Thread: Has this computer been compromised?

  1. #1
    Senior Member
    Join Date
    Aug 2001
    Posts
    136

    Has this computer been compromised?

    I have a friend who came to me with a question. He feels his puter may be compromised. I did a google and a SamSpade. The Traceroute looked strange to me.

    I'm posting the info he sent me. If you see something obvious that I don't, please feel free to speak up. We all know I'm no expert. LOL

    I knew I could ask my friends here at AO.

    Thanks in advance.

    PS. Hogfly, is your gas better?

    Anyway, here's what he says....

    ---------------------------------------------------

    At work I have a small network. 4 computers including a server.

    My secretary is on vacation this week and I am the only one there.

    While I wasn't on the net, I noticed the data light on the cable modem on the server flashing. (Server is running NT 4.0 with ZAP Pro and WinGate for inet access through cable modem.)

    I do a netstat on my puter. Everything is fine. I check my hub. Nothing on the network is transmitting over the network.

    So I log on to server. (Nobody uses it and it is usually logged off so the only things that should be running are services)

    I do a netstat -a and there are a couple of connections to Romania. WinGate is only showing a connection to my 'puter. Still no network activity.

    info.....

    server:nbsession (I assume NetBEUI) 205.246.203.43:80
    server:2385 varzarv2.kappa.ro:8080
    server:3661 67dial105.xnet.ro:8080

    and connections to

    194.105.24.221:8080:8080/talk.htm
    213.233.67.105:8080:8080/talk.htm

    Actually I think the last 2 were showing in wingate.

    A probe of my system at grc shows I am cool.

    ------------------------------------------------------------------

    Thanks again, folks.
    KapperDog

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    115
    No, you have not been hacked.

  3. #3
    Well, going to http://194.105.24.221:8080 takes you to a page with a message to go to ifriends.net. That domain is registered to Intimate Friends Network out of Florida. www.ifriends.net is an online video chat site, where if you have a web cam, you can chat about cars, computers, gardening.... and yes, Adult Chat.

    But the thing your friend really needs to look out for is that there is a virus that does make a connection to kappa.ro. I remember reading a virus warning a couple weeks ago that said one of the things the virus did was set up a connection to that domain. I remember that specifically because I went to the home page for the domain, just to see what it looked like.
    And just now, I went to kappa.ro and I remembered that I had seen that home page before, and it was due to a virus warning.
    Now, I can't remember WHAT virus it is that does this, but I am sure of it.
    Have your friend do a full virus scan.

  4. #4
    Senior Member
    Join Date
    Aug 2001
    Posts
    136
    Did you know that there was a soccer shoe called the kappa virus...retail, about 125 bucks. LMAO Sometimes, Google just doesn't give the answers you want. LOL

    I didn't find anything about the virus at McAfee or Symantec either, but I'll suggest a full scan to my friend.

    I thought maybe spyware, but he said his ZoneAlarm is secure and working properly. He also said GRC gave him a clean bill of health.

    I also thought someone might be "bouncing" (is that the right term?) off his server. Using it for their own little private proxy server.

    Anyone else?

    Thanks again,
    KapperDog
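
Added example, not part of the thread: one way to test the "someone is using the server as their own proxy" theory from post #4 is to run `netstat -an` on the server and sort each TCP line into proxy listeners reachable from outside the LAN, proxy sessions opened by non-LAN clients, and outbound connections to internet hosts. The LAN range, the proxy port set and the sample output below are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions (not from the thread): the office LAN range and the proxy's listening ports.
LAN = ipaddress.ip_network("192.168.0.0/24")
PROXY_PORTS = {80, 1080}

# Constructed sample in Windows `netstat -an` layout, using documentation addresses.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    192.168.0.1:80         0.0.0.0:0              LISTENING
  TCP    192.168.0.1:80         192.168.0.10:1045      ESTABLISHED
  TCP    203.0.113.5:1080       198.51.100.77:4312     ESTABLISHED
  TCP    203.0.113.5:2385       198.51.100.20:8080     ESTABLISHED
  TCP    203.0.113.5:3661       198.51.100.21:8080     ESTABLISHED
"""

def split_endpoint(text):
    host, _, port = text.rpartition(":")
    return ipaddress.ip_address(host), int(port)

def parse(netstat_text):
    rows = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue  # header, UDP or blank line
        try:
            rows.append((*split_endpoint(parts[1]), *split_endpoint(parts[2]), parts[3]))
        except ValueError:
            continue  # resolved hostnames (no -n) or bracketed IPv6 are skipped
    return rows

def triage(netstat_text, lan=LAN, proxy_ports=PROXY_PORTS):
    rows = parse(netstat_text)
    listening = {lport for _, lport, _, _, state in rows if state == "LISTENING"}
    findings = []
    for lip, lport, rip, rport, state in rows:
        if state == "LISTENING":
            # Proxy bound to 0.0.0.0 or a public address is reachable from the internet.
            if lport in proxy_ports and lip not in lan and not lip.is_loopback:
                findings.append(("proxy-exposed", f"{lip}:{lport}"))
        elif state == "ESTABLISHED" and rip not in lan and not rip.is_loopback:
            if lport in proxy_ports:
                findings.append(("external-proxy-client", f"{rip}:{rport}"))
            elif lport not in listening:  # ephemeral local port: the server dialled out
                findings.append(("outbound-to-internet", f"{rip}:{rport}"))
    return findings
```

An `external-proxy-client` row alongside `outbound-to-internet` rows, at a time when no LAN client is browsing, is the pattern an abused open proxy would produce; outbound rows alone point instead at something running on the server itself.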
