Me was infected

  1. #1
    Member
    Join Date
    Feb 2002
    Posts
    99

    Angry Me was infected

    After wondering what the hell my computer was so sluggish for, I found out I had a trojan that one of my sisters probably carelessly downloaded (I keep telling the rents they don't need admin status). Anyways, I was infected with a pretty advanced backdoor; I could not find it through your normal netstat, checking the system files and whatnot. Here's a read if anybody is interested.

    http://de.mcafee.com/root/genericVIL...virus_k=100252

    I have a bunch of IP's, but they're all from China, Korea, and other places where notifying the ISP is futile, so I have an idea.

    Is there any way I could use netcat (under my watchful eye) to send a line of **** to them when they attempt to connect? I'm sitting here watching about 14 different IP's attempting to connect to me, so I'm sure I'd get my message across. My skills with netcat are pretty limited; anybody have any idea how I could have some fun with these punks (legally)?

  2. #2
    AO bergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    Sure can...
    Ted0b1 showed that in his tutorial here. There are a lot of other useful tricks in his netcat tutorials... look at the tutorial index for the rest of them.
    As a port blocker:

    If you have port 139 open (or any other port associated with a service) you can block file sharing and instead send a message to anyone connecting:
    nc -L -s xxx.xxx.xxx.xxx -p 139 -e warning.bat

    Warning.bat:
    @echo off
    call netstat -n
    echo Now get the hell out of here lamer!
    call netstat -n >> nclog.txt

    When someone telnets to your 139 they will see a record of their connection and someone telling them to beat it, plus you keep a record in a text file and their connection is closed when the batch file (or other executable) finishes.

    To do this and catch the data before NetBIOS gets it, you must anchor nc to this interface on that port. This is done with the -s and -p options, which in this case would be the IP assigned to this connection (interface) and -p 139. If NetBIOS was not enabled the -s option would not be necessary unless you had 2 interfaces (multi-homed).

    Even more aggressive strategies can be used on, say, well known Trojan ports. It's up to your imagination and the law.
    That's not going to do you much good if you haven't uninstalled that trojan... it has keylogging capabilities....
    Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
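
    A logging listener in the spirit of the netcat port blocker quoted above, added here as an example; it is not from Ted0b1's tutorial or from the thread. It binds one interface and port (the role of -s and -p), sends a fixed banner to whoever connects, records the peer's address and a timestamp (what `netstat -n >> nclog.txt` does in warning.bat), and closes the connection without reading or acting on anything the peer sends. The demo() runner and the probe_once() helper that plays the connecting side are my additions so it can be run offline on loopback; port 0 lets the OS pick a free port.

```python
import socket
import threading
from datetime import datetime, timezone

# Text shown to whoever connects; the connection is closed right after it is sent.
BANNER = b"This port is monitored and this connection attempt has been logged.\r\n"


def open_listener(bind_ip, port):
    """Bind a TCP listening socket on one interface, the way `nc -L -s <ip> -p <port>` does.
    Binding a specific address matters on a multi-homed host; port 0 means 'any free port'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_ip, port))
    srv.listen(5)
    return srv


def handle_connection(conn, addr, local_port):
    """Send the banner, build one log entry, close. Nothing the peer sends is read or executed."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    entry = f"{stamp} local_port={local_port} peer={addr[0]}:{addr[1]}"
    try:
        conn.sendall(BANNER)
    except OSError:
        entry += " (peer closed before banner was delivered)"
    finally:
        conn.close()
    return entry


def serve(srv, max_connections, log_path=None):
    """Accept up to max_connections, return their log entries, and optionally append
    each entry to a text file (the nclog.txt idea from the batch file above)."""
    local_port = srv.getsockname()[1]
    entries = []
    for _ in range(max_connections):
        conn, addr = srv.accept()
        entry = handle_connection(conn, addr, local_port)
        entries.append(entry)
        if log_path:
            with open(log_path, "a", encoding="utf-8") as fh:
                fh.write(entry + "\n")
    srv.close()
    return entries


def probe_once(host, port):
    """Helper standing in for a remote peer: connect, read until the listener closes, return bytes."""
    with socket.create_connection((host, port), timeout=5) as c:
        data = b""
        while True:
            chunk = c.recv(1024)
            if not chunk:
                break
            data += chunk
    return data


def demo():
    """Run the listener on loopback for one connection; return (banner_received, log_entries)."""
    srv = open_listener("127.0.0.1", 0)
    port = srv.getsockname()[1]
    result = {}
    worker = threading.Thread(target=lambda: result.update(entries=serve(srv, 1)))
    worker.start()
    received = probe_once("127.0.0.1", port)
    worker.join(timeout=10)
    return received, result["entries"]


if __name__ == "__main__":
    banner, entries = demo()
    print(banner.decode().strip())
    for e in entries:
        print(e)
```

    Unlike `-e warning.bat`, which hands the socket to a shell script, this never executes anything based on peer input, so the listener itself cannot become a second way in. Log entries go to a file you control, and the log is the useful part: it is the evidence you would pass to an ISP or keep for a cleanup.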

  3. #3
    Banned
    Join Date
    May 2003
    Posts
    21
    here's a little "look-&-see"

    1. if anyone "trojaned"/"backdoored" you they would probably have the server ask for a password (unless the lamer shared it w/ his friends. all 14 of them?? that's unlikely)

    2. therefore... check your computer for more malware....14 connections???? hmmm...

    3. check the outgoing and incoming ports.. are you sure they are INcoming and not OUTgoing

    4. what are the socket #'s ... are they all the same

    5. check all the IP's for running IRC server


    I think you'd have some kind of IRC eggdrop bot running somewhere... you know... like a DDOS zombie, but that's all just assumptions... let us see the IP's and port #'s
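
    To actually work through items 2 to 4 of the checklist above (incoming vs. outgoing, are the socket numbers all the same, how many distinct peers), here is an added example that is not from the thread: it parses text in the layout of Windows `netstat -an` output, treats a connection as inbound when our side is a port the machine is LISTENING on and as outbound otherwise, and groups peers by port so repeated sockets stand out. The sample output is constructed for this example and uses documentation address ranges, not real hosts; the expected_ports set is whatever the owner knows the box is supposed to serve.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Windows `netstat -an` output; addresses come from
# documentation ranges (RFC 5737), not real hosts.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        203.0.113.10:3205      ESTABLISHED
  TCP    192.168.1.5:139        203.0.113.11:4122      ESTABLISHED
  TCP    192.168.1.5:21         192.0.2.44:2211        ESTABLISHED
  TCP    192.168.1.5:6667       198.51.100.7:1049      ESTABLISHED
  TCP    192.168.1.5:1033       198.51.100.7:6667      ESTABLISHED
  TCP    192.168.1.5:1034       192.0.2.9:21           SYN_SENT
  TCP    192.168.1.5:1035       192.0.2.9:21           SYN_SENT
"""

# One TCP row: local ip:port, foreign ip:port, state. UDP rows (foreign "*:*") are skipped.
ROW_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Turn netstat text into a list of dicts with integer ports; other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        lip, lport, rip, rport, state = m.groups()
        rows.append({"local_ip": lip, "local_port": int(lport),
                     "remote_ip": rip, "remote_port": int(rport), "state": state})
    return rows


def summarize(rows):
    """Split connections into inbound (peer reached one of our LISTENING ports) and outbound
    (this machine connected out), grouped so repeated peers and repeated ports are obvious."""
    listening = {r["local_port"] for r in rows if r["state"] == "LISTENING"}
    inbound = defaultdict(set)    # our service port -> peers connected to it
    outbound = defaultdict(set)   # remote port -> hosts this machine reached out to
    for r in rows:
        if r["state"] == "LISTENING":
            continue
        if r["local_port"] in listening:
            inbound[r["local_port"]].add(r["remote_ip"])
        else:
            outbound[r["remote_port"]].add(r["remote_ip"])
    return {"listening": listening, "inbound": dict(inbound), "outbound": dict(outbound)}


def unexpected_listeners(summary, expected_ports):
    """Listening ports the owner did not intend to run; anything here deserves a look."""
    return summary["listening"] - set(expected_ports)


if __name__ == "__main__":
    s = summarize(parse_netstat(SAMPLE_NETSTAT))
    print("listening:", sorted(s["listening"]))
    for port, peers in sorted(s["inbound"].items()):
        print(f"inbound on {port}: {len(peers)} peer(s) {sorted(peers)}")
    for port, hosts in sorted(s["outbound"].items()):
        print(f"outbound to port {port}: {sorted(hosts)}")
    print("unexpected listeners:", sorted(unexpected_listeners(s, {139})))
```

    On the constructed sample the split answers the checklist directly: two different peers are inbound on 139, the box is both listening on and connecting out to 6667 (the usual IRC port), and it is in the middle of opening outbound FTP connections. Run on a real capture, save the raw netstat text first; the parser only reads it, and the raw file is what you keep as evidence.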

  4. #4
    Banned
    Join Date
    Feb 2003
    Posts
    106
    At www.blackcode.com there is a firewall called killerwall; you can have it send a text message or a SYN flood (very naughty, so don't) to someone when they try to connect on a specified port. It also has a lot of good monitoring info (hidden windows, ports, packets.......)

  5. #5
    Member
    Join Date
    Feb 2002
    Posts
    99
    Ok, here's what my trojaned computer is being used for.

    Disclaimer: I would take something like this seriously, and delete it at first knowledge. My parents are hardheaded and stupid when it comes to the internet and anything PC related. Ex. mother thinks I'm hacking when I open a DOS prompt and type netstat. Oh well, it's not my computer, therefore I can't MAKE them back up their files so I can format this POS and start over from scratch. However, this will make you all say WTF, and maybe even open their eyes as to the seriousness of this.

    Remote impacts.
    -A proxy for portscans to other systems.
    -A password cracker (only reason I say this is because my page file usage and CPU usage is VERY high, could be wrong)
    -A web proxy
    -FTP server ( I have yet to find the directories)
    -People are telnetting in and out.
    -Been sending massive amounts of SYN, ACK, and ICMP packets to 3 different hosts, most likely a DDOS.
    -SMB requests going all over the internet.
    -sending messenger popups

    and that's just what I've figured so far.

    Local impacts.
    -They've deleted local files including Norton AV, AOL (can't blame them), Fport, my installation of Nmap, my firewall (reinstalled in vain), etc.
    -They're connecting to my father's business-use-only computer on our home network. I believe it uses a VPN to connect to the corporate network. You get the point.
    -My mother uses THIS computer to log into a certain university's FTP and web servers.
    -Trojan has a keylogger

    I know this is bad, and needs to be remedied ASAP, but I would be on the street if I went against their word on this one.

    Oh well, I think I have a big I told you so coming.

  6. #6
    Junior Member
    Join Date
    Apr 2003
    Posts
    3
    Hmmmm.. sounds very similar to mine....

  7. #7
    Member
    Join Date
    Feb 2002
    Posts
    99
    Hmmmm.. sounds very similar to mine....
    Meaning you wrote the trojan? or you have a similar type of problem on your box?

  8. #8
    Junior Member
    Join Date
    Apr 2003
    Posts
    3
    Oh God don't...that's how rumors get started lolol...actually I just read your reference to the high pagefile, and I went off to look it up. What the machine I was working on had was the God Damned BackDoor-G. Yes, I renamed it that. It sounds better. Anyway, I'm still workin' on yours. Miah
