
I suspect I've been 0wn3d

Posted: 2005-02-23 12:00pm
by Datana
While going over my firewall logs yesterday, I noticed something strange -- my computer had made a half dozen attempts at uploading something via POP to 67.201-252-78.telecom.net.ar without asking for permission over the course of the past two days. As I don't know anyone in Argentina, I immediately began to suspect that my box had been hijacked. A spyware sweep revealed nothing, however, and an antivirus scan similarly yielded no results. There are no strange services or executables visibly running. In addition, I can't think of a vector; the only thing I installed recently was the update of Adobe Reader from 6.01 to 7.0, and I've only started up IE a handful of times in the days before the odd entries appeared.

Am I just being paranoid? Is there a legit program that might try connecting to such an odd address? Google yields no results on any viruses or trojans that send to that domain, but it's a known spammer-laden ISP. If it's not paranoia, what else can I try to do to track down the program trying to call out? I'm going to nuke my system as a precaution in a few days, but until then, I want to see if there's anything else I can do to isolate the source.

Posted: 2005-02-23 12:22pm
by Xon
If you are running Win9x, please don't.

Otherwise, there is a tool which should pick up any current rootkits for the Windows NT line: linky

You need a fair amount of technical knowledge of Windows to figure it out, and you can post a screenshot here or the CSV file the command-line version can output.

This tool only works if the rootkit is using some type of stealth; stuff which doesn't try to hide itself isn't going to show up at all.

Posted: 2005-02-23 12:58pm
by InnocentBystander
Just go into the command prompt and run netstat (equiv of tcpdump). If you have active connections to places you shouldn't, then you could be in trouble.
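An added example, not from any post in this thread: a small Python script that parses `netstat -ano` output (the `-o` switch, available on XP and later, adds the owning PID that plain `netstat` does not show), keeps only TCP connections to non-private peers, and diffs consecutive snapshots so it can be left running to catch a short-lived outbound attempt. The sample text is constructed in the shape XP's netstat prints; the peer 203.0.113.7 is a documentation address standing in for the Argentine host, and port 10111 is the one reported later in the thread. The list of non-routable ranges is the script's own assumption.

```python
import ipaddress
import subprocess
import time

# Constructed sample in the layout of "netstat -ano" on Windows XP/2003.
# The peer address and PIDs are made up; port 10111 comes from the thread.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    127.0.0.1:1027         127.0.0.1:1028         ESTABLISHED     1112
  TCP    192.168.1.5:1045       203.0.113.7:10111      SYN_SENT        1460
  TCP    192.168.1.5:1046       192.168.1.1:445        ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""

# Ranges that never reach the Internet; anything else counts as external.
# Deliberately hand-listed (assumption) so documentation addresses such as
# 203.0.113.0/24 are treated as external peers in the sample.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fe80::/10", "fc00::/7",
)]


def _split_endpoint(endpoint):
    """'1.2.3.4:80' -> ('1.2.3.4', '80'); also handles '[::1]:80'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Turn netstat -ano text into dicts; TCP rows have a state, UDP rows do not."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or "Active Connections"
        if fields[0] == "TCP" and len(fields) == 5:
            proto, local, remote, state, pid = fields
        elif fields[0] == "UDP" and len(fields) == 4:
            proto, local, remote, pid = fields
            state = ""
        else:
            continue  # unexpected column count; skip rather than guess
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def is_external(host):
    """True for a numeric address outside every non-routable range."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # "*" or a hostname: not a numeric peer
    return not any(ip in net for net in NON_ROUTABLE)


def outbound_external(rows):
    """(host, port, state, pid) for every non-listening TCP row with an external peer."""
    hits = []
    for row in rows:
        if row["proto"] != "TCP" or row["state"] == "LISTENING":
            continue
        host, port = _split_endpoint(row["remote"])
        if is_external(host):
            hits.append((host, int(port), row["state"], row["pid"]))
    return hits


def new_peers(previous, current):
    """Hits present in this snapshot but not in the last one (keyed on host, port, pid)."""
    key = lambda h: (h[0], h[1], h[3])
    seen = {key(h) for h in previous}
    return [h for h in current if key(h) not in seen]


if __name__ == "__main__":
    # Poll once a second and report each new outbound attempt with its PID.
    last = []
    while True:
        out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
        now = outbound_external(parse_netstat(out))
        for host, port, state, pid in new_peers(last, now):
            print(f"new outbound {state} to {host}:{port} from PID {pid}")
        last = now
        time.sleep(1)
```

A one-second poll is usually enough: a SYN that gets no answer sits in SYN_SENT for several seconds while it retransmits, so the PID is visible long enough to look it up in Task Manager or tasklist. The caveat is that netstat reads the same kernel tables a kernel-mode rootkit can hook, so a clean listing rules out only the cases where nothing is hiding the socket.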

Posted: 2005-02-23 01:25pm
by Datana
ggs: The RootkitReveal log is below. I don't see any strange files, but I don't recognize any of the HKLM Registry entries. I've done a relatively thorough search for anything out of the ordinary among visible entries in startup and services, and have found nothing that wasn't there before (excepting Adobe License Manager, which was added during the install of Reader 7.0).
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties 08/08/2004 10:43 AM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties 08/08/2004 10:43 AM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties 08/08/2004 10:43 AM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties 08/08/2004 10:43 AM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties 08/08/2004 10:43 AM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties 08/08/2004 10:43 AM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties 08/08/2004 10:43 AM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg40 18/02/2005 8:19 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\MRxDAV\EncryptedDirectories 08/08/2004 5:51 PM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet003\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties 08/08/2004 10:43 AM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet003\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties 08/08/2004 10:43 AM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet003\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties 08/08/2004 10:43 AM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet003\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties 08/08/2004 10:43 AM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet003\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties 08/08/2004 10:43 AM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet003\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties 08/08/2004 10:43 AM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet003\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties 08/08/2004 10:43 AM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet003\Services\MRxDAV\EncryptedDirectories 08/08/2004 5:51 PM 0 bytes Access is denied.
C:\$AttrDef 25/02/2004 4:02 AM 2.50 KB Hidden from Windows API.
C:\$BadClus 25/02/2004 4:02 AM 0 bytes Hidden from Windows API.
C:\$BadClus:$Bad 25/02/2004 4:02 AM 111.78 GB Hidden from Windows API.
C:\$Bitmap 25/02/2004 4:02 AM 3.49 MB Hidden from Windows API.
C:\$Boot 25/02/2004 4:02 AM 8.00 KB Hidden from Windows API.
C:\$Extend 25/02/2004 4:02 AM 0 bytes Hidden from Windows API.
C:\$Extend\$ObjId 25/02/2004 12:41 PM 0 bytes Hidden from Windows API.
C:\$Extend\$Quota 25/02/2004 12:41 PM 0 bytes Hidden from Windows API.
C:\$Extend\$Reparse 25/02/2004 12:41 PM 0 bytes Hidden from Windows API.
C:\$LogFile 25/02/2004 4:02 AM 64.00 MB Hidden from Windows API.
C:\$MFT 25/02/2004 4:02 AM 84.70 MB Hidden from Windows API.
C:\$MFTMirr 25/02/2004 4:02 AM 4.00 KB Hidden from Windows API.
C:\$Secure 25/02/2004 4:02 AM 0 bytes Hidden from Windows API.
C:\$UpCase 25/02/2004 4:02 AM 128.00 KB Hidden from Windows API.
C:\$Volume 25/02/2004 4:02 AM 0 bytes Hidden from Windows API.
F:\$AttrDef 08/08/2004 10:37 AM 2.50 KB Hidden from Windows API.
F:\$BadClus 08/08/2004 10:37 AM 0 bytes Hidden from Windows API.
F:\$BadClus:$Bad 08/08/2004 10:37 AM 111.78 GB Hidden from Windows API.
F:\$Bitmap 08/08/2004 10:37 AM 3.49 MB Hidden from Windows API.
F:\$Boot 08/08/2004 10:37 AM 8.00 KB Hidden from Windows API.
F:\$Extend 08/08/2004 10:37 AM 0 bytes Hidden from Windows API.
F:\$Extend\$ObjId 08/08/2004 10:37 AM 0 bytes Hidden from Windows API.
F:\$Extend\$Quota 08/08/2004 10:37 AM 0 bytes Hidden from Windows API.
F:\$Extend\$Reparse 08/08/2004 10:37 AM 0 bytes Hidden from Windows API.
F:\$LogFile 08/08/2004 10:37 AM 64.00 MB Hidden from Windows API.
F:\$MFT 08/08/2004 10:37 AM 157.56 MB Hidden from Windows API.
F:\$MFTMirr 08/08/2004 10:37 AM 4.00 KB Hidden from Windows API.
F:\$Secure 08/08/2004 10:37 AM 0 bytes Hidden from Windows API.
F:\$UpCase 08/08/2004 10:37 AM 128.00 KB Hidden from Windows API.
F:\$Volume 08/08/2004 10:37 AM 0 bytes Hidden from Windows API.
F:\Documents and Settings\Datana\Application Data\Azureus\tracker.config 23/02/2005 9:49 AM 14 bytes Visible in Windows API, directory index but not in MFT.
F:\Program Files\Internet\BOINC\client_state.xml 23/02/2005 9:46 AM 14.65 KB Hidden from Windows API.
InnocentBystander: netstat doesn't reveal anything out of the ordinary until whatever this is attempts to send out. At that point, the only indicators I get are an outgoing TCP connection on port 10111 and the AVG e-mail scanner firing up. If I hadn't instructed my firewall to log all attempts at sending e-mail, I wouldn't have even spotted this in the first place.
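An added example, not part of any post in this thread: a Python script that sorts a RootkitRevealer-style log like the one above into three tiers, so the handful of lines worth a second look are not buried among the expected NTFS metafiles and ACL-restricted keys. The sample lines are a constructed subset copied in the tool's line format (dates are dd/mm/yyyy, as posted). Which patterns count as benign by default, and the tier names, are the script's own assumptions, not anything the tool or the thread states; in particular it treats any registry key reported hidden from the Windows API as something to investigate, and any ordinary file reported hidden or inconsistent between the directory index and the MFT as something to rescan, since a file being written during the scan can land there.

```python
import re
from collections import Counter

# Constructed sample in RootkitRevealer's one-discrepancy-per-line format:
#   <path> <dd/mm/yyyy> <h:mm AM|PM> <size> <reason>
# These mirror lines from the posted log; they are not a new scan.
SAMPLE_LOG = r"""
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties 08/08/2004 10:43 AM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg40 18/02/2005 8:19 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\MRxDAV\EncryptedDirectories 08/08/2004 5:51 PM 0 bytes Access is denied.
C:\$MFT 25/02/2004 4:02 AM 84.70 MB Hidden from Windows API.
C:\$BadClus:$Bad 25/02/2004 4:02 AM 111.78 GB Hidden from Windows API.
F:\$Extend\$ObjId 08/08/2004 10:37 AM 0 bytes Hidden from Windows API.
F:\Documents and Settings\Datana\Application Data\Azureus\tracker.config 23/02/2005 9:49 AM 14 bytes Visible in Windows API, directory index but not in MFT.
F:\Program Files\Internet\BOINC\client_state.xml 23/02/2005 9:46 AM 14.65 KB Hidden from Windows API.
"""

# The path may contain spaces, so the non-greedy path group stops at the
# first thing that looks like the date column.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<date>\d{2}/\d{2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>\S+ (?:bytes|KB|MB|GB))\s+"
    r"(?P<reason>.+)$"
)

# NTFS metafiles ($MFT, $Bitmap, $Extend\$ObjId, $BadClus:$Bad, ...) sit at a
# volume root and are never exposed through the Win32 API, so the tool always
# reports them as hidden. Assumed benign.
NTFS_METAFILE_RE = re.compile(
    r"^[A-Za-z]:\\\$[A-Za-z]+(?:\\\$[A-Za-z]+)?(?::\$[A-Za-z]+)?$"
)

# Keys Windows protects with a SYSTEM-only ACL; "Access is denied" on these
# is the normal result. Assumed benign; extend the list for your own build.
ACL_RESTRICTED_RE = re.compile(
    r"^HKLM\\SYSTEM\\ControlSet\d{3}\\(?:"
    r"Control\\Class\\\{[0-9A-Fa-f-]{36}\}\\Properties"
    r"|Services\\MRxDAV\\EncryptedDirectories)$"
)

REGISTRY_ROOTS = ("HKLM\\", "HKCU\\", "HKU\\")


def parse_line(line):
    """One log line -> dict of path/date/time/size/reason, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return (tier, note); tiers are 'expected', 'review' or 'investigate'."""
    path, reason = entry["path"], entry["reason"]
    if reason.startswith("Access is denied"):
        if ACL_RESTRICTED_RE.match(path):
            return "expected", "ACL-restricted key; normal on this key"
        return "review", "access denied on an object that is not normally locked"
    if reason.startswith("Hidden from Windows API"):
        if NTFS_METAFILE_RE.match(path):
            return "expected", "NTFS metafile"
        if path.upper().startswith(REGISTRY_ROOTS):
            return "investigate", "registry key the Windows API cannot see"
        return "review", "file hidden from the API; rescan, a file written mid-scan can show up here"
    if "directory index but not in MFT" in reason:
        return "review", "directory index and MFT disagree; usually a file replaced mid-scan, rescan"
    return "review", "discrepancy type not recognised"


def triage(lines):
    """Classify every parseable line; returns [(tier, path, note), ...]."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tier, note = classify(entry)
        results.append((tier, entry["path"], note))
    return results


def summarize(results):
    """Count of entries per tier."""
    return Counter(tier for tier, _, _ in results)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for tier in ("investigate", "review", "expected"):
        for t, path, note in results:
            if t == tier:
                print(f"[{tier:11}] {path}  ({note})")
    print(dict(summarize(results)))
```

Run against the posted log this leaves one entry in the investigate tier (the hidden `Services\a347scsi\Config\jdgg40` key) and the two recently written files in the review tier; everything else is the tool describing normal NTFS and registry behaviour. A second scan a few minutes later is the cheapest way to tell a file caught mid-write from one that is genuinely being hidden: the former moves or disappears, the latter stays.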

Posted: 2005-02-23 10:02pm
by Xon
Datana wrote:ggs: The RootkitReveal log is below. I don't see any strange files, but I don't recognize any of the HKLM Registry entries. I've done a relatively thorough search for anything out of the ordinary among visible entries in startup and services, and have found nothing that wasn't there before (excepting Adobe License Manager, which was added during the install of Reader 7.0).
That log doesn't have anything which looks wrong in it, beyond "F:\Program Files\Internet\BOINC\client_state.xml", which a quick Google search suggests is part of a distributed computing project.

Might have been a file you deleted that is still on disk for some weird reason.

Posted: 2005-02-23 10:57pm
by Datana
ggs wrote:That log doesn't have anything which looks wrong in it, beyond "F:\Program Files\Internet\BOINC\client_state.xml", which a quick Google search suggests is part of a distributed computing project.

Might have been a file you deleted that is still on disk for some weird reason.
Yep, that's pretty much exactly it. BOINC is the latest version of SETI@Home. It writes to the client_state.xml file every few minutes, so I guess that it was in the middle of a write or something when it got scanned. Log indicates that whatever this is made another two attempts at connecting out while I was out today, but has only a blank field for the program that tried it. AVG's log similarly doesn't list what attempted the connection. I have it pinned down for the moment by blacklisting the server it's trying to connect to in my hosts file, but this is still a matter of curiosity.