Question on 3 Items

Discussion in 'Trojan Defence Suite' started by Mike20041, Jun 23, 2004.

Thread Status:
Not open for further replies.
  1. Mike20041

    Mike20041 Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    11
    3 detected NTFS Data Streams:

    _restore.mln/{1e5795f9-77ea-40b9-871c-9b6921aa9686}\rp91\a0021203.mln

    _restore/{1e5795f9-77ea-40b9-871c-9b6921aa9686}\rp91\a0021207.ink

    _restore/{1e5795f9-77ea-40b9-871c-9b6921aa9686}\rp91\a0021213.mnc

    Should I delete these 3 keys?

    MZ Exe: Unknown on all 3
    Name: :a

    Another question concerning ports, in reference to 32656:

    Could someone please advise me what problems/trouble occur from this port? It has been under attack very often here lately.

    Thanks
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Mike20041

    ... and welcome to Wilders :)

    http://isc.incidents.org/port_details.php?port=32656

    If it is related to Kazaa Lite and your firewall is blocking it, nothing to worry about. If your IP is dynamic try changing it and see if that helps in reducing those log entries.

    Regards,

    CrazyM
     
  3. Mike20041

    Mike20041 Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    11
    Thx for the update on this info

    The strange thing is I don't use Kazaa at all, never have...

    My PC has been under attack by the following ports for 6 hours 26 minutes and still is under attack.

    It goes like this:

    32656 many times
    80 ICMP Echo request
    137 once, then it loops

    I have been monitoring it and anything that has wait or established I close the socket on immediately.

    I have another question you might be able to answer...

    GRC.com always shows a TAG "certain computer name & location linked to the PC" on my PC. How would I stealth this? It worries me because whoever can see this knows that it's an active PC.
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    If your IP is dynamic, you may have inherited one that was previously being used by someone who does use Kazaa. It is not unusual to see this happen with dynamic IPs.

    This type of traffic being blocked by a firewall is not really an attack, and nothing to worry about. As suggested, if your IP is dynamic try doing an ipconfig /release and then ipconfig /renew at the command prompt to get a new IP and see if that helps.

    Just where is it you are seeing/dealing with these wait/established connections?
    Are any of these the port 32656 you are concerned about?

    Are you referring to the part about "The text below might uniquely identify you on the Internet"?
    If so, and it is something that never changes, then it is something you would want to know about. If it changes along with your IP, then there is no real need to worry. Your IP and the reverse DNS provided by your ISP are not something you can stealth or hide unless you go through an anonymous proxy service.

    Regards,

    CrazyM
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello there and welcome!

    About the NTFS streams, they are in System Restore, so if you disable System Restore, reboot and enable it again, all former restore points are deleted and you can make a new restore point manually.
    How large/small are they?
    If TDS alarms on them, since they are probably .exe files, Gavin might be interested in them. Is it possible to submit them from the alerts console before you delete them via the restore trick I just described?

    For the "Kazaa attack" I think somebody just kept trying, but your firewall stopped it, like CrazyM described.
    In general, try not to backtrace attackers.

    With Port Explorer you can do some more investigation on the attackers: who/what is trying to connect to you, which application, hidden and suspicious connections. So if any application or trojan were responsible (those in System Restore, I doubt they could be active from there, but I might be wrong) you would see it in your Port Explorer screen immediately.
    I just checked and there are no scans on that port here, to give an example.
     
  6. Mike20041

    Mike20041 Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    11
    The IP refresh did the trick. The second thing I noticed, sorry about this... the unique ID is tied into the IP. Thanks for the assistance with this.

    TDS-3 Netstat Remote/Established/Above 5000

    Right clicking on that enabled me to shut it down.

    I will submit them before I shutdown system restore, I never use system restore since I do a full format and reinstall.

    I will also report back on the file size.

    Thanks for the assistance
     
  7. Mike20041

    Mike20041 Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    11
    Stream 1 is 497kb
    Stream 2 is 497kb
    Stream 3 is 521kb

    I have no option to submit in the alert area, left click or right click.

    I am submitting under help

    I had to choose dump stream to file

    TAGS as sent

    stream1.exe
    stream2.exe
    stream3.exe
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there, thanks for submitting them. I forgot to ask you to zip them, preferably, if you sent them that way. These are big guys and definitely worth an investigation. Let's wait for Gavin's confirmation of receipt before deleting them definitively.

    Second important thought (maybe): if something is in System Restore, I suppose there is or has been an original on the system.
    After being in System Restore, I guess such files no longer have the original date and time of when they entered your system? Such details might be interesting to look at if there were maybe other things going wrong, and your firewall logs and a Windows find/search for new files from that day/time might give information around that same time, etc.
    Did you recently find any infections or suspicious files anywhere else?
    You might have been very lucky in the thing(s) possibly not having been able to execute, or they might be part of the other port knock problem.
    So if that kind of behavior is still going on, it's most certainly worth a look with Port Explorer to see if anything unwanted is going on (connecting, trying to connect, in- and outgoing traffic blocked by the firewall, etc.).
    Fingers crossed the TDS Exec Protection blocked any execution if those are nasties!
     
  9. Mike20041

    Mike20041 Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    11
    I already sent them, but they were not zipped if you like I can zip and resend...

    I will check back in an hour or two

    I started using Port Explorer about one hour ago and I like it..

    I am uncertain where to find this information...

    I did about two days ago, but I simply deleted them. [8] thumbs.db files appeared under the alert panel (mainly within my documents user accounts and various other folders)
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    I did about two days ago, but I simply deleted them. [8] thumbs.db files appeared under the alert panel (mainly within my documents user accounts and various other folders)

    Hi Mike20041, Thumbs.db is a genuine Windows file and is used for the collation of image files.
    You can set your data streams to ignore any streams less than about 128 bytes, as there is unlikely to be any harm in such a small file; most are 88 bytes and are generated by Windows.

    HTH Pilli :)
     