    Hi Jooske

    So how would I insert that back into my start-up?

    After connecting last week I was experiencing a couple of problems and did an HJT log at SpywareInfo before finding you guys, and was told to remove "it" along with 2 BHOs and a web-entrance.com.

    I now assume it was installed as part of the TDS-3 demo I am currently evaluating.

    I have not been able to do a manual upgrade as of yet, as you mention to somebody in another thread; would that put it back? :)

    Thanx in advance :)
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi spydespiser,

    Find this file: c:\windows\system32\drivers\etc\hosts
    right-click it and choose Open with, then choose Notepad and insert the line:
    203.161.127.141 www.dcsresearch.com
    below the header which normally ends like this:

    127.0.0.1 localhost

    Regards,

    Pieter
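    The HOSTS edit Pieter describes is the same mechanism a hijack uses in the other direction, which is why HijackThis flagged spydespiser's entry. As an added example (not code from the thread or from DiamondCS), the script below parses a HOSTS file, confirms that a known-good pin such as the DCS forum entry is present, and lists every other non-loopback mapping for review. The file contents are constructed here, modelled on the standard Windows header that ends in `127.0.0.1 localhost`; the `www.example-vendor.test` line and the `198.51.100.7` address are hypothetical placeholders standing in for an unexpected redirect.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample HOSTS contents (not a real file from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
127.0.0.1       localhost
203.161.127.141 www.dcsresearch.com        # added by the TDS install (per thread)
198.51.100.7    www.example-vendor.test    # hypothetical: redirects a vendor name elsewhere
"""

# Pins we know are legitimate: hostname -> expected address.
KNOWN_GOOD = {"www.dcsresearch.com": "203.161.127.141"}


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [hostnames]) for each data line; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed address: ignore rather than abort the audit
        names = [n.lower() for n in parts[1:]]
        if names:
            entries.append((ip, names))
    return entries


def has_entry(entries: List[Tuple[str, List[str]]], ip: str, hostname: str) -> bool:
    """True if hostname is mapped to exactly ip somewhere in the file."""
    return any(e_ip == ip and hostname.lower() in names for e_ip, names in entries)


def audit_hosts(text: str, known_good: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify each mapping: a known-good pin, a plain loopback alias, or something to review.

    Anything in 'review' overrides public DNS for that name and should be explained
    before it is trusted (the kind of line an HJT log would flag as O1 redirection).
    """
    report = {"expected": [], "loopback": [], "review": []}
    for ip, names in parse_hosts(text):
        for name in names:
            line = f"{ip} {name}"
            if known_good.get(name) == ip:
                report["expected"].append(line)
            elif name == "localhost" and ipaddress.ip_address(ip).is_loopback:
                report["loopback"].append(line)
            else:
                report["review"].append(line)
    return report


if __name__ == "__main__":
    for bucket, lines in audit_hosts(SAMPLE_HOSTS, KNOWN_GOOD).items():
        for line in lines:
            print(f"{bucket:9s} {line}")
```

    On a real machine, read the file from the path Pieter gives (or `C:\Windows\hosts` on Windows 98) instead of `SAMPLE_HOSTS`; the `review` bucket is what to compare against the HJT log before deciding what to keep.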
     
  10. spydespiser

    spydespiser Registered Member

    Joined:
    Sep 21, 2003
    Posts:
    162
    Location:
    Gtr M/C UK
    Hi Pieter :)

    Thanx for your time,

    have done as instructed and run another HJT just to be sure and it's back where it was

    Can't understand why told to remove in first place, it was threads/topics on their forum that led me to TDS demo and Wilders in first place :mad:

    Many Thanx
    SpyD :) :cool: :)
     
  11. barnesy

    barnesy Registered Member

    Joined:
    Sep 25, 2003
    Posts:
    15
    Keyfile is in the correct directory, ie with tds-3.exe and update.cfg.... I have been using TDS-3 for several months without any problems, except for the database update, so I browse to the site and download manually.

    HOSTS file already has the entry 203.161.127.141 www.dcsresearch.com

    Tried with autoupdate set and this started update automatically, but it then went through the process described above, with delays of about 40 sec per server and no download.

    Downloaded the current update.cfg, replacing the existing version, and immediately hit Ctrl+U with same result - cycled through all servers without downloading.

    Reloaded TDS many times to confirm database had not been updated.

    Any further thoughts? o_O
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Definitely is a database problem:

    6:54:24 [Radius] • Systems Initialised [22554 references - 3811 primaries/8051 traces/10692 variants/other]
    16:54:24 [Radius] Radius Systems loaded. <Databases updated 26-09-2003>

    This was downloaded from DCS? The auto update also showed the same figures & that is why I downloaded manually.
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Depends on the mirror. I had it yesterday: the update telling each time it was up to date while on top of the DCS forum it said a newer quantity. I changed the order of the mirrors in the update.cfg and updated again, which was OK, and warned DCS.

    If you have this problem with the Registered TDS version -- no new d/l for TDS would be necessary as the current version is there several weeks now-- you might like to have DCS check your keyfile if that was not damaged somehow.

    Certainly if it worked OK till recently. If it never has worked properly there can most certainly be something wrong somewhere.
    Is all the rest working ok, could you properly install the exec protection or did that give problems too?


    For the HOSTS file entry: not everybody might be aware this one is added with the current TDS install to make sure pressing F5 or the menu option for Forum will bring you to the DCS forum and not to the domain name DCS no longer owns. So please keep that entry in your HOSTS file (not to confuse with the Hosts.sam file which is a sample!)
     
  14. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re-downloaded from DCS, and this time it worked OK, So I am not sure now if it was just the DL to my PC that was corrupted, having had so much trouble with my ISP recently it would not surprise me!

    22:23:12 [Init] • Systems Initialised [28392 references - 9649 primaries/8051 traces/10692 variants/other]
    22:23:12 [Init] Radius Systems loaded. <Databases updated 26-09-2003>

    EDIT: Just looked up my ISP's private NG, there was a problem reported with their Transparent proxy servers that has been resolved. :)
     
  15. barnesy

    barnesy Registered Member

    Joined:
    Sep 25, 2003
    Posts:
    15
    The current database is shown below. I manually downloaded this version due to this update problem. Since installing several months ago, I've always done a manual download from the DCS site, ie the update problem has been with me since the beginning.

    10:30:13 [Init] Trojan Defence Suite v3.2.0 - Registered to Steve Barnes
    10:30:13 [Init] Started 27-09-03 10:30:13 AUS Eastern Standard Time (UTC: -10), Internet Time @62.65
    10:30:13 [Init] Loading TDS-3 Systems ...
    10:30:13 [Init] Token successfully adjusted.
    10:30:13 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
    10:30:13 [Init] • Plugins : OK. Loaded 13
    10:30:13 [Init] • Exec Protection : OK. Installed
    10:30:13 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
    10:30:18 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
    10:30:18 [Init] • Systems Initialised [28331 references - 9617 primaries/8038 traces/10676 variants/other]
    10:30:18 [Init] Radius Systems loaded. <Databases updated 23-09-2003>

    How can I tell if I have a keyfile problem? The rest of TDS seems to work fine.

    Exec protection also seems to be OK. I removed and re-installed prior to producing the log output above and the process seemed to work.

    Below is a table of addresses obtained when I run update.

    The left column is the set of IP addresses displayed in Kerio PF status window. The second column is the list of site addresses from update.cfg, in the same order, and the third column is obtained by looking up the name from the update.cfg file. Cols 1 & 3 correspond so this looks good except for the ftp site which just seemed to get skipped during update.

    I assume port 80 is OK here?

    148.225.83.37:80 fractus.mat.uson.mx --> 148.225.83.37
    193.64.174.119:80 radius.turvamies.com --> 193.64.174.119
    213.84.177.136:80 www.zeylstra.nl --> 213.84.177.136
    212.162.14.120:80 www.toonbox.de --> 212.162.14.120
    63.251.216.73:80 www.rootgap.com --> 63.251.216.73
    66.227.6.177:80 www.attechnical.com --> 66.227.6.177
    --- did not show --- ftp.pc-techie.info --> 82.35.136.97
    203.161.127.141:80 tds.diamondcs.com.au --> 203.161.127.141
    209.50.252.101:80 diamondcs.fileburst.com --> 209.50.252.101

    Could there be a problem with interfacing to the hardware firewall?
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You do grant the update.exe outside connections, I may hope, to be able to update?
    If the keyfile is not OK, you would not be able to use the update, so it is most probably OK, but you can send a copy to support@diamondcs.com.au to test it for you. It could always have been your email program changing it somewhat, although I doubt it.
    Something is wrong; it can be anything: a download help program (you should not use one for this update!), proxy, firewall, anything.
     
  17. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Steve, I use a Linksys router which includes a NAT firewall; no special forwarding etc. should be required.
    What I have noticed in the past is that if I have my Software firewall (Sygate Pro 5) set to "ask" for update.exe to work then sometimes, maybe due to the delay when asked to "allow" the radius file will get corrupted. I have no definitive evidence that this is the case but since I now "allow" update the problem is much reduced.

    If your ISP uses transparent proxy servers these can cause a problem as they may have an out of date radius file in their cache, this can sometimes be corrected, when downloading manually from the DCS site by pressing Ctrl + F5 which should force a cache update.

    HTH Pilli
     
  18. barnesy

    barnesy Registered Member

    Joined:
    Sep 25, 2003
    Posts:
    15
    Ensured Kerio is set up to handle incoming and outgoing messages for update.exe, and that it would do this for any protocol, although update appears to just use TCP. No change to the problem. :'(

    The Kerio status window shows the state going from Listening to Connecting, but never to Connected Out for addresses in update.cfg. (State is the state of the local end-node: Listening — waiting for incoming connection, Connected Out — connection established by a local application to a remote server).

    The time when the connection is established or when an application starts receiving connection on a given port remains at 0, also suggesting the connection has not been made. :doubt:

    Turned Kerio off to check its effect, but no change to the problem. :oops:

    Logged all incoming and outgoing messages in the hardware firewall. Log below is for a run of update.exe. The IP address for each entry in update.cfg is listed in the right order, except for the ftp.pc-techie.info site (82.35.136.97) which was skipped.

    Sun, 2003-09-28 09:27:43 - UDP packet forwarded - Source:192.168.0.2,1794 LAN - Destination:203.10.76.34,53[DNS] WAN - [Outbound Default rule match]
    Sun, 2003-09-28 09:27:43 - TCP packet forwarded - Source:192.168.0.2,1793 LAN - Destination:148.225.83.37,80[HTTP] WAN - [Outbound Default rule match]

    Sun, 2003-09-28 09:28:28 - UDP packet forwarded - Source:192.168.0.2,1796 LAN - Destination:203.10.76.34,53[DNS] WAN - [Outbound Default rule match]
    Sun, 2003-09-28 09:28:28 - TCP packet forwarded - Source:192.168.0.2,1795 LAN - Destination:193.64.174.119,80[HTTP] WAN - [Outbound Default rule match]

    Sun, 2003-09-28 09:29:13 - UDP packet forwarded - Source:192.168.0.2,1798 LAN - Destination:203.10.76.34,53[DNS] WAN - [Outbound Default rule match]
    Sun, 2003-09-28 09:29:13 - TCP packet forwarded - Source:192.168.0.2,1797 LAN - Destination:213.84.177.136,80[HTTP] WAN - [Outbound Default rule match]

    Sun, 2003-09-28 09:29:58 - UDP packet forwarded - Source:192.168.0.2,1800 LAN - Destination:203.10.76.34,53[DNS] WAN - [Outbound Default rule match]
    Sun, 2003-09-28 09:29:58 - TCP packet forwarded - Source:192.168.0.2,1799 LAN - Destination:212.162.14.120,80[HTTP] WAN - [Outbound Default rule match]

    Sun, 2003-09-28 09:30:43 - UDP packet forwarded - Source:192.168.0.2,1802 LAN - Destination:203.10.76.34,53[DNS] WAN - [Outbound Default rule match]
    Sun, 2003-09-28 09:30:43 - TCP packet forwarded - Source:192.168.0.2,1801 LAN - Destination:63.251.216.73,80[HTTP] WAN - [Outbound Default rule match]

    Sun, 2003-09-28 09:31:28 - UDP packet forwarded - Source:192.168.0.2,1804 LAN - Destination:203.10.76.34,53[DNS] WAN - [Outbound Default rule match]
    Sun, 2003-09-28 09:31:28 - TCP packet forwarded - Source:192.168.0.2,1803 LAN - Destination:66.227.6.177,80[HTTP] WAN - [Outbound Default rule match]

    Sun, 2003-09-28 09:32:13 - UDP packet forwarded - Source:192.168.0.2,1806 LAN - Destination:203.10.76.34,53[DNS] WAN - [Outbound Default rule match]
    Sun, 2003-09-28 09:32:13 - TCP packet forwarded - Source:192.168.0.2,1805 LAN - Destination:203.161.127.141,80[HTTP] WAN - [Outbound Default rule match]

    Sun, 2003-09-28 09:32:58 - UDP packet forwarded - Source:192.168.0.2,1808 LAN - Destination:203.10.76.34,53[DNS] WAN - [Outbound Default rule match]
    Sun, 2003-09-28 09:32:58 - TCP packet forwarded - Source:192.168.0.2,1807 LAN - Destination:209.50.252.101,80[HTTP] WAN - [Outbound Default rule match]

    This is the full set of entries from the log for a run of update.exe. No responses are being returned from the packets sent out. o_O

    What is peculiar about the packets that update.exe transmits that would prevent a response?

    Could this be an ISP problem? If so, what sort of problem could it be, ie what do I need to ask them about?
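    The two pieces of evidence barnesy has posted, the update.cfg table with its resolved addresses and the router log of a single update run, can be cross-checked mechanically. As an added example (not code from the thread, from Kerio or from DiamondCS), the script below parses the Netgear-style log lines, matches each outbound HTTP attempt to a mirror from the table, reports which mirrors were never contacted, and measures the gap between attempts; a run of identical 45 s gaps with one DNS query immediately before each attempt is the signature of per-server connect timeouts rather than of downloads. The log text is the one posted above with each wrapped entry joined back onto a single line; the mirror-to-address table is copied from the earlier post. The interpretation thresholds (a gap of 30 s or more) are an assumption of this example, not a value from TDS.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Mirror list in update.cfg order, with the addresses resolved in the earlier post.
MIRRORS: List[Tuple[str, str]] = [
    ("fractus.mat.uson.mx", "148.225.83.37"),
    ("radius.turvamies.com", "193.64.174.119"),
    ("www.zeylstra.nl", "213.84.177.136"),
    ("www.toonbox.de", "212.162.14.120"),
    ("www.rootgap.com", "63.251.216.73"),
    ("www.attechnical.com", "66.227.6.177"),
    ("ftp.pc-techie.info", "82.35.136.97"),
    ("tds.diamondcs.com.au", "203.161.127.141"),
    ("diamondcs.fileburst.com", "209.50.252.101"),
]

# Router log from the post above, one entry per line.
ROUTER_LOG = """\
Sun, 2003-09-28 09:27:43 - UDP packet forwarded - Source:192.168.0.2,1794 LAN - Destination:203.10.76.34,53[DNS] WAN - [Outbound Default rule match]
Sun, 2003-09-28 09:27:43 - TCP packet forwarded - Source:192.168.0.2,1793 LAN - Destination:148.225.83.37,80[HTTP] WAN - [Outbound Default rule match]
Sun, 2003-09-28 09:28:28 - UDP packet forwarded - Source:192.168.0.2,1796 LAN - Destination:203.10.76.34,53[DNS] WAN - [Outbound Default rule match]
Sun, 2003-09-28 09:28:28 - TCP packet forwarded - Source:192.168.0.2,1795 LAN - Destination:193.64.174.119,80[HTTP] WAN - [Outbound Default rule match]
Sun, 2003-09-28 09:29:13 - UDP packet forwarded - Source:192.168.0.2,1798 LAN - Destination:203.10.76.34,53[DNS] WAN - [Outbound Default rule match]
Sun, 2003-09-28 09:29:13 - TCP packet forwarded - Source:192.168.0.2,1797 LAN - Destination:213.84.177.136,80[HTTP] WAN - [Outbound Default rule match]
Sun, 2003-09-28 09:29:58 - UDP packet forwarded - Source:192.168.0.2,1800 LAN - Destination:203.10.76.34,53[DNS] WAN - [Outbound Default rule match]
Sun, 2003-09-28 09:29:58 - TCP packet forwarded - Source:192.168.0.2,1799 LAN - Destination:212.162.14.120,80[HTTP] WAN - [Outbound Default rule match]
Sun, 2003-09-28 09:30:43 - UDP packet forwarded - Source:192.168.0.2,1802 LAN - Destination:203.10.76.34,53[DNS] WAN - [Outbound Default rule match]
Sun, 2003-09-28 09:30:43 - TCP packet forwarded - Source:192.168.0.2,1801 LAN - Destination:63.251.216.73,80[HTTP] WAN - [Outbound Default rule match]
Sun, 2003-09-28 09:31:28 - UDP packet forwarded - Source:192.168.0.2,1804 LAN - Destination:203.10.76.34,53[DNS] WAN - [Outbound Default rule match]
Sun, 2003-09-28 09:31:28 - TCP packet forwarded - Source:192.168.0.2,1803 LAN - Destination:66.227.6.177,80[HTTP] WAN - [Outbound Default rule match]
Sun, 2003-09-28 09:32:13 - UDP packet forwarded - Source:192.168.0.2,1806 LAN - Destination:203.10.76.34,53[DNS] WAN - [Outbound Default rule match]
Sun, 2003-09-28 09:32:13 - TCP packet forwarded - Source:192.168.0.2,1805 LAN - Destination:203.161.127.141,80[HTTP] WAN - [Outbound Default rule match]
Sun, 2003-09-28 09:32:58 - UDP packet forwarded - Source:192.168.0.2,1808 LAN - Destination:203.10.76.34,53[DNS] WAN - [Outbound Default rule match]
Sun, 2003-09-28 09:32:58 - TCP packet forwarded - Source:192.168.0.2,1807 LAN - Destination:209.50.252.101,80[HTTP] WAN - [Outbound Default rule match]
"""

# Netgear FR114P-style line: day, timestamp, protocol, action, src ip/port, dst ip/port[service], rule.
LINE_RE = re.compile(
    r"^\w{3}, (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<proto>TCP|UDP) packet "
    r"(?P<action>\w+) - Source:(?P<src>[\d.]+),(?P<sport>\d+) LAN - "
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+)(?:\[(?P<svc>\w+)\])? WAN - \[(?P<rule>[^\]]*)\]$"
)

TIMEOUT_GAP_SECONDS = 30  # assumption: gaps this long and identical look like connect timeouts


def parse_router_log(text: str) -> List[Dict]:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        events.append(d)
    return events


def analyse_update_run(events: List[Dict], mirrors: List[Tuple[str, str]]) -> Dict:
    """Correlate outbound HTTP attempts with the mirror table and with preceding DNS queries."""
    ip_to_name = {ip: name for name, ip in mirrors}
    http = [e for e in events if e["proto"] == "TCP" and e["dport"] == 80]
    dns = [e for e in events if e["proto"] == "UDP" and e["dport"] == 53]
    contacted_ips = {e["dst"] for e in http}
    gaps = [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(http, http[1:])]
    return {
        "contacted": [ip_to_name.get(e["dst"], e["dst"]) for e in http],   # in attempt order
        "skipped": [name for name, ip in mirrors if ip not in contacted_ips],
        "unexpected": sorted(ip for ip in contacted_ips if ip not in ip_to_name),
        "resolvers": sorted({e["dst"] for e in dns}),
        "dns_before_each_http": all(any(u["ts"] == t["ts"] for u in dns) for t in http),
        "gaps_seconds": gaps,
        # Identical long gaps mean each attempt waited out the same timer, not a transfer.
        "uniform_timeout": len(set(gaps)) == 1 and gaps[0] >= TIMEOUT_GAP_SECONDS,
    }


if __name__ == "__main__":
    for key, value in analyse_update_run(parse_router_log(ROUTER_LOG), MIRRORS).items():
        print(f"{key:21s} {value}")
```

    The output for this log says what barnesy concluded by eye: every mirror except ftp.pc-techie.info is tried in update.cfg order, each try is preceded by a query to the same resolver, nothing arrives at an address outside the table, and the attempts are spaced a uniform 45 s apart. That pattern points away from DNS or HOSTS tampering (the addresses match) and toward something on the host swallowing the reply, which is consistent with the Sobig.C finding later in the thread.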
     
  19. tutankamon

    tutankamon Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    170
    Location:
    Lancashire U.K.
    I agree with Steve, I find it far easier to just do a manual download, using the "save target as" method.
     
  20. barnesy

    barnesy Registered Member

    Joined:
    Sep 25, 2003
    Posts:
    15
    Seems I have a fix. :)

    TDS was picking up a registry entry for SobigC. Although I deleted the entry (according to TDS) the entry would reappear. The AV wasn't indicating any problem, so I just kept deleting.

    Finally decided to run a Sobigc removal program (which actually found and removed it), the registry entry warning disappeared from TDS3, update (ctrl+u) started working and has worked fine ever since. :D

    Steve
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Do you mean Sobig.C was active and blocked your TDS updating process?
     
  22. barnesy

    barnesy Registered Member

    Joined:
    Sep 25, 2003
    Posts:
    15
    I assume Sobig.C was re-setting the registry key each time I deleted it in TDS-3, causing it to re-appear during the next TDS checks only to be re-deleted by me. Certainly during this time update would not work, hence all the stuff above in this thread.

    I don't know the inner workings of TDS or Sobig well enough to say whether it was blocking the update process or not. However, as soon as I removed it and without making other changes, I tried update and it worked without any problems.
     
  23. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Process Guard could be your marvelous friend here, preventing anything from blocking your updates!
    It's the first time I heard about the update being blocked, even the manual update.
    Glad you solved it though and I hope with not too much damage to your system!
    So now we learned something new too!
     