Trojans detected

Discussion in 'other firewalls' started by Shinseraph, Jun 18, 2004.

Thread Status:
Not open for further replies.
  1. Shinseraph

    Shinseraph Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    6
    I have detected some trojans from Korea, Israel, and even from here in the US, and I wanted to know who to report them to. I do have their IP addresses and have located them with addresses and such, but what do I do with this information?
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Shinseraph

    ... and welcome to Wilders :).

    Is this trojans you are asking about or events in your firewall log?

    Regards,

    CrazyM
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Which trojans did you find? You can always send copies to submit@diamondcs.com.au for deeper investigation of them.

    Did you get them by email or in other ways?
     
  4. Shinseraph

    Shinseraph Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    6
    Well, these are trojans that have been detected AND blocked, but I am notified when they are found trying to "attack" my computer. Thanks for the greeting; let me post the details on a couple.

    1.
    OrgName: Asia Pacific Network Information Centre
    OrgID: APNIC
    Address: PO Box 2131
    City: Milton
    StateProv: QLD
    PostalCode: 4064
    Country: AU

    ReferralServer: whois://whois.apnic.net

    NetRange: 220.0.0.0 - 220.255.255.255
    CIDR: 220.0.0.0/8
    NetName: APNIC6
    NetHandle: NET-220-0-0-0-1
    Parent:
    NetType: Allocated to APNIC
    NameServer: NS1.APNIC.NET
    NameServer: NS3.APNIC.NET
    NameServer: NS4.APNIC.NET
    NameServer: NS.RIPE.NET
    NameServer: TINNIE.ARIN.NET
    Comment: This IP address range is not registered in the ARIN database.
    Comment: For details, refer to the APNIC Whois Database via
    Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
    Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
    Comment: for the Asia Pacific region. APNIC does not operate networks
    Comment: using this IP address range and is not able to investigate
    Comment: spam or abuse reports relating to these addresses. For more
    Comment: help, refer to http://www.apnic.net/info/faq/abuse
    Comment:
    RegDate:
    Updated: 2004-03-30

    OrgTechHandle: AWC12-ARIN
    OrgTechName: APNIC Whois Contact
    OrgTechPhone: +61 7 3858 3100
    OrgTechEmail: search-apnic-not-arin@apnic.net

    # ARIN WHOIS database, last updated 2004-05-17 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    OrgName: Asia Pacific Network Information Centre
    OrgID: APNIC
    Address: PO Box 2131
    City: Milton
    StateProv: QLD
    PostalCode: 4064
    Country: AU
    Comment:
    RegDate:
    Updated: 2004-03-01

    ReferralServer: whois://whois.apnic.net

    AdminHandle: AWC12-ARIN
    AdminName: APNIC Whois Contact
    AdminPhone: +61 7 3858 3100
    AdminEmail: search-apnic-not-arin@apnic.net

    TechHandle: AWC12-ARIN
    TechName: APNIC Whois Contact
    TechPhone: +61 7 3858 3100
    TechEmail: search-apnic-not-arin@apnic.net

    # ARIN WHOIS database, last updated 2004-05-17 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    2.
    OrgName: America Online
    OrgID: AOL
    Address: 22000 AOL Way
    City: Dulles
    StateProv: VA
    PostalCode: 20166
    Country: US

    NetRange: 172.192.0.0 - 172.211.255.255
    CIDR: 172.192.0.0/12, 172.208.0.0/14
    NetName: AOL-172BLK-2
    NetHandle: NET-172-192-0-0-1
    Parent: NET-172-0-0-0-0
    NetType: Direct Allocation
    NameServer: DAHA-01.NS.AOL.COM
    NameServer: DAHA-02.NS.AOL.COM
    NameServer: DAHA-07.NS.AOL.COM
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    RegDate: 2002-02-13
    Updated: 2003-08-08

    TechHandle: AOL-NOC-ARIN
    TechName: America Online, Inc.
    TechPhone: +1-703-265-4670
    TechEmail: domains@aol.net

    OrgAbuseHandle: AOL382-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-703-265-4670
    OrgAbuseEmail: abuse@aol.net

    OrgNOCHandle: AOL236-ARIN
    OrgNOCName: NOC
    OrgNOCPhone: +1-703-265-4670
    OrgNOCEmail: noc@aol.net

    OrgTechHandle: AOL-NOC-ARIN

    And here's the last one. Thanks for the help.

    netname: KORNET-INFRA000001-KR
    descr: Korea Telecom
    descr: 206 Jungja-dong, Bundang-gu, Sungnam city, Gyunggi-do, Korea, 463-711
    descr: GYUNGGI
    descr: 463-711
    country: KR
    admin-c: IA32280-KR
    tech-c: IM32126-KR
    remarks: This IP address space has been allocated to KRNIC.
    remarks: For more information, using KRNIC Whois Database
    remarks: whois -h whois.nic.or.kr
    mnt-by: MNT-KRNIC-AP
    remarks: This information has been partially mirrored by APNIC from
    remarks: KRNIC. To obtain more specific information, please use the
    remarks: KRNIC whois server at whois.krnic.net.
    changed: hostmaster@nic.or.kr 20040607
    source: KRNIC
     
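The three records above answer the original question in three different ways: ARIN hands the 220/8 block off to APNIC through a ReferralServer line and says outright that APNIC will not take abuse reports; the AOL record carries an OrgAbuseEmail; and the KRNIC record's only pointer to the responsible registry is buried in remarks lines. Working out where a report belongs means parsing the key: value output and applying that order of preference. The following is an added example written for this page, not code from the thread or from Norton, APNIC, ARIN or KRNIC; the three sample records are constructed from the pasted output (trimmed), and the key names it looks for (OrgAbuseEmail, abuse-mailbox, ReferralServer, Comment, remarks) are assumptions about what registry output of this style contains.

```python
"""Parse RIR whois records (ARIN / APNIC / KRNIC 'Key: value' style) and
decide where an abuse report for the netblock should be sent."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed samples, trimmed from the records pasted in the thread.
ARIN_APNIC_RECORD = """\
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 220.0.0.0 - 220.255.255.255
CIDR: 220.0.0.0/8
NetName: APNIC6
Comment: This IP address range is not registered in the ARIN database.
Comment: APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses.
OrgTechEmail: search-apnic-not-arin@apnic.net
# ARIN WHOIS database, last updated 2004-05-17 19:15
"""

AOL_RECORD = """\
OrgName: America Online
OrgID: AOL
Country: US

NetRange: 172.192.0.0 - 172.211.255.255
CIDR: 172.192.0.0/12, 172.208.0.0/14
NetName: AOL-172BLK-2

TechEmail: domains@aol.net

OrgAbuseHandle: AOL382-ARIN
OrgAbuseName: Abuse
OrgAbuseEmail: abuse@aol.net

OrgNOCEmail: noc@aol.net
"""

KRNIC_RECORD = """\
netname: KORNET-INFRA000001-KR
descr: Korea Telecom
country: KR
admin-c: IA32280-KR
tech-c: IM32126-KR
remarks: This IP address space has been allocated to KRNIC.
remarks: For more information, using KRNIC Whois Database
remarks: whois -h whois.nic.or.kr
mnt-by: MNT-KRNIC-AP
remarks: KRNIC whois server at whois.krnic.net.
source: KRNIC
"""

KEY_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9_-]*):\s*(.*?)\s*$")
# Three ways registries point at another whois server: an explicit
# whois:// URL, a 'whois -h host' hint, or prose 'whois server at host'.
WHOIS_HOST = re.compile(
    r"(?:whois://|whois\s+-h\s+|whois\s+server\s+at\s+)([A-Za-z0-9.-]+)",
    re.IGNORECASE,
)


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Map lowercased key -> list of values. Repeated keys (Comment, remarks,
    NameServer) accumulate in order; '#'/'%' banner lines, blank lines and
    keys with empty values (Parent:, RegDate:) are dropped."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "%")):
            continue
        m = KEY_VALUE.match(line)
        if m and m.group(2):
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields


def abuse_contact(fields: Dict[str, List[str]]) -> Optional[str]:
    """First address under a key naming an abuse mailbox (ARIN OrgAbuseEmail,
    RIPE/APNIC-style abuse-mailbox). Tech/NOC/admin mailboxes do not count."""
    for key, values in fields.items():
        if "abuse" in key and ("email" in key or "mailbox" in key):
            for v in values:
                if "@" in v:
                    return v
    return None


def referral_server(fields: Dict[str, List[str]]) -> Optional[str]:
    """Explicit ReferralServer first, then a hint hidden in Comment/remarks,
    which is all a mirrored APNIC/KRNIC record gives you."""
    for key in ("referralserver", "remarks", "comment"):
        for v in fields.get(key, []):
            m = WHOIS_HOST.search(v)
            if m:
                return m.group(1).rstrip(".")
    return None


@dataclass
class Recommendation:
    action: str   # "report", "follow_referral" or "no_contact"
    target: str   # mailbox to write to, or whois host to query next
    reason: str


def where_to_report(text: str) -> Recommendation:
    """Abuse mailbox beats referral beats plain technical contact."""
    fields = parse_whois(text)
    mailbox = abuse_contact(fields)
    if mailbox:
        return Recommendation("report", mailbox, "record carries an abuse mailbox")
    host = referral_server(fields)
    if host:
        return Recommendation("follow_referral", host,
                              "this registry only holds the allocation; query the referred server")
    for key in ("orgtechemail", "techemail", "adminemail"):
        for v in fields.get(key, []):
            if "@" in v:
                return Recommendation("report", v, "no abuse mailbox; technical contact only")
    return Recommendation("no_contact", "", "no usable contact in record")


if __name__ == "__main__":
    for name, rec in (("APNIC via ARIN", ARIN_APNIC_RECORD),
                      ("AOL", AOL_RECORD), ("KRNIC", KRNIC_RECORD)):
        r = where_to_report(rec)
        print(f"{name:15} {r.action:16} {r.target:25} ({r.reason})")
```

Whatever contact this turns up belongs to the owner of the netblock, not necessarily to the person behind the traffic; as nick s notes later in the thread, the source is often a compromised machine, so the report is useful to that network's abuse desk for cleaning up their host rather than for identifying an attacker.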
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    Hi Shinseraph,

    What software product is catching these for you? Based on what you posted, it looks like it's your firewall, as CrazyM was mentioning. Can you give us some details? There will be other things to post, detailed logs which show more information than that. How you find that information will vary by application, so let us know what product is alerting you.
     
  6. Shinseraph

    Shinseraph Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    6
    Well, I am currently using Norton Personal Firewall and Norton Antivirus; this is what I am currently using, but I am planning to get something else. Any suggestions as to which one I should buy?
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    Ah, so it's NPF giving those alerts. Those may well be default trojan blocking rules that are being triggered, and they may not be all that critical. Let's see what CrazyM or jvmorris have to say on those. (No pressure guys. :D )
     
  8. Shinseraph

    Shinseraph Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    6
    Also, something strange is happening: I am currently connecting with AOL, but now 4 out of my 5 connections say they are invalid or busy. When I open a website it says that "AOL core something" is trying to access using an unrecognized module and such. What should I do? o_O
     
  9. Shinseraph

    Shinseraph Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    6
    It is apparently saying "AOL core application is attempting to access the internet using unrecognized modules". I'm not sure what this means, but what would you guys suggest I do? It seems like every day my PC is infected more and more :mad:
     
  10. mVPstar

    mVPstar Registered Member

    Joined:
    May 2, 2004
    Posts:
    52
    Well, I don't think you should have traced those trojan attempts. It's almost like returning to the scene of the crime (I think ;) ). Simply tracing the attacker sort of tells him that you're there and will therefore bring upon more attacks.

    If your NPF is blocking those attempts, then you should be fine. My suggestion would be to virus scan your computer. Also, post a HijackThis log so we can see what may be lurking around in settings. As for AOL, check your program rules and post them here. Also, list the numbers that will not connect and the ones that will.

    mVPstar ;)
     
  11. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    More than likely, tracing will lead to some hijacked computer being used as a platform for remote scanning. Knowledgeable attackers will not expose their IP.

    Nick
     
  12. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Shinseraph,

    Let's start with some basic information.

    What version of Norton Personal Firewall (NPF) are you using?

    What is your operating system?

    Now, how is NPF alerting you? Is the Alert Tracker popping out or are you seeing some sort of window appear on your monitor?

    What does the warning message say? (A screen-shot might come in handy here.)

    With some additional information, we may be able to tell you if you're seeing something new or simply something very old. At any rate, from what you've said so far, it sounds as if NPF is handling it.
     
  13. Shinseraph

    Shinseraph Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    6
    OK, well, I am using Windows XP on an AMD Athlon XP at about 2.1 GHz. At the moment I use AOL dial-up, but on Tuesday I will be using Qwest DSL. I am using Norton Personal Firewall (2003), I believe, and Norton Antivirus 2003 as well, I believe. So far it seems to be blocking a lot of the viruses and trojans, but I get the feeling that some are still getting through, because when I get on the internet it gives me a notification such as "America Online is trying to connect to the internet using one or more unrecognized modules", and with RealPlayer and Internet Explorer I get similar messages. I would like to get some feedback on this. When I run Norton, the only thing it seems to ever find is adware, but when I try to remove it using the antivirus, it never does, except maybe one or two out of around 12... :blink:
     
  14. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Are these Firewall alerts?

    Do you have Program component monitoring or Program launch monitoring enabled? Are these alerts from those components if enabled? Check the following link for some info/comments on these:
    http://www.gpick.com/agnisrules/pages/settings/settings_pg17.html

    Regards,

    CrazyM
     