Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: hacked??

  1. #1
    Junior Member
    Join Date
    Apr 2003
    Posts
    6

    Angry hacked??

    I think something is badly wrong with my computer's state of affairs... I found a .log file on my desktop with a Java stream that goes like this:

    An unexpected exception has been detected in native code outside the VM.
    Unexpected Signal : EXCEPTION_ACCESS_VIOLATION occurred at PC=0x6d3c7975
    Function name=ZIP_Open
    Library=C:\PROGRA~1\JavaSoft\JRE\133DB1~1.1_0\bin\zip.dll

    Current Java thread:
    at java.util.zip.ZipFile.getEntry(Native Method)
    at java.util.zip.ZipFile.getEntry(Unknown Source)
    at java.util.jar.JarFile.getEntry(Unknown Source)
    at sun.net.www.protocol.jar.URLJarFile.getEntry(Unknown Source)
    at java.util.jar.JarFile.getJarEntry(Unknown Source)
    at sun.misc.URLClassPath$JarLoader.getResource(Unknown Source)
    at sun.misc.URLClassPath.getResource(Unknown Source)
    at java.net.URLClassLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(Unknown Source)
    at sun.applet.AppletClassLoader.findClass(Unknown Source)
    at sun.plugin.security.PluginClassLoader.findClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.applet.AppletClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClassInternal(Unknown Source)
    at java.lang.Class.newInstance0(Native Method)
    at java.lang.Class.newInstance(Unknown Source)
    at sun.applet.AppletPanel.createApplet(Unknown Source)
    at sun.plugin.AppletViewer.createApplet(Unknown Source)
    at sun.applet.AppletPanel.runLoader(Unknown Source)
    at sun.applet.AppletPanel.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

    Does any1 speak Java? I dont like this Unknown source business, and that last command looks alot like a data dump(from webcrawler searches of the command)... BTW I just filed taxes yesterday and my hrblock password is changed, and the filing status was changed three times (notified via e-mail). Any help would be really appreciated, even an unsure explanation would be nice. I'm really freaked out by this.

    Also, I looked in event viewer, and the system time was being changed alot, followed several times with failed policy changes and startups of IPSec. Any significance on either count??

  2. #2
    Purveyor of Lather Syini666's Avatar
    Join Date
    Aug 2001
    Posts
    553
    Im no java expert, but based on what you have said about your email and system logs, something definately is up. First and foremost I would call H&R block by phone and explain to them that you think someone tampered with your filing to prevent them from filing the taxes and having it sent to someone else's account. It would probably be a good idea to stop doing anything sensitive on the computer untill you get everything sorted out. As for explaining what all that java was doing, I will leave that to a member with java experience, as i have about 0 experience with it.
    You're not your post count, You're not your avatar or sig, You're not how fast your internet connection is, You are not your processor, hard drive, or graphics card. You're the all-singing, all-dancing crap of AO
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

  3. #3
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830
    What operating system are you running?

    Is your antivirus software up to date?

    I would disconnect from the Internet and run a trojan / spyware detector like Ad Aware to see if you can detect anything.

    I am also not a Java expert so I can't comment on the code specifically, but I agree with Syini666 that based on the suspicious behavior you've noticed you seem to have been compromised and should watch what you do on the computer until you get it cleaned up.

  4. #4
    Junior Member
    Join Date
    Apr 2003
    Posts
    6
    I am running Windows XP home edition, and I dont have any antivirus software (yeah, stupid, I know... too late now). Even better is that I put my computer in my router firewall's DMZ to allow easier connection to online games... i just changed that and closed up all my open ports, and I'm trying to find a trojan hunter right now. Thanks for the advice so far, but hrblock has all gone home for the day(I did send the webmaster some warnings though, so the account should be locked up by tomorrow if I'm lucky)

  5. #5
    Junior Member
    Join Date
    Feb 2003
    Posts
    27
    Check security threads on printer/share options on XP settings on the site. I currently use sygate as a firewall. As for the Java language, I am unexperianced as of yet, but was wondering something maybe someone else can asnswer. This resembles Java plug-in ver. 1.3.1 06. Am I way off base. or did someone find a explot to it I dont know about?
    [shadow]Who cares if it works, I just want to know WHY![/shadow]

