Page 1 of 2 12 LastLast
Results 1 to 10 of 16

Thread: does EarthLink do something funky?

  1. #1
    Member
    Join Date
    May 2003
    Location
    Somewhere in Texas
    Posts
    76

    Question does EarthLink do something funky?

    Greetings,

    I'm trying to help my sister with her computer. She's on Earthlink, and recently I installed Symantec to clean out over 174 viruses. Needless to says, it's been 0wn3d so long, I can't believe it hasn't cratered yet.

    Ok, after Symantec, Spybot (v1.3), Stinger, and firewall additions... I've noticed wierd configurations with the IP information (handed via DHCP from the dial-up with E-link).

    Here's the IPCONFIG:
    PPP adapter EarthLink xxxxxxxxx@earthlink.net:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
    Physical Address. . . . . . . . . : 00-53-45-00-00-00
    Dhcp Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 209.179.190.140
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . : 209.179.190.140
    DNS Servers . . . . . . . . . . . : 207.69.188.187
    207.69.188.186
    NetBIOS over Tcpip. . . . . . . . : Disabled

    ...and the NETSTAT -AN is still extreamly *busy* but down to 1.5 pages in length (from over 10 prior to the removal of all the DoS viruses, worms, trojans, etc.) -- including a listener 8080 on the local 127.0.0.1 and over a dozen listeners on 0.0.0.0.

    Internet Explorer was configured to use a proxy: 127.0.0.1 8080.

    ???? Question is this: does E-link do anything wierd with their configs that would be attributed to this -- or is this just the last vestages of the myriad infestations? Their web site is, oh so, useful, but the DNS servers from the web are NOT the ones in the IPCONFIG, (but they still are e-link's...).

    Please don't make me call e-link tech support...

    Thanks, Cheers!
    Myk

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Have you looked with fport? That will tell you which application is listening on what port.

    You can find it here.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421

    Re: does EarthLink do something funky?

    ???? Question is this: does E-link do anything wierd with their configs that would be attributed to this -- or is this just the last vestages of the myriad infestations?
    Could be.

    You may want to consider backup data and killing the current OS and do a re-install.
    You may never know what baddies lurk.

    I have not known Earthlink to do use any strange proxy settings.
    I have many remote users on Earthlink and have not seen it.
    If you suspect Earthlink, you can simply setup a dialup profile and skip installing the
    Earthlink software.

    Good Luck

  4. #4
    the beign of authority kurt_der_koenig's Avatar
    Join Date
    Jan 2004
    Location
    Pa
    Posts
    567
    ===sorry ss2chef posted at the same time =====


    174 viruses! Dam! I have no experiance with earthlink! But if I were you I would just format your sisters box and reinstall the os! Those viruses, etc have probably done a number on it and it would probably just be a good idea to do so. Also it would take out the unknown viruses, spyware on the box. But yeah the ipconfig is funky! As far as the proxy..umm. 127.0.0.1 is the puters local ip, so that doesn't make since. You would be using your computer as a proxy which would getting you nowwhere but hopefully some of the pros here would help you!

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401

    Re: Re: does EarthLink do something funky?

    Originally posted here by ss2chef
    You may want to consider backup data and killing the current OS and do a re-install.
    You may never know what baddies lurk.
    I agree. There's no telling what they've changed. And as you said this has been going on for some time. They might have installed a rootkit that hides all their actions.

    It doesn't hurt to check it out though. You might learn something

    As far as the proxy..umm. 127.0.0.1 is the puters local ip, so that doesn't make since.
    You can install a proxy in your local machine and perform some sort of content-scanning to protect yourself from Evil webpages (Norton maybe?). But it could also be something totally nasty. As I said run fport and see what application is listening on 8080.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    the beign of authority kurt_der_koenig's Avatar
    Join Date
    Jan 2004
    Location
    Pa
    Posts
    567
    ss2chef-- the data might be corrupted also.

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885


    Free advice (and best practice): Get out the install CDs and save yourself weeks worth of diagnostics on this thing.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  8. #8
    Senior Member
    Join Date
    Jun 2004
    Posts
    460
    you say earthlink is managing the link via DHCP, however DHCP is turned off.... also, if there are 1.5 pages AND something listening on port 8080, then it is most likely you havn't gotten rid of all the virii/spyware
    [gloworange]find / -name \"*your_base*\" -exec chown us:us {} \\;[/gloworange] [glowpurple]Trust No One[/glowpurple][shadow] Use Hardened Gentoo [/shadow]
    CATAPULTAM HABEO. NISI PECUNIAM OMNEM MIHI DABIS, AD CAPUT TUUM SAXUM IMMANE MITTAM

  9. #9
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Yeah, I looked at it too fast and didn't see the PPP connection type. It's a symptom of old age. Once I saw it, I realized it was a normal PPP connection.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  10. #10
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Hehehe. I just noticed, you noticed
    Oliver's Law:
    Experience is something you don't get until just after you need it.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •