Do You Know This One ?

Discussion in 'malware problems & news' started by Snowie, Jan 2, 2006.

Thread Status:
Not open for further replies.
  1. Snowie

    Snowie Guest

    At this very moment my firewall is being hammered by an outbound trojan that has eluded all attempts to locate it. It may be contained in a program and calling home. Its "home" is:


    planetlab13.Millennium.Berkeley.EDU

    (ip address left out)


    If anyone has seen this before, please advise. I am about ready to do a reformat to get rid of this thing, and you could save me that.

    thank you


    snowie
     
  2. Snowie

    Snowie Guest

    Not sure this could be considered an answer, but it's certainly something everyone NEEDS to read. It sure was new to me:


    http://169.229.50.15



    **** This machine is a node in the PlanetLab distributed network.

    If you are visiting this website because you are receiving unwanted or unrequested traffic from this or any other PlanetLab node, please use the Search Form to identify the researchers responsible for the traffic, and report your complaint to them. The PlanetLab Support team (support@planet-lab.org) is copied on all complaints, and will ensure that your concerns are addressed in a timely manner.

    PlanetLab is a global research network that supports the development of new network services. Since the beginning of 2003, more than 1,000 researchers at top academic institutions and industrial research labs have used PlanetLab to develop new technologies for distributed storage, network mapping, peer-to-peer systems, distributed hash tables, and query processing.

    If you have received UDP traceroute packets from a number of PlanetLab nodes, you or another user on your network may have recently accessed a website cached by the Coral project, which runs on PlanetLab. Many websites, including Slashdot, regularly post "Coralized" links to popular content. Coral actively probes its clients using a fast traceroute-like tool, to determine the nearest proxy for its clients to use. If you do not want to receive such probes, discontinue accessing URLs that end in .nyud.net:8090. *****
     
  3. FanJ

    FanJ Guest

    Hi Snowman,

    I have to admit that I am not sure (far from it !).

    But somehow it made me think about one of the download sites for SpywareBlaster.
    Have a look at this page:
    http://www.javacoolsoftware.com/sbdownload.html
    You will see there three download locations.
    The third one is a download possibility through the Coral Distribution Network.
    Looking at the properties of that URL, I see indeed that .nyud.net:8090. in it.

    I don't know whether those things are related, sorry.
    But I completely trust Javacool !!! :D
    Maybe Javacool could tell a bit more ;)

    Cheers, Jan.


    Edited to add :

    Did you download recently the new SpywareBlaster from that third link?

    As I wrote: I'm not sure whether it is related to what you were seeing...
     
    Last edited by a moderator: Jan 2, 2006
  4. controler

    controler Guest

    Wow, searching "Coral Project" in Google gives a lot of info on these guys.

    They appear to have huge penetration.

    http://www.coralcdn.org/

    con
     
  5. Snowie

    Snowie Guest

    Dear Friend Jan


    You are absolutely, completely, and totally CORRECT!!!! "SHO nuff", I had just downloaded SpywareBlaster, and the link ".nyud.net:8090" does belong to one of the download sites. Jan, that was extra alert of you to have noticed that. Thanks bunches, because I sure would never have connected the two.

    Oh, I can trust Javacool without any problem, although I was disturbed by the scanning from that machine. And yet, that too is normal behavior, so it is no problem. I guess it hurt my ego; I thought a trojan had entered the OS, and that has never happened before, and my swell-headed confidence just went out of the window. LOL (guess I needed a lesson in humility), even if it was a false alarm.

    *********************************



    controler

    Yes, you are also correct. That's a big network, and I'm kinda wondering who is backing it financially?

    The entire network is now blocked on this machine.
     
  6. Snowie

    Snowie Guest

    Forgot to mention: the firewall was being hit "FROM THE INSIDE" by OUTBOUND attempts. This is odd behavior. At the moment I have no solid answer, but I can guess that "something" had been downloaded to the temp folder, or perhaps a "session cookie"; these are being widely used these days.


    Guess this can be a good example of the need for a decent firewall with a good rule set, but now I need to look deeper and locate the inner source of those OUTBOUND connection attempts and block it from happening again. Oh boy, and the beat goes on! By the way, the OUTBOUND connection attempts stopped the moment I did a "cleaning" of temp and cache.
     
  7. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Hi, guys! I'll keep an eye on Port Explorer for awhile (logs and such) to see if I'm seeing anything similar here. (I just got the latest version of SWB, too). Pete
     
  8. Snowie

    Snowie Guest

    Pete

    As a precaution I installed a clean backup made on 12/25/05. That outbound attempt hit the firewall 136 times; that's a bunch!!

    This coming weekend I will try to duplicate the behavior. I have never had this sort of thing happen prior to this, and I don't like it. The server may be a saint, but how did it download "something" that attempted outbound connections?

    Most exploits are of no concern to me, but this one caught my attention and it needs blocking, in a BIG WAY!!

    Thanks for monitoring. Hope nothing shows.

    Snowie
     
  9. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    NP - Can you give me the exact IP it was trying to connect to? (I'll be able to track the Process ID that way if there's one connected to it in PE). Pete
     
  10. FanJ

    FanJ Guest

  11. Snowie

    Snowie Guest

    Thanks Jan, I just posted a comment there.




    ****************************************************


    Pete


    The IP was: <169.229.50.15>. OUTBOUND attempts to:

    <planetlab13.millennium.berkeley.edu>

    <169.228.0.0> - <169.237.225.225>

    ***************

    UC Berkeley

    <169.229.0.0> - <169.229.255.255>
     
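The PlanetLab notice quoted in post 2 gives the tells (Coralized URLs end in ".nyud.net:8090"; the probes come from PlanetLab nodes) and post 11 gives the address block the outbound attempts went to. The script below is an added triage example that puts the two together over a firewall log: it is example code written for this page, not anything from PlanetLab, Coral, Javacool or any firewall vendor. The log line format, the addresses other than 169.229.50.15, and the use of 169.229.0.0/16 (the 169.229.0.0 - 169.229.255.255 range quoted in post 11) are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Address block quoted in the thread for UC Berkeley (169.229.0.0 - 169.229.255.255);
# the PlanetLab node named in the posts, 169.229.50.15, lies inside it.
BERKELEY_NET = ipaddress.ip_network("169.229.0.0/16")

# Per the PlanetLab notice quoted in the thread, Coralized URLs end in .nyud.net:8090.
CORAL_SUFFIX = ".nyud.net"
CORAL_PORT = 8090

# Constructed sample firewall log (made-up line format; 192.168.1.0/24 and
# 203.0.113.0/24 are private/documentation ranges). The INBOUND UDP line stands
# in for a traceroute-style probe of the kind the notice describes.
SAMPLE_LOG = """\
2006-01-02 07:41:03 OUTBOUND TCP 192.168.1.10:3051 -> 169.229.50.15:8090 BLOCKED
2006-01-02 07:41:05 OUTBOUND TCP 192.168.1.10:3052 -> 169.229.50.15:8090 BLOCKED
2006-01-02 07:41:09 OUTBOUND UDP 192.168.1.10:1031 -> 192.168.1.1:53 ALLOWED
2006-01-02 07:42:11 INBOUND UDP 169.229.50.15:33434 -> 192.168.1.10:33435 BLOCKED
2006-01-02 07:43:00 OUTBOUND TCP 192.168.1.10:3060 -> 203.0.113.7:6881 BLOCKED
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dir>INBOUND|OUTBOUND) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$"
)


def parse_log(text):
    """Turn the constructed log format into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def is_coralized(url):
    """True when a URL points at the Coral CDN: host ends in .nyud.net and port is 8090."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    return host.endswith(CORAL_SUFFIX) and port == CORAL_PORT


def in_planetlab_range(ip):
    """True when an IP lies in the Berkeley block quoted in the thread."""
    return ipaddress.ip_address(ip) in BERKELEY_NET


def summarize_outbound(text):
    """Count blocked OUTBOUND attempts per destination and flag the Berkeley block.

    Returns a list of (dst_ip, count, in_berkeley_block), highest count first.
    """
    counts = Counter(
        e["dst"] for e in parse_log(text)
        if e["dir"] == "OUTBOUND" and e["action"] == "BLOCKED"
    )
    return [(ip, n, in_planetlab_range(ip)) for ip, n in counts.most_common()]


def inbound_udp_probes(text):
    """Source IPs of inbound UDP from the Berkeley block (what a Coral probe looks like)."""
    return sorted({
        e["src"] for e in parse_log(text)
        if e["dir"] == "INBOUND" and e["proto"] == "UDP" and in_planetlab_range(e["src"])
    })


if __name__ == "__main__":
    for ip, n, flagged in summarize_outbound(SAMPLE_LOG):
        tag = "Berkeley/PlanetLab block" if flagged else ""
        print(f"{ip:16} {n:4} blocked outbound  {tag}")
    print("inbound UDP probes from the block:", inbound_udp_probes(SAMPLE_LOG))
    print(is_coralized("http://www.javacoolsoftware.com.nyud.net:8090/sbdownload.html"))
```

A hit count on its own does not separate a beacon from a download retry; what the script gives you is the destination to run through the PlanetLab search form named in the notice, plus a check on whether the URL you just clicked was a Coralized one, which is the link Jan spotted in post 3.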
  12. controler

    controler Guest

    Hi snowy,

    Are you using a P2P client? They seem to be big into that sort of thing.

    con
     
  13. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Since I turned PE on, there haven't been any calls to or from any IP address beginning with "169."

    I'll keep watching, though. (If it does happen to be related to SWB due to the d/l site selected, I evidently didn't get it from that one, I guess.) Pete
     
  14. Snowie

    Snowie Guest

    CON


    NOPE. NEVER ever used P2P.


    As stated in an earlier post, I am more than curious as to who is fronting this network's money; those servers aren't running on peanut oil.

    Shortly I will need to shut down, but you can bet the "dogs are on the stink".
     
  15. controler

    controler Guest

  16. Snowie

    Snowie Guest

    Lordy, Lordy, Ms Claudy......WHY ME!!!!!!!!
     
  17. Snowie

    Snowie Guest

    CON


    No, I didn't do any "sniffing". Sorry to say that I was just too busy at the time, and now the entire network is blocked, and I won't be able to "tempt" it until the weekend.
     
  18. Snowie

    Snowie Guest

    Pete


    Try this: click the download link just as you would to download SWB, then quickly click on another download site, wait a while, and see if anything happens. I will try duplicating the exploit this weekend.
     
  19. FanJ

    FanJ Guest

    Hi guys,

    As I see it, for the moment, we don't know whether it (what Snowman saw) is related to SpywareBlaster or not.
    It could be or not.
    We don't know at the moment.

    Hey Snowie,
    I wished that I could say "glad that I could help", but I'm afraid that I didn't help very much; so sorry my dear friend.
     
  20. beetlejuice69

    beetlejuice69 Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    780
    I downloaded SB from that site, and there are no problems and nothing trying to leave my puter.
     
  21. Snowie

    Snowie Guest

    To ALL

    Let it be clearly understood that no accusations have been made in this thread, and none will be in regards to SpywareBlaster.


    There is definitely an issue here. It's open to discussion and some healthy tracking; eventually an answer will be found.

    It just so happens that I had just awoken, turned on the puter, checked for SpywareBlaster updates and was advised to go to the download website. Thereafter, well, you are reading the results.

    My concern is: what got INSIDE the system to make those outbound attempts, and HOW did it get in, bypassing security? Nothing was installed that could cause that action; therefore, it had to be in one of the internet temp folders or the temp folder itself. I had attempted to download from the server in question but it never opened, so I went to another server. That's about all I can tell you guys; your guess as to what happened is as good as anyone else's, but that server could well be considered an exploit, IMO. In twenty years nothing has ever got past my security as this did, and that's a fact.

    This weekend I will check deeper into this.
     
  22. Snowie

    Snowie Guest

    JAN

    Hey Buddy, you did great. Your alertness led me to where this all began; if not for that I could have been searching for days. Give yourself a pat on the back. Job well done!

    Got to go now. Until later, take care, be happy, just 'cause you can.



    Warm Regards

    Snowie The Snowman
     
  23. controler

    controler Guest

    Interesting part of their acceptable use policy

    "Network Usage Rules

    * Do not use your PlanetLab slice (account) to gain access to any hosting site resources that you did not already have.
    * Do not use one or more PlanetLab nodes to flood a site with so much traffic as to interfere with its normal operation. Use congestion controlled flows for large transfers.
    * Do not do systematic or random port or address block scans. Do not spoof or sniff traffic. "
     
  24. Snowie

    Snowie Guest

    CON

    Thanks for posting the info. Obviously someone was not playing by the rules.
     
  25. FanJ

    FanJ Guest

    Most interesting info -ugh-
    Nobody is going to forbid me to put a sniffer up, be it Port Explorer or AWPTA or whatever :mad:
     