  6. #6
    Junior Member
    Join Date
    Apr 2003
    Posts
    6
    okay, I ran ad-aware and it turned up a few interesting little tidbits...
    BTW this is from the scan log


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Cydoor Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CURRENT_USER
    Object : software\cydoor


    Cydoor Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : Software\Cydoor


    Cydoor Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CURRENT_USER
    Object : software\cydoor services


    Alexa Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

    so I have some Alexa and some Cydoor... whatever those are (trojans??)

    plus ad-aware turned up a few other Cydoor-esque files:

    Cydoor Object recognized!
    Type : Folder
    Object : C:\WINDOWS\system32\AdCache



    Cydoor Object recognized!
    Type : File
    Data : cd_htm.dll
    Object : C:\WINDOWS\system32\
    FileSize : 41 KB
    FileVersion : 1, 0, 0, 1
    ProductVersion : 1, 0, 0, 1
    Copyright : Copyright (C) Cydoor Technologies, Inc. 1999-2001
    CompanyName : Cydoor Technologies, Inc.
    FileDescription : cd_htm module
    InternalName : cd_htm.dll
    OriginalFilename : cd_htm.DLL
    ProductName : cd_htm module
    Created on : 12/8/2002 5:52:10 AM
    Last accessed : 4/10/2003 2:25:20 AM
    Last modified : 8/22/2001 7:30:00 PM


    My question is: what the hell is Cydoor???

    Also, ad aware found alot of suspicious activity with mmc.exe and a bunch of stuff recognizable to my noobie eyes as server hos and client software.

    WTF???

  7. #7
    Junior Member
    Join Date
    Apr 2003
    Posts
    2
    Similar JAVA messages have popped up on my desktop twice so far. I happened to notice that they appeared right after updating to the latest JAVA console. BTW, Norton didn't even blink when it happened, and AdAware found and wiped out the usual stuff, nothing seemed to be related to JAVA.

  8. #8
    Junior Member
    Join Date
    Feb 2003
    Posts
    27
    and isn't cydoor a kazaalite dll? I am trying to think back, seems it is, could be wrong
    [shadow]Who cares if it works, I just want to know WHY![/shadow]

  9. #9
    Junior Member
    Join Date
    Feb 2003
    Posts
    21
    First off, the log file you have isn't anything to be worried about. It was produced by a java applet that was using ZipFile methods in a multithreaded program. ZipFile methods are not threadsafe since they are asynchronous and may not be excecuted at the appropriate time. It won't always happen, but the fact that ZipFile methods arent threadsafe CAN produce some unusual excepetion including the ACCESS_VIOLATION you have here. When encountering unhandled exceptions that causes the process to be terminated a stack trace is either printed to the command line or dumped into a log file under certain circumstances. The applet was probably imbedded in a website you visited. It would be a nice thing to do to find which site it was and send the admin an email. Whoever programmed the applet should me made aware. They may not bother ot fix it, but they should at least know that there is a problem. Don't bother reporting it to Sun they already know that this occurs, its in their bug archive although officially this isn't a bug.

  10. #10
    Junior Member
    Join Date
    Apr 2003
    Posts
    2
    scionzius,

    I'm not a Java expert, but I'm a programmer and it seems as though XP is trying to tell you that you need to get the security updates from MSN for Virtual Machine cause it looks like thats where the intruder slipped through.
    I would also go to this site (http://www.freedom.net/index.html) and run their ANTI-VIRUS every now and then. It's FREE!!! but, you do have to download a little primer program to get started. If you have any information you don't want them to read then encrypt it, because the A.V. runs from the internet and so it doesn't install completely onto your system.
    I have used them in the past and it is great for those viruses that tend to target only certain anti-virus programs and get into your computer. In other words, some viruses are designed to destroy anti-virus programs before entering into your memory.
    JAY-SUN

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •