Do You Know This One ?

At this very moment my firewall is being hammered by an outbound trojan that has eluded all attempts to locate it..........it may be contained in a program an calling home.................its "home" is:


planetlab13.Millennium.Berkeley.EDU

(ip address left out)


if anyone has seen this before please advise.........am about ready to do a reformat to get rid of this thing..............an you could save me that.

thank you


snowie

 

Not sure this could be considered an answer but its certainly something everyone NEEDS to read...........sure was new to me:


http://169.229.50.15



**** This machine is a node in the PlanetLab distributed network.

If you are visiting this website because you are receiving unwanted or unrequested traffic from this or any other PlanetLab node, please use the Search Form to identify the researchers responsible for the traffic, and report your complaint to them. The PlanetLab Support team (support@planet-lab.org) is copied on all complaints, and will ensure that your concerns are addressed in a timely manner.

PlanetLab is a global research network that supports the development of new network services. Since the beginning of 2003, more than 1,000 researchers at top academic institutions and industrial research labs have used PlanetLab to develop new technologies for distributed storage, network mapping, peer-to-peer systems, distributed hash tables, and query processing.

If you have received UDP traceroute packets from a number of PlanetLab nodes, you or another user on your network may have recently accessed a website cached by the Coral project, which runs on PlanetLab. Many websites, including Slashdot, regularly post "Coralized" links to popular content. Coral actively probes its clients using a fast traceroute-like tool, to determine the nearest proxy for its clients to use. If you do not want to receive such probes, discontinue accessing URLs that end in .nyud.net:8090. *****

 

Hi Snowman,

I have to admit that I am not sure (far from it !).

But somehow it made me think about one of the download sites for SpywareBlaster.
Have a look at this page:
http://www.javacoolsoftware.com/sbdownload.html
You will see there three download locations.
The third one is a download possibility through the Coral Distribution Network.
Looking at the properties of that URL, I see indeed that .nyud.net:8090. in it.

I don't know whether those things are related, sorry.
But I completely trust Javacool !!!
Maybe Javacool could tell a bit more

Cheers, Jan.


Edited to add :

Did you download recently the new SpywareBlaster from that third link?

As I wrote: I'm not sure whether it is related to what you were seeing...

 

Wow searching Coral Project in Google gives alot of info on these guys.

They appear to have huge penetration

http://www.coralcdn.org/

con

 

Dear Friend Jan


You are absolutely, completely, and totally CORRECT!!!! "SHO nuff" I had just download spywareblaster........an the link ".nyud.net:8090. " does belong to one of the download sites. Jan, that was extra alert of you to have noticed that.....thanks bunches.......cause I sure would never have connected the two........

oh I can trust Javacool without any problem....although I was disturbed by the scanning from that machine.......an yet, that to is normal behavior....so is no problem........I guess it hurt my ego..thought a trojan had entered the OS....an that has never happened before......an my swell-headed confidence just went out of the window...LOL (guess I needed a lesson in humility) even if it was a false alarm.

*********************************



controler

yes, you are also correct....thats a big network.....an kinda wondering who is backing it financially.........?

The entire network is now blocked on this machine.....

 

Forgot to mention.........the firewall was being hit "FROM THE INSIDE" by OUTBOUND attempts........this is odd behavior.......at the moment I have no solid answer...but can guess that "something" had been download to the temp folder.....or perhaps a "session cookie"....these are being widely used these days.......


guess this can be a good example for the need for a decent firewall with a good rule set..........but now I need to look deeper......an located the inner source of those OUTBOUND connection attempts.......an blocked it from happening again.........oh boy..an the beat goes on! By the way...the OUTBOUND connection attempts stopped the moment I did a "cleaning" of temp and cache

 

Hi, guys! I'll keep an eye on Port Explorer for awhile (logs and such) to see if I'm seeing anything similar here. (I just got the latest version of SWB, too). Pete

 

Pete

as a pre-caution I installed a clean backup made on 12/25/05.....that Outbound attempt hit the firewall 136 times.......thats a bunch!!

This coming weekend I will try to duplicate the behavior.....have never had this sort of thing happen prior to this an I don't like it. The Server may be a Saint....but how did it download "something" that attempted Outbound connections??

Most exploits are of no concern to me but this one caught my attention an it needs blocking....in a BIG WAY!!

Thanks for monitoring.........hope nothing shows.

Snowie

 

NP - Can you give me the exact IP it was trying to connect to? (I'll be able to track the Process ID that way if there's one connected to it in PE). Pete

 

Hi guys,

for your info:
Just only to get Javacool's attention, I started a thread in the SpywareBlaster-forum:
https://www.wilderssecurity.com/showthread.php?t=113957

 

Thanks Jan, I just posted a comment there.




****************************************************


Pete


The IP was : <169.229.50.15> OUTBOUND attempts to


<planetlab13. millennium.berkly.edu>

<169.228.0.0> - <169.237.225.225>

***************

U of C @ berkly

<169.229.0.0> - <169.229.255.255>

 

s
Hi snowy

are you useing a P2P client? They seem to be big into that sort of thing.

con

 

Since I turned PE on, there haven't been any calls to or from any IP address beginning with "169."

I'll keep watching, though. (If is does happen to be related to SWB due to the d/l site selected, I evidentally didn't get it from that one, I guess). Pete

 

CON


NOPE>>>NEVER ever used P2P.............


As stated in an earlier post I am more than curious as to who is Fronting this network money............those Servers aren't running on peanut oil.........

Shortly I will need to shut down but you can bet the "Dogs are on the stink"

 

snowie

if you really want to see what is going on go here and try Ethereal
if you aren't allready.

http://fileforum.betanews.com/detail/Ethereal_for_Windows/1010156969/1

 

Lordy, Lordy, Ms Claudy......WHY ME!!!!!!!!

 

CON


No, I didn't do any "sniffing".....sorry to say that I was just to busy at the time.........an now the entire network is blocked......an wont be able to "tempt" it until the weekend.....

 

Pete


Try this.....click the download link just as you would to download SWB....then quickly click on another download site....wait awhile....see if anything happens........I will try duplicating the exploit this weekend.

 

Hi guys,

As I see it, for the moment, we don't know whether it (what Snowman saw) is related to SpywareBlaster or not.
It could be or not.
We don't know at the moment.

Hey Snowie,
I wished that I could say "glad that I could help", but I'm afraid that I didn't help very much; so sorry my dear friend.

 

I downloaded SB from that site, and there`s no problems and nothing trying to leave my puter

 

To ALL

Let it be clearly understood that no accusations have been made in this thread.........an none will in regards to Spywareblaster


There is defintely an issue here........its open to discussion....an some healthy tracking......eventually an answer will be found......

It just so happens that I had just awoke ...turned on the puter....checked for spywareblaster updates an was advised to go to the download website.......thereafter....well you are reading the results......

My concern is: What got INSIDE the system to make those Outbound attempts........an HOW did it get in......bypassing security.....nothing was installed that could cause that action.........therefore, it had to be in one of the internet temp folders or the temp folder itself.........I had attempted to download from the Server in question but it never opened so went to another Server............thats about all I can tell you guys....your guess as to what happened is as good as anyone else's.............but that Server could well be considered an exploit...imo..........in twenty years nothing has ever got pass my security as this did..........an thats a fact......

This weekend I will check deeper into this

 

JAN

Hey Buddy you did great.......your alertness led me to where this all began...if not for that I could have been searching for days....give yourself a pat on the back......job well done!

Got to go now.....until later........take care....be happy....just cause you can



Warm Regards

Snowie The Snowman

 

Interesting part of their acceptable use policy

"Network Usage Rules

* Do not use your PlanetLab slice (account) to gain access to any hosting site resources that you did not already have.
* Do not use one or more PlanetLab nodes to flood a site with so much traffic as to interfere with its normal operation. Use congestion controlled flows for large transfers.
* Do not do systematic or random port or address block scans. Do not spoof or sniff traffic. "

 

CON

Thanks for posting the info.....obviously someone was not playing by the rules......

 

Most interesting info -ugh-
Nobody is going to forbid me to put a sniffer up, be it Port Explorer or AWPTA or whatever