unknown connection

Discussion in 'Port Explorer' started by sabach, Jul 31, 2004.

Thread Status:
Not open for further replies.
  1. sabach

    sabach Registered Member

    Joined:
    Jul 31, 2004
    Posts:
    8
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Sabach, if you are using Port Explorer then right-click on the connection and select "disable sending" and/or "disable receiving", or even "Kill Process".
     
  3. sabach

    Well, I d/l the Port Ex.
    and it says it's mirc.exe....
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there and welcome to the forum.
    After killing the connection (with Port Explorer or TDS for example) it's really important to scan your whole system for the x.exe and other files mentioned.
    And to have your system patched with all windows security updates.
    The object data exploit (which is part of this whole problem to start with) is only possible on unpatched systems. In most cases it started with a spam email or via a website being able to download the stuff on your system.
    It's good to check if your mstasks.exe is still the original un-modified version from your windows install.
    Any other uncommon symptoms?

    In case you are infected, the little proxy installed would make your system an open proxy and zombie system, on which they install whatever the guys like and one might suppose it's updated and reported via mIRC or ICQ about the zombie system being connected etc.

    So the patching, killing the process and connections and scanning deep and getting rid of it.

    I did not check the story for quite a while for new links and behavior. So keep us informed how you're doing.
     
  5. sabach

    How can I know if mstasks.exe is modified?
     
  6. sabach

    I didn't find mstasks.exe on my system
    (I use XP Pro SP1)
     
  7. sabach

    Active Connections

    Proto Local Address Foreign Address State
    TCP IMMORTAL:1024 210.182.98.2:1762 ESTABLISHED
    TCP IMMORTAL:1027 199.218.240.90:2196 ESTABLISHED
    TCP IMMORTAL:3113 69.31.74.104:6667 ESTABLISHED
    TCP IMMORTAL:3756 194.106.206.47:6667 ESTABLISHED
    TCP IMMORTAL:4053 unknown.sagonet.net:6667 ESTABLISHED
    TCP IMMORTAL:http ads.x10.com:3122 CLOSE_WAIT

    How do I kill it in the Port Exp?
     
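    To show what stands out in that listing, here is an added example (not code from the thread or from Port Explorer): a small Python parser over the `netstat` output posted above that flags the concurrent ESTABLISHED sessions to IRC port 6667, the pattern this thread treats as the zombie symptom. The IRC port set and the two-session threshold are my assumptions.

```python
from dataclasses import dataclass

# Ports IRC servers commonly listen on. Several ESTABLISHED sessions from one
# home PC to such ports is the classic symptom of an IRC-controlled zombie.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000}

# The listing sabach posted above, copied from the thread.
NETSTAT_LISTING = """\
Active Connections

Proto Local Address Foreign Address State
TCP IMMORTAL:1024 210.182.98.2:1762 ESTABLISHED
TCP IMMORTAL:1027 199.218.240.90:2196 ESTABLISHED
TCP IMMORTAL:3113 69.31.74.104:6667 ESTABLISHED
TCP IMMORTAL:3756 194.106.206.47:6667 ESTABLISHED
TCP IMMORTAL:4053 unknown.sagonet.net:6667 ESTABLISHED
TCP IMMORTAL:http ads.x10.com:3122 CLOSE_WAIT
"""

@dataclass
class Conn:
    proto: str
    local: str        # local host:port exactly as printed
    remote_host: str
    remote_port: str  # a number or a service name, as printed
    state: str        # empty for UDP lines, which carry no state column

def parse_netstat(text):
    """One Conn per TCP/UDP line; the title, header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[:3]
        state = parts[3] if len(parts) > 3 else ""
        host, _, port = remote.rpartition(":")   # last colon splits host from port
        conns.append(Conn(proto, local, host, port, state))
    return conns

def irc_sessions(conns):
    """ESTABLISHED TCP sessions whose remote port is an IRC port."""
    return [c for c in conns if c.proto == "TCP" and c.state == "ESTABLISHED"
            and c.remote_port.isdigit() and int(c.remote_port) in IRC_PORTS]

def verdict(text, threshold=2):
    """True plus the peer list when the host holds `threshold` or more IRC sessions at once."""
    hits = irc_sessions(parse_netstat(text))
    return len(hits) >= threshold, [f"{c.remote_host}:{c.remote_port}" for c in hits]
```

    Run `verdict(NETSTAT_LISTING)` to get the three 6667 peers; the CLOSE_WAIT line to ads.x10.com is ordinary web traffic and is not flagged.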
  8. sabach

    I found x.exe and removed it
    and closed mirc.exe
    and the TCP IMMORTAL:4053 unknown.sagonet.net:6667 ESTABLISHED
    is gone..
     
  9. Pilli

    sabach, you need to scan your system with every AV, AT and anti-spyware program that you can. Make sure that they are fully updated.
    Get all the windows security patches and install them.
    Download TDS3 from here: http://tds.diamondcs.com.au/
    Also download the latest radius file and put it in the TDS3 folder - reboot and then do a full system scan with all scan options enabled.

    Please let us know the results. Thanks Pilli
     
  10. Jooske

    If mstasks.exe is not there, it can't be modified either :)
    Normally if you would find the file (windows search/find on your system or in TDS Process Lists) you can right-click on it to see its properties.
    If those indicate a recent modification or the file is in a strange location then your original is most probably overwritten by the trojan download.

    Make sure in your windows you have folder settings to show all files and all file extensions, don't hide hidden files. (is it on XP My Computer > view > folders options > uncheck "hide hidden files" etc?)

    What you could notice are also things like using lots of bandwidth, lot of CPU activity, etc.
    Did you already reboot after deleting the x.exe file? If it is still somewhere, let TDS scan your system and tell if it is something (positive identification with a name) or a "suspicious" file -- in the last case I would like you to zip the thing and submit it to submit@diamondcs.com.au
    Either your file has another newer form, or one of the zombie-users (intruders on your system) uses it differently.
    With those mIRC connections you could expect keyloggers, trojans, etc.
    What was installed at least was the tinyproxy; maybe the file mstasks.exe is not found back after doing its job of installing that tiny proxy thing on your system.
    This is why I asked if you notice more things. Could be another startpage for instance, or you not being able to visit special websites related with anti-virus, redirections to sudden pages, etc.

    I'm expecting you to find these infections:
    Trojandropper.VBS.Zerolin which extracts TrojanDropper.Win32.Small.ei from itself and executes it.
    Small.ei in turn extracts two more Trojans from itself: TrojanNotifier.Win32.Small.d and TrojanProxy.Win32.Daemonize.j.

    Good that you discovered it this far already!

    Looks like you missed the critical updates described in the MS security bulletins.
    ObjData attempts to use the Object Type Vulnerability and two vulnerabilities that could allow an attacker to cause arbitrary code to run on the user's system in MS Windows described in the following Security Bulletins:

    Microsoft Security Bulletin MS03-032
    Microsoft Security Bulletin MS03-040
    These vulnerabilities are critical since they allow for the execution of random malicious code when users visit specially constructed HTML pages.
     
    Last edited: Jul 31, 2004
  11. sabach

    Hi, first I'd like to thank you for helping me..! :)
    So thanks!

    Now, when I deleted the x.exe and used netstat, I noticed that the connection is gone..
    This is a good start..
    Now I'm scanning with TDS-3
    and I scanned with Ad-aware

    I do have ZoneAlarm (but it's not working because I logged into a website and it installed a thing on the PC... and I deleted it..)
    and also Norton Antivirus.. which helps every now and then
     
  12. sabach

    That TDS-3 doesn't show a thing
    and how can I know if I'm clean so far?
     
  13. Jooske

    After downloading TDS, installing it with all other scanners closed temporarily (your Norton etc.), visit back to the TDS download site for the latest update, reboot if you hadn't done so yet after the install, after the reboot start TDS and let it do its startup scans;
    now with Norton and other scanners still closed completely, in TDS > system testing > scan control, check all scan options on both tabs and worm slider to the max, a full system scan. Was this all exactly what you did and no alarm at all?
    Norton and other scanners might give TDS and other scanners not full access to all files and you could get less correct scans.

    The object data exploit might have come via an email or a website on your system, and if your system was not fully patched the exploit could get to a website with a script to forward you to a download site to get the tinyproxy installed on your system, which at the same time opens backdoors and makes your system a zombie proxy. So your firewall might protect you for other portscans, but the port is wide open for this nasty thing.
    Are there any unknown processes running in TDS > System Analyses > Process List?
    Are there any new additions to the AutoStart Explorer?
    If you look in the Task Manager do you see any strange processes running? And in The Port Explorer, maybe hidden (red text) processes?
    Hidden is not always illegal, but they need your attention to make sure what they are.
    I don't expect anything new in Add/remove, could be, you might like to check in your windows for every new created or modified process/file since the possible infection date and see if you know them all.

    If your full system scan was not done the way described you really should try.
    And like Pilli said, also with SpybotS&D, Ad-aware, online scanners like housecall, etc.
    If you now get any alarms in the TDS bottom console, right-click on one of them and choose "save to text", which scandump.txt you can paste in your next posting.
     
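    Post 10 suggests checking a file's properties for a recent modification or a strange location, and the post above suggests listing every file created or modified since the suspected infection date. Here is an added example (not code from the thread or from TDS) that does that listing in Python: it walks a folder tree for executables modified after a cutoff and records their SHA-256. The demo folder, the file names it creates and the 7-day window are constructed for the demo.

```python
import hashlib
import os
import tempfile
import time
from datetime import datetime, timedelta
from pathlib import Path

# Extensions worth listing when hunting a dropper and what it installed.
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".pif", ".vbs", ".bat"}

def sha256_of(path, chunk=1 << 16):
    """Hex SHA-256 of a file, read in chunks so big files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def files_changed_since(root, since, suffixes=EXEC_SUFFIXES):
    """(path, modified, sha256) for executables under `root` modified at or after
    `since`, oldest first, ready to paste into a thread or compare with a scan."""
    cutoff = since.timestamp()
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or p.suffix.lower() not in suffixes:
            continue
        # st_mtime is the "Modified" field of the Windows Properties dialog.
        mtime = p.stat().st_mtime
        if mtime >= cutoff:
            hits.append((str(p), datetime.fromtimestamp(mtime), sha256_of(p)))
    return sorted(hits, key=lambda t: t[1])

def build_demo_tree():
    """Constructed fixture: an untouched old file beside a freshly dropped x.exe."""
    root = Path(tempfile.mkdtemp(prefix="infdemo_"))
    old = root / "system32" / "notepad.exe"
    old.parent.mkdir()
    old.write_bytes(b"MZ benign program from the original install")
    year_ago = time.time() - 400 * 86400
    os.utime(old, (year_ago, year_ago))      # push its mtime back over a year
    fresh = root / "temp" / "x.exe"
    fresh.parent.mkdir()
    fresh.write_bytes(b"MZ dropped last night")
    return root

def demo_scan(days_back=7):
    """Scan the fixture for anything changed in the last `days_back` days."""
    return files_changed_since(build_demo_tree(), datetime.now() - timedelta(days=days_back))
```

    A dropper can backdate timestamps, so treat the list as a triage starting point rather than proof that nothing else was touched.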
  14. Jooske

    Any news yet?
    To be prepared: after this i would like you to create a HiJackThis log (with all options checked) and post that in this same thread here.
    For the file and instructions please look in [thread]15913[/thread]
    Just to be really very sure that you are very completely clean.
    To create the HiJackThis log you can have TDS on, but not scanning at the same time, but if you have for instance AVG or other anti-virus scanners best to close them those few moments it takes to create the HJT log.
    Looking forward to your results.
     