Parasite connection to port 5190 [hijacked AOL session]

Discussion in 'other security issues & news' started by Avian Avis, Feb 10, 2006.

Thread Status:
Not open for further replies.
  1. Avian Avis

    Avian Avis Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    15
    Hello all, I am new here, I hope to get some help on the following problem:

    I am on win98se and I have AOL dial-up connection. I use it only as internet connection and I don't use their software. If you are familiar with AOL, you know that it forcibly connects to port 5190 udp for its own spying purposes as it also monitors all processes on your PC with its idleproc.dll (at least AOL7 does that). Well, I've long renamed idleproc.dll to something else and by so doing eliminated AOL's connection to 5190. Since then when I use AOL it only connects to the dial-up proxy at port 13784 and that's the normal state of affairs.

    Yesterday I had a strange event. First I had an unexpected crash during an internet session, rebooted computer, reconnected to AOL. Then I checked the TCPView screen as I usually do and saw that besides the normal AOL connects there was also a sort of a mirror image of all the endpoints but only from some different ISP :blink: It looked something like this:

    UDP ak:1029 *:*
    UDP ac914xxx.ipt.aol.com:nbname *:*
    UDP ac914xxx.ipt.aol.com:nbdatagram *:*
    TCP ak:0 ak:0 LISTENING
    TCP ak:1029 ak:0 LISTENING
    TCP ac914xxx.ipt.aol.com:137 ak:0 LISTENING
    TCP ac914xxx.ipt.aol.com:138 ak:0 LISTENING
    TCP ac914xxx.ipt.aol.com:nbsession ak:0 LISTENING
    TCP ac914xxx.ipt.aol.com:1027 ak:0 LISTENING
    TCP ac914xxx.ipt.aol.com:1027 ats-xxx.dial.aol.com:13784 ESTABLISHED
    UDP ak:1029 *:*
    UDP smthg.notaol.com:nbname *:*
    UDP smthg.notaol.com:nbdatagram *:*
    TCP ak:0 ak:0 LISTENING
    TCP ak:1029 ak:0 LISTENING
    TCP smthg.notaol.com:137 ak:0 LISTENING
    TCP smthg.notaol.com:138 ak:0 LISTENING
    TCP smthg.notaol.com:nbsession ak:0 LISTENING
    TCP smthg.notaol.com:1027 ak:0 LISTENING
    TCP smthg.notaol.com:1027 216.85.x.x:5190 ESTABLISHED

    "ak" is the name of my computer, I don't remember what the exact address of the parasite ISP was but it sounded like a cable or broadband (tnt4.uu.net I think). I was totally shocked and immediately killed the AOL connection, the other one disappeared too, AOL started closing down, then I got a crash.

    To begin with I'd like to understand what happened and how it is possible that I got two distinct internet connections at the same time? (it looks like I had two IPs assigned to my one PC) No scans with either a-squared or bitdefender8 or antivir7 detected any trojans or whatever.

    Maybe this is something like filesharing or bittorrent thing trying to use my computer? I just have no clue here.

    Thank you.

    PS. I use Antivir 7 and no firewall at the moment (resource-hog).
    PPS. I have no chat programs installed - except for AOL's AIM which I don't use.
     
    Last edited: Feb 12, 2006
  2. aka:snowman

    aka:snowman Former Poster

    Joined:
    May 14, 2004
    Posts:
    152
    Re: Parasite connection to port 5190

    NO FIREWALL!!!! naw, now that won't work.....won't work at all....


    on a win98se there is zone alarm 2.6 that works well....lite enough for you to use................an there is Kerio 2.15 which is very lite.....either one YOU NEED IMMEDIATELY!!!!!!!!

    Friend this is as honest as it gets...you need a FIREWALL!!! if you don't understand Firewalls go for zone alarm 2.6.......will provide you with a download link if you like.



    snowie
     
  3. Avian Avis

    Avian Avis Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    15
    Re: Parasite connection to port 5190

    Thank you for your concern. Next thing you'll tell me to get the hell off the bad-bad AOL :) Also fyi Kerio went XP-only some time ago.

    Anyhow I thought maybe somebody who has a clue about networking could explain how this situation could arise. My guess is that it's got something to do with AOL's VPN protocol, maybe two sessions can be established simultaneously. But for this to happen I figure something needs already to be present on my computer to initiate such a trick. Like a trojan server :))

    Another question I've been pondering recently: rootkits on win98... Not one rootkit hunter is made for win9x apparently because under this OS the PID for an open port just can't be gotten. Does this mean rootkits have a free-go on all Win9x systems? Ouch.
     
  4. aka:snowman

    aka:snowman Former Poster

    Joined:
    May 14, 2004
    Posts:
    152
    Re: Parasite connection to port 5190

    Avian Avis

    really I could care less if you use or don't use AOL....that's your business the ISP you prefer........


    Kerio 2.15 works very well on win98......an has done so for several years...........would not have suggested it otherwise...............the Newer Version of Kerio is for XP..........also, did you fail to notice the mentioning of zone alarm 2.6.............an older version of zone alarm but protects a computer decently enough.............

    Avian Avis I have no interest in debating with anyone.......you need a firewall BADLY.......but the choice is entirely yours.......so if you don't want to install one that too is your choice..............
    Without a Firewall you would be amazed at what could enter your computer.....an you sit there wondering why you have "unknown" connections..........or wondering if you have a Trojan.........hell, you most likely have the bathtub in that computer as well.....LOL.......the kitchen sink....an the hair dryer.............beginning to get the point??

    Root Kits......kind of ahead of yourself there friend............

    kick it back to me if you want that link for a firewall.........in your case...judging by your comments......zone alarm 2.6 may be in your best interest..........its as easy to use as it gets......but again..if you are not interested.....good luck..... SeeYa
     
  5. Avian Avis

    Avian Avis Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    15
    Re: Parasite connection to port 5190

    Heh, I don't pose as an expert when I am no such thing;) ...Good luck with your firewall advocacy.... and other issues....
     
  6. aka:snowman

    aka:snowman Former Poster

    Joined:
    May 14, 2004
    Posts:
    152
    Re: Parasite connection to port 5190

    Avian Avis


    An the very best to you as well
     
  7. Avian Avis

    Avian Avis Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    15
    The soap-opera with zombifying/hijacking attempts continues so I thought I'd update this thread.

    There has been some progress. As per usual no amount of scanning (Bitdefender, Antivir7) or installing guards like a-squared detects anything at all. My computer appears pure :D
    Meantime Outpost Firewall (old freebie v.1.0.1) shows severe wrong-doing during certain evening hours:

    1st internet session - unauthorized incoming connection from chinese ISP established (udp connect 221.208.208.8 remote port 32916 local port 1027)
    I terminate internet session.
    2nd internet session immediately after - WAOL.exe establishes unheard-of connection to that uu.net host in my town :ouch: and while this is going on TCPView shows everything to be a perfectly normal aol dial-up session. Great.
    I terminate internet session :)

    This time there was no question of port 5190 as such.

    This only happens when I am on AOL, the initiated internet session gets spoofed somehow, so I just uninstalled AOL for the time being. Prior to all this, during the day I had a windows crash during a connection and when I booted back I discovered a log file in the windows/local_settings directory - the contents seem to reference some other computer which runs XP (I run Win98se) - attaching this file just in case. Of course it shouldn't be on my computer and I strongly suspect that I can see it only because windows crashed and it couldn't get cleaned up properly.

    I will post more on this after reinstalling AOL.
    Still wondering what might be going on though :blink:
     

    Attached Files:

    Last edited: Feb 12, 2006
  8. aka:snowman

    aka:snowman Former Poster

    Joined:
    May 14, 2004
    Posts:
    152
    Re: Parasite connection to port 5190

    FYI ONLY:



    waol.exe

    waol.exe - Here is the scoop on WAOL as it pertains to computer network security. The big question: what is waol.exe and is it spyware, a trojan and if so, how do I get rid of WAOL?
    waol.exe (WAOL) - Details
    The waol.exe could be the main application for your AOL installation. However, a (coolwwwsearch) parasite can sometime also show itself as waol.exe. This process should be treated with caution until it is proven that it is not the coolwwwsearch parasite.

    waol.exe is considered to be a security risk, not only because spyware removal programs flag WAOL as spyware, but also because a number of users have complained about its performance.

    WAOL is likely spyware and as such, presents a serious vulnerability which should be fixed immediately! Delaying the removal of waol.exe may cause serious harm to your system and will likely cause a number of problems, such as slow performance, loss of data or leaking private information.

    SEE: http://www.auditmypc.com/process/waol.asp

    __________________________



    SEE ALSO:
    http://www.norton.com/avcenter/venc/data/adware.conspy.html

    _____________________________



    as stated.......posted FYI only............may not have anything to do with your present situation but seems a "need to know" since you posted this:



    1st internet session - unauthorized incoming connection from chinese ISP established (udp connect 221.208.208.8 remote port 32916 local port 1027)
    I terminate internet session.
    2nd internet session immediately after - < WAOL.exe > establishes unheard-of connection to that uu.net host in my town and while this is going on TCPView shows everything to be a perfectly normal aol dial-up session. Great. ***
    ***
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Re: Parasite connection to port 5190

    This probably explains the log file (basically the XP path in there is debug information from the system the program was built on):

    http://castlecops.com/t133843-Documents_and_Settings_rcorlateanu_Visual_Studio_Projects.html

    It'd be nice to know the specific rogue IP address that is being connected to when that happens. It might help to determine what's going on if you can find out exactly what that points to. For instance, if it turns out to be the home IP address of just some person out there, obviously that would lead to thoughts of a trojan or spyware. But, if it turns out to be some sort of local proxy used by AOL, then it might be legitimate, and simply the result of a change in the network routing (even a temporary reroute for some reason) between you and the provider.
     
  10. Avian Avis

    Avian Avis Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    15
    Re: Parasite connection to port 5190

    Alright, Mark, thanks - this sounds like a bitdefender log indeed as I only installed it two days ago (there's a bunch of tmp folders besides).

    The rogue IP is this (don't want it googled). I tend to believe it's a private address rather than an AOL proxy. These hijacking attempts don't occur all the time, only on some days around 5-6pm or like yesterday it was a saturday evening. Perhaps some chap is relaxing after a hard day's work :)
    For all I know uu.net is a hub provider among other things and people who want T1 connections and fast stuff like that get it from uu.net
     
  11. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Re: Parasite connection to port 5190

    UUNET is (was, pre-merge with Verizon) indeed a large provider in the Internet. They have a good chunk of the backbone, but, that does appear to be some customer's IP address and not a proxy or cache server. If it isn't your address (ie. AOL using UUNET services to provide its local connectivity in your area, which is possible), and you are connecting to it only at some times, but not others, then it is possible you have a compromised system. Although it could also be a severely messed up network stack, thanks to the wonders of the AOL connectoid.
     
  12. Avian Avis

    Avian Avis Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    15
    Re: Parasite connection to port 5190

    Nice try, Snowman. But it doesn't apply, I am afraid (coolwwwsearch? I use Opera). Besides - didn't I predict earlier in the thread that your next logical step would be to point the finger at AOL as a bad-bad proggy? :D:D

    Just kidding. I am really grateful you haven't tried to make me drop Windows and switch to Linux already :) In the meantime I decided to test-drive Kerio 2.1.5 as per your suggestion - it's alright but I seem to notice that it doesn't allow breaking a connection like Outpost does. It's only a bit lighter than the old Outpost I have. And it's also application/rules-based. Pretty much the same thing, it seems to me.

    Anyhow, have a nice weekend.
     
  13. Avian Avis

    Avian Avis Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    15
    Re: Parasite connection to port 5190

    My AOL's dial-up servers are all in the 152.x.x.x domain, if I recall correctly. The chinese IP is also part of the equation though, I already had a fleeting intrusion from a 221.x.x.x address a couple of weeks ago (I had TrojanHunter Guard installed at that time - didn't react). I don't know how bad AOL needs to mess up to get involved with a chinese IP :blink:

    I guess I'll just continue to bait the wilds of internet with a reinstall of AOL and see what happens. I don't know what else I could do - except set the firewall to block-most mode or some tight-ass tactics like that :doubt: But then I will never know what's been causing all this...
     
  14. aka:snowman

    aka:snowman Former Poster

    Joined:
    May 14, 2004
    Posts:
    152
    Re: Parasite connection to port 5190

    Avian Avis



    Have already bluntly told you that I could care less which ISP that you use...........nowhere have you seen me post anything saying to get rid of your ISP.........your comment to this effect was unfounded in fact. It's entirely your business if you use known spyware.....an was giving you the benefit of the doubt....in case you were not aware of the spyware contents..., an as well alerting you to a possible trojan.

    In fact, a temp solution would be to use the Firewall to simply block the NetRange of the offending party..or route it to the localhost....denying access to your computer........

    This was your second attempt to be rude......have only tried helping you.....an your attitude lacks common decency and appreciation.................so, it's best we go our separate ways....hopefully in peace...if that's possible at this point.............an not have further contact now or in the future.

    Will once again wish you all success in solving your problem.
     
  15. Avian Avis

    Avian Avis Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    15
    Re: Parasite connection to port 5190

    To snowman:

    Alright. I won't stalk you on the forum, promise :)
    The reason I am not yet blocking this addy is because I want to see what it's all about.

    ____

    As to the rest of the story:
    1) I reinstalled AOL without disabling idleproc.dll (which connects to port 5190 and some AOL proxy)
    2) First connection without firewall - uu.net bastard kicked in immediately.
    3) Second connection with firewall set to block-most: uu.net never showed up, however I had to block this beauty: 214.149.6.143

    whois:
    214.0.0.0 - 214.255.255.255
    DoD Network Information Center
    3990 E. Broad Street
    Columbus, OH
    US
    Network DoD
    HOSTMASTER@nic.mil
    +1-800-365-3642

    Sign on to AOL and get probed by US Department of Defense? Somehow I am not surprised :)

    Very amused here and will investigate all this further, and keep you posted in case these things start happening to other folks. Meantime, the chinese connection remains a mystery... :8
     
    Last edited: Feb 12, 2006
  16. Avian Avis

    Avian Avis Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    15
    Re: Parasite connection to port 5190

    That's the actual snapshot of the TCPView I got with uu.net shadowing aol.com connections:

    UDP ak:1028 *:*
    UDP ac910xxx.ipt.aol.com:nbname *:*
    UDP ac910xxx.ipt.aol.com:nbdatagram *:*
    UDP 21cust21.tnt4.xxx.xx.da.uu.net:nbname *:*
    UDP 21cust21.tnt4.xxx.xx.da.uu.net:nbdatagram *:*
    UDP 21cust21.tnt4.xxx.xx.da.uu.net:5190 *:*
    TCP ak:0 ak:0 LISTENING
    TCP ak:1028 ak:0 LISTENING
    TCP ac910xxx.ipt.aol.com:137 ak:0 LISTENING
    TCP ac910xxx.ipt.aol.com:138 ak:0 LISTENING
    TCP ac910xxx.ipt.aol.com:nbsession ak:0 LISTENING
    TCP ac910xxx.ipt.aol.com:1027 ak:0 LISTENING
    TCP ac910xxx.ipt.aol.com:1027 205.188.50.152:5190 ESTABLISHED
    TCP 21cust21.tnt4.xxx.xx.da.uu.net:137 ak:0 LISTENING
    TCP 21cust21.tnt4.xxx.xx.da.uu.net:138 ak:0 LISTENING
    TCP 21cust21.tnt4.xxx.xx.da.uu.net:nbsession ak:0 LISTENING
    TCP 21cust21.tnt4.xxx.xx.da.uu.net:1026 ak:0 LISTENING
    TCP 21cust21.tnt4.xxx.xx.da.uu.net:1026 ats-rdd.dial.aol.com:14324 ESTABLISHED
    TCP 21cust21.tnt4.xxx.xx.da.uu.net:5190 ak:0 LISTENING


    I would love to understand how this can even happen :8
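    A small helper for reading a snapshot like the one above, added here as an example and not code from the thread or from TCPView: it groups sockets by local host name and reports when two local identities expose the same listening ports, the "shadow" pattern the thread ends up attributing to a second PPP link. It assumes "ak" is the bare machine name, as in the posts, and its sample input is a cut-down copy of the snapshot above.

```python
"""Summarise a TCPView-style snapshot by local address.

Added example; not code from the thread or from TCPView. Lines look like
'PROTO local:port remote:port [STATE]'. Sockets are grouped by local host
name, and two local names that bind the same listening ports are reported
as a 'shadow' pair (the second-PPP-link symptom discussed in the thread).
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<lhost>\S+):(?P<lport>\S+)\s+"
    r"(?P<rhost>\S+):(?P<rport>\S+)(?:\s+(?P<state>[A-Z_]+))?\s*$"
)

# Constructed sample: a shortened copy of the poster's TCPView snapshot.
SAMPLE = """
UDP ak:1028 *:*
UDP ac910xxx.ipt.aol.com:nbname *:*
UDP 21cust21.tnt4.xxx.xx.da.uu.net:nbname *:*
UDP 21cust21.tnt4.xxx.xx.da.uu.net:5190 *:*
TCP ak:0 ak:0 LISTENING
TCP ac910xxx.ipt.aol.com:137 ak:0 LISTENING
TCP ac910xxx.ipt.aol.com:nbsession ak:0 LISTENING
TCP ac910xxx.ipt.aol.com:1027 205.188.50.152:5190 ESTABLISHED
TCP 21cust21.tnt4.xxx.xx.da.uu.net:137 ak:0 LISTENING
TCP 21cust21.tnt4.xxx.xx.da.uu.net:nbsession ak:0 LISTENING
TCP 21cust21.tnt4.xxx.xx.da.uu.net:1026 ats-rdd.dial.aol.com:14324 ESTABLISHED
TCP 21cust21.tnt4.xxx.xx.da.uu.net:5190 ak:0 LISTENING
"""


def parse(snapshot):
    """Parse each line into a dict; header or garbled lines are skipped."""
    rows = []
    for line in snapshot.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["state"] = d["state"] or ""
            rows.append(d)
    return rows


def report(snapshot, self_names=("ak",)):
    """Group sockets by local host; self_names are the unbound (0.0.0.0) rows."""
    listening, peers = defaultdict(set), defaultdict(list)
    for r in parse(snapshot):
        host = r["lhost"]
        if host in self_names:
            continue
        # A UDP socket with remote '*:*' is a bound listener, like TCP LISTENING.
        if r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["rhost"] == "*"):
            listening[host].add(r["lport"])
        elif r["state"] == "ESTABLISHED":
            peers[host].append((r["proto"], f"{r['rhost']}:{r['rport']}"))
    hosts, shadows = sorted(listening), []
    for i, a in enumerate(hosts):
        for b in hosts[i + 1:]:
            common = listening[a] & listening[b]
            if common:  # two local identities exposing the same services
                shadows.append({"hosts": (a, b), "common": sorted(common),
                                "only_on": {a: sorted(listening[a] - common),
                                            b: sorted(listening[b] - common)}})
    return {"listening": {h: sorted(p) for h, p in listening.items()},
            "peers": dict(peers), "shadows": shadows}


if __name__ == "__main__":
    import json
    print(json.dumps(report(SAMPLE), indent=2))
```

On the sample it reports one shadow pair, with port 5190 bound only under the uu.net name and each identity holding its own established session to a different AOL peer.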
     
  17. GUI_Tex

    GUI_Tex Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    189
  18. Avian Avis

    Avian Avis Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    15
    On to the "dual IP saga" as I now call it between me, myself and I :ninja:

    There are distinctive symptoms prior to the onset of the uu.net invasion:

    1) An attempt to connect to AOL goes sour after it reaches their modems: "can't establish PPP link" error, aol drops connection, and the next phone number kicks in.
    2) Connection is established on the second phone number, uu.net is set as my IP address (ipconfig says) while aol.com IP sits on top of it for an unknown purpose with all the same local ports open (as shown in the previously posted tcp-view).

    The distinctive feature of my machine running on a uu.net IP is that the first thing it does is connect from local port 5190 to remote port 5190 of the aol proxy (while this never happens with the regular aol.com IP after I disfigure the idleproc.dll). Then it drops the 5190 connection. Maybe it's some new AOL spy feature, I just don't know.
    AOL also seems to disable block-most firewall settings (I recall it has a dat file somewhere specifying which fw's it will disable).

    I haven't been able to discover any confirmation that uu.net is currently being used by AOL as just another pool of ip addresses.

    <Comic relief>
    a-squared guard says: firewall is malicious, waol is malicious, regseeker is malicious...

    Run for yer life :D
     
  19. Avian Avis

    Avian Avis Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    15
    Gotta close this thread for future reference.

    First off: like the network-savvy members commented here, the whole issue is not security-related in any manner at all, it's just AOL going nuts on a personal computer.

    AOL uses uu.net and aol.com simultaneously. It creates two PPP links on my pc. In this case the connection is very slow because the link to the internet has to go round-about through a uu.net router/firewall or what not. From trace-routes I get the impression that I am behind two firewalls (one aol.com, one uu.net) which is just way too slow to surf. So I have to break that connect and re-connect and get the usual one link setup. It seems that this double-ppp happens when aol networks are overloaded and they try to pass some of it to uu.net but it's a drag really.

    My understanding of networking is too basic to go into any detail here, the bottom-line is that it's not a breach-of-security issue and I panicked out of ignorance - which is constantly the case with security :) too many lamers being fed horror stories... paranoia usually results :))
     