unknown.sagonet connection? whats this?

Discussion in 'Port Explorer' started by jordan777rn, Jul 3, 2004.

Thread Status:
Not open for further replies.
  1. jordan777rn

    jordan777rn Guest

    Hi, I am a newbie who is using TDS and Port Explorer. For the last few weeks I have had a connection, unknown.sagonet, on my machine which is leeching bandwidth, I think; the IP is 207.150.164.168 and the country via Port Explorer is United States. Is this a virus or trojan or other exploit? Either way I was wondering how I could permanently stop this connection.

    Any recommendations or help appreciated
    David
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there and welcome!
    Yes, that is a nasty one; you should kill the connection immediately and find the things on your system also via the HijackThis log review forum.

    You most probably did not patch your Windows, as this is an object-data exploit.
    It is included in emails like those for the cheap software, medications, etc.
    The object-data exploit thing redirects you to a site to grab a download, mstasks.exe (I think it was; will come back after I look carefully for the exact names), which is a downloader for other malware, x.exe or z.exe, which installs the tiny proxy on your system, leaving backdoors and opening the gates for all who like a proxy, stealing your bandwidth and resources, turning your system into a zombie spamming around to spread the infection.
    The first one I was aware of redirected to fatbonuscasino, and it is even located on the premium Yahoo net servers. Even with many complaints Yahoo never removed it; probably it makes them good money.
    The link changed various times, and the ownership and name of the domain changed a few times too.
    Indirectly those are all traceable to China. Sagonet is involved in the story too; I think the X.exe came from there.

    NetRange: 207.150.164.160 - 207.150.164.169
    CIDR: 207.150.164.160/29, 207.150.164.168/31
    NetName: SAGO-207-150-164-160
    NetHandle: NET-207-150-164-160-1
    Parent: NET-207-150-160-0-1
    NetType: Reassigned
    Comment: NOCWorx SWIP Interface v1.5 - http://interworx.info
    RegDate: 2004-06-24
    Updated: 2004-06-24

    AbuseHandle: ABUSE32-ARIN
    AbuseName: Abuse Team
    AbusePhone: +1-866-510-4000
    AbuseEmail: abuse@sagonet.com

    The VBS script resolves to,
    revealing as Trojan.Proxy.Daemonize.T.Dropper.
    The payload appears to be Trojanhorse Dropper. Inor J,
    Trojanhorse Downloader. Small BG and
    Trojanhorse Proxy.4.AM;
    in the meantime probably more.


    mstasks.exe
    The mstasks.exe file is a UPX-compressed executable. When decompressed
    it has its own code to do some stuff (it includes the strings
    "Olive System"
    "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    "\suchost.exe"
    "\suchostp.exe"
    "suchostp.exe -p%u"
    "suchostp.exe"
    "SOFTWARE\Microsoft\Mctest\"
    "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    "cmd.exe /K del %s"

    so we have a spammer installing a proxy on victims' machines, converting
    them into the spammer's own spam-zombies, or worse.

    The SUCHOST.EXE file sends an HTML message to a server.

    fatbonuscasino is an alias for p2.geo.premiumservices.yahoo.com
    777onlineslot is an alias for geo.premiumservices.yahoo.com
    Both belonged to some Belgian guy; now it's another owner.
    wildwincasino is one of the redirects too,
    located at
    Name Server.......... yns1.yahoo.com
    Name Server.......... yns2.yahoo.com
    casinomeister,
    bethehealer,
    NS.conet.net are involved too, and lots more..

    At a certain moment I had emails which seemed empty, but in the source the exploit was visible all the time.

    At the end of May the business went to an Israeli owner; I did not follow exactly what happened after that.

    ramisoft was part of it; I located the nasties here:
    NS1.SAGONET.COM 66.118.128.2
    NS2.SAGONET.COM 66.118.128.3


    All together this is a rather serious condition: think of sensitive data, credit card numbers, bank accounts, all that. So get clean and rid of those nasties; when all is clean and updated and all that, change all passwords, even the most unimportant ones.
    Your computer at the moment is a highway zombie on the internet!




    So please, first of all: good that you have Port Explorer, with which you have now seen trojan behavior in action and which is part of the story. You might like a few moments to spy on a few data packets from such connections to gather some proof for yourself, but don't leave that up too long, as the capture.bin grows fast!

    In the meantime please update your Windows via the Windows Update site, and when there, look carefully that you are really there and not redirected (spoofed) to one of their fake sites.
    Maybe, to avoid that, you would like first to clean out via HijackThis; see the instructions and how to post in that forum in thread 15913.

    BTW: to be able to post there, you need to join the forum as a member (which is free of course)

    Please post back your next experiences!
     
    Last edited: Jul 3, 2004
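The post above lists two things a reader can check for themselves on a suspect download: whether the file is UPX-packed (the UPX0/UPX1 section names and the "UPX!" signature are usually still visible in the packed file) and whether its strings include the Run-key persistence path, the suchost/suchostp file names, the "-p%u" proxy-port argument and the "cmd.exe /K del %s" self-delete command. The script below is an added example, not code from the thread or from DiamondCS; it runs a `strings`-style scan over a file and reports which of those indicators match. The sample bytes are constructed here to stand in for an executable and are not a real mstasks.exe; the indicator patterns are taken from the strings the poster quoted.

```python
"""Static triage of a suspect Windows executable (added example, not from the thread).

Checks for UPX packing markers and for the indicator strings listed in the post.
The sample blobs at the bottom are constructed stand-ins, not real PE files.
"""
import re
from typing import Dict, List

# Indicator strings quoted in the post, as regular expressions over printable runs.
INDICATORS = {
    "run_key_persistence": rb"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "suchost_dropper":     rb"\\?suchostp?\.exe",      # \suchost.exe, \suchostp.exe, ...
    "proxy_port_arg":      rb"suchostp\.exe -p%u",     # proxy started with a port argument
    "self_delete":         rb"cmd\.exe /K del %s",     # dropper deletes itself after install
    "olive_system_tag":    rb"Olive System",
}
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def looks_upx_packed(data: bytes) -> bool:
    """UPX leaves its section names and 'UPX!' signature in place unless scrubbed."""
    return any(marker in data for marker in UPX_MARKERS)


def extract_strings(data: bytes, min_len: int = 5) -> List[str]:
    """Runs of printable ASCII, the same thing the `strings` tool prints."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return [run.decode("ascii") for run in runs]


def triage(data: bytes) -> Dict[str, object]:
    """Return packing status, matched indicator strings and a coarse verdict."""
    strings = extract_strings(data)
    hits: Dict[str, List[str]] = {}
    for name, pattern in INDICATORS.items():
        matched = [s for s in strings if re.search(pattern, s.encode("ascii"))]
        if matched:
            hits[name] = matched
    packed = looks_upx_packed(data)
    # Packing on its own proves nothing (plenty of legitimate software ships UPX-packed);
    # packing combined with persistence and self-delete strings is what the post describes.
    if len(hits) >= 2 or (packed and hits):
        verdict = "suspicious"
    elif hits or packed:
        verdict = "weak indicators"
    else:
        verdict = "no indicators"
    return {"is_pe": data[:2] == b"MZ", "upx_packed": packed, "hits": hits, "verdict": verdict}


def _build_sample(packed: bool, strings: List[bytes]) -> bytes:
    """Constructed stand-in for an executable: MZ header, optional UPX markers,
    then NUL-separated strings. Not a valid PE file, just enough for the scan."""
    blob = b"MZ" + b"\x90" * 62
    if packed:
        blob += b"UPX0" + b"\x00" * 4 + b"UPX1" + b"\x00" * 4 + b"UPX!" + b"\x00"
    return blob + b"\x00".join(strings) + b"\x00"


# Constructed sample: the strings the post reports seeing in the unpacked mstasks.exe.
SAMPLE_SUSPECT = _build_sample(True, [
    b"Olive System",
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"\\suchost.exe", b"\\suchostp.exe", b"suchostp.exe -p%u",
    b"SOFTWARE\\Microsoft\\Mctest\\",
    b"cmd.exe /K del %s",
])
# Constructed benign sample: ordinary import names, no packing, no persistence strings.
SAMPLE_CLEAN = _build_sample(False, [b"Hello, world!", b"KERNEL32.dll", b"ExitProcess"])

if __name__ == "__main__":
    for label, sample in (("suspect", SAMPLE_SUSPECT), ("clean", SAMPLE_CLEAN)):
        result = triage(sample)
        print(label, result["verdict"], sorted(result["hits"]))
```

To run it against a real file, pass `open(path, "rb").read()` to `triage()`. Because the indicators are plain strings, a sample that stays packed on disk may show only the UPX markers; unpack it first (or run the scan over a memory dump of the running process) before trusting a "no indicators" result.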
  3. RogueWriter

    RogueWriter Guest

    I'm seeing unknown.sagonet in my stats for my web site; what's up with that? It 'visited' my site some 450 times last month. Is it acting as a spider, or is it just someone's PC that is infected that is being hijacked for some use?
     
  4. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I found some info about this sago thing... It's from a company called Sago Networks.

    Name: Technical Support
    Handle: TECHN20-ARIN
    Company: Sago Networks
    Address: 4465 W. Gandy Blvd.
    Address: Suite 800
    City: Tampa
    StateProv: FL
    PostalCode: 33611
    Country: US
    Comment:
    RegDate: 2002-11-08
    Updated: 2002-11-08
    Phone: +1-866-510-4000
    Email: *******@sagonet.com
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Please see my description above about the infection and which files to look for, etc.

    PS: since we officially don't have the HJT cleanout service, you can either, in this case, post your HJT log or autostartViewer log (use all options to make it complete) here or submit it to support@diamondcs.com.au (when a mod asks for it you have permission to have it checked), or you could have it done on one of the ASAP forums where the service is still available.
     
  6. So what causes this to happen exactly?
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You might have clicked an infected spam mail sending you to such an auto-download installation, transforming your system into a digital highway (open proxy), with users doing everything on your system they want, including storing questionable websites, not to mention storing or using sensitive information. So best prevent infection, and if infected, get rid of it as described.
     
  8. unregisted

    unregisted Guest

    Sagonet is a datacenter, in case anyone doesn't know; servers are where people put their webservers. I would recommend you contact them personally about your problem; if someone is misusing their services (as I suspect) then they are the type to take a hard line on it.
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I did explain to Sagonet what's going on and forwarded the thread; the whole internet is filled with discussions about them, IPs blocked and blacklisted elsewhere, so they really must be aware what's going on. Thousands upon thousands of complaints have gone there if you look in the internet abuse lists.
    And then I can't think this reaction is the "hard line", is it?
    Quote from sagonet to me:
    As you see, it really doesn't help; just block the whole IP range in your firewall and Port Explorer, clean out the system for eventual garbage and stay away from everything which could infect your system. :)
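The advice to "block the whole IP range" relies on the ARIN record quoted earlier in the thread, which gives the range both as a NetRange (207.150.164.160 - 207.150.164.169) and as CIDR blocks (207.150.164.160/29 and 207.150.164.168/31). The script below is an added example, not code from the thread, Port Explorer or Sagonet: it checks that the two ARIN fields actually describe the same addresses, matches a connection list against those blocks, and emits firewall rules. The connection lines are constructed in a made-up "process remote:port" format, not real Port Explorer output, and the `netsh advfirewall` syntax is one way to express the block on a current Windows host, not something the thread itself used. A 2004 WHOIS record says nothing about who holds these addresses today, so re-query the registry before blocking anything.

```python
"""Blocklist check built from an ARIN record (added example, not from the thread).

Verifies NetRange against CIDR, flags connections into the range, and produces
block rules. Connection lines below are constructed, not real Port Explorer output.
"""
import ipaddress
from typing import Iterable, List, Sequence, Tuple

# Values as quoted from the ARIN record in the thread.
ARIN_NETRANGE = ("207.150.164.160", "207.150.164.169")
ARIN_CIDRS = ["207.150.164.160/29", "207.150.164.168/31"]


def cidrs_for_range(first: str, last: str) -> List[str]:
    """Minimal CIDR cover of an inclusive address range."""
    nets = ipaddress.summarize_address_range(ipaddress.ip_address(first),
                                             ipaddress.ip_address(last))
    return [str(n) for n in nets]


def arin_record_consistent(netrange: Tuple[str, str], cidrs: Sequence[str]) -> bool:
    """ARIN publishes both fields; a mismatch means a copy error or a stale record."""
    expected = sorted(cidrs_for_range(*netrange))
    given = sorted(str(ipaddress.ip_network(c, strict=True)) for c in cidrs)
    return expected == given


def in_blocklist(ip: str, cidrs: Sequence[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def flag_connections(lines: Iterable[str], cidrs: Sequence[str]) -> List[Tuple[str, str, int]]:
    """Parse constructed 'process remote_ip:port' lines; return those in the blocklist."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or ":" not in parts[1]:
            continue  # blank or header line in the listing
        host, port = parts[1].rsplit(":", 1)
        try:
            if in_blocklist(host, cidrs):
                flagged.append((parts[0], host, int(port)))
        except ValueError:
            continue  # hostname rather than an IP literal, or a bad port
    return flagged


def block_rules(cidrs: Sequence[str], name: str = "sagonet-block") -> List[str]:
    """Windows Firewall rules via netsh advfirewall, one inbound and one outbound per block.
    The rule name is a hypothetical label chosen here."""
    rules = []
    for cidr in cidrs:
        for direction in ("in", "out"):
            rules.append(
                f'netsh advfirewall firewall add rule name="{name}" '
                f"dir={direction} action=block remoteip={cidr}"
            )
    return rules


# Constructed sample listing: one entry per connection, "process remote_ip:port".
CONNECTIONS = [
    "svchost.exe 207.46.134.155:80",
    "suchostp.exe 207.150.164.168:25",
    "iexplore.exe 66.118.128.2:53",
    "suchost.exe 207.150.164.162:8080",
    "firefox.exe 207.150.164.170:80",      # just outside the /31, must not be flagged
]

if __name__ == "__main__":
    print("ARIN record consistent:", arin_record_consistent(ARIN_NETRANGE, ARIN_CIDRS))
    for proc, host, port in flag_connections(CONNECTIONS, ARIN_CIDRS):
        print(f"BLOCKLISTED  {proc:14s} -> {host}:{port}")
    print("\n".join(block_rules(ARIN_CIDRS)))
```

The consistency check matters more than it looks: the /29 and /31 together cover exactly .160 to .169, so a hand-copied "/28" would silently widen the block to .175 and a typo in the NetRange would narrow it. Blocking by range also only stops traffic to that provider; the proxy binary on the infected machine still needs to be removed, as the thread says.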
     