Me was infected

Printable View

May 23rd, 2003, 11:47 PM
Jonesy69

Me was infected

After wondering what the hell my computer was so sluggish for I found out I had a trojan that my one of my sisters probably carelessly downloaded (I keep telling the rents they dont need admin status). Anyways, I was infected with a pretty advanced backdoor, I could not find it through your normal netstat, and checking the system files and whatnot. Heres a read if anybody is interested.

http://de.mcafee.com/root/genericVIL...virus_k=100252

I have a bunch of IP's, but they're all from China, Korea, and other places that notifying the ISP is futile, so I have an idea.

Is there anyway I could use netcat (under my watchful eye) to send a line of **** to them when they attempt to connect? I'm sitting here watching about 14 different IP's attempting to connect to me, so I'm sure I'd get my message across. My skills with netcat are pretty limited, anybody have any idea how I could have some fun with these punks (legally). :D
May 24th, 2003, 12:02 AM
phishphreek

Sure can...
Ted0b1 showed that in his tutorial here . There are a lot of other useful tricks in his netcat tutorials... look at the tutorial index for the rest of them.

Quote:

As a port blocker:

If you have port 139 open (or any other port associated with a service) you can block file sharing and instead send a message to anyone connecting:
NC –L –s xxx.xxx.xxx.xxx –p 139 –e warning.bat

Warning.bat:
@echo off
call netstat -n
echo Now get the hell out of here lamer!
Call netstat –n >>nclog.txt

When someone telnets to your 139 they will see a record of their connection and someone telling them to beat it, plus you keep a record in a text file and their connection is closed when the batch file (or other executable) finishes.

To do this and catch the data before netbios gets it, you must anchor nc to this interface on that port. This is done with the ‘-s’ and ‘–p’ options, which in this case would be the ip assigned to this connection (interface) and –p 139. If netbios was not enabled the –s option would not be necessary unless you had 2 interfaces (multi-homed)

Even more aggressive strategies can be used on say, well known Trojan ports. Its up to your imagination and the law.

Thats not going to do you much good if you haven't uninstalled that trojan... it has keylogging capabilities....
May 24th, 2003, 02:40 AM
kombinant

here's a little "look-&-see"

1. if anyone "trojaned"/"backdoored" you they would pbbly have the server ask for a pswd (unless the lamer shared it w/ his friends. all 14 of them?? that's unlikely

2. therefore... check your computer for more maleware....14 connection???? hmmm...

3. check the outgoing and incomming ports.. are you sure they are INcommming and not OUTgoing

4. what are the socket #'s ... are they all the same

5. check all the IP's for running IRC server

I think you'd have some kind of IRC eggdrop bot running somwhere... you know... like DDOS zombie, but that's all just assumptions... let us see the IP's and port #'s
May 24th, 2003, 04:11 AM
bugsthecat

at www.blackcode.com there is a firewall called killerwall and you can have it send a text message or a syn flood(very naughty so don't) to someone when they try to connect on a specified port , it also has a lot of good monitoring info(hidden windows,ports , packets.......)
May 25th, 2003, 06:24 PM
Jonesy69

Ok, heres what my trojaned computer is being used for.

Disclaimer, I would take something like this seriously, and delete it at first knowledge. My parents are hardheaded and stupid when it comes to the internet and anything PC realated. Ex. mother thinks I'm hacking when I open a dos prompt and type netstat. :rolleyes:. Oh well, its not my computer, therefore I cant MAKE them backup there files so I can format this POS and start over from scratch. However, this will make you all say WTF, and maybe even open their eyes as to the seriousness of this.

Remote impacts.
-A proxy for portscans to other systems.
-A password cracker (only reason I say this is because my page file usage and CPU usage is VERY high, could be wrong)
-A web proxy
-FTP server ( I have yet to find the directories)
-People are telnetting in and out.
-Been sending massive amounts of SYN, ACK, and ICMP packets to 3 different hosts, most likely a DDOS.
-SMB requests going all over the internet.
-sending messenger popups

and thats just what I've figured so far.

Local impacts.
-They've deleted local files including Norton AV, AOL (cant blame them), Fport, my installation of Nmap, My firewall (reinstalled in vain), etc.
-They're connecting to my fathers buisiness use only computer on our home network. I believe it uses a VPN to connect to the corporate network. You get the point.
-My mother uses THIS computer to log into a certain universitys FTP and web servers.
-Trojan has a keylogger

I know this is bad, and needs to be remidied ASAP, but I would be on the street if I went against their word on this one.

Oh well, I think I have a big I told you so coming. :D
May 26th, 2003, 04:43 PM
trophygirl

Hmmmm.. sounds very similar to mine....
May 26th, 2003, 09:38 PM
Jonesy69

Quote:

Hmmmm.. sounds very similar to mine....

Meaning you wrote the trojan? or you have a similar type of problem on your box? :)
May 27th, 2003, 05:26 PM
trophygirl

Oh God don't...that's how rumors get started lolol...actually I just read your reference to the high pagefile, and I went off to look it up. What the machine I was working on had was the God Damned BackDoor-G. Yes, I renamed it that. Its Sounds better. Anyway, I'm still workin' on yours. Miah