-
July 28th, 2004, 03:00 PM
#1
does EarthLink do something funky?
Greetings,
I'm trying to help my sister with her computer. She's on Earthlink, and recently I installed Symantec to clean out over 174 viruses. Needless to say, it's been 0wn3d so long, I can't believe it hasn't cratered yet.
Ok, after Symantec, Spybot (v1.3), Stinger, and firewall additions... I've noticed weird configurations with the IP information (handed via DHCP from the dial-up with E-link).
Here's the IPCONFIG:
PPP adapter EarthLink xxxxxxxxx@earthlink.net:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 209.179.190.140
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 209.179.190.140
DNS Servers . . . . . . . . . . . : 207.69.188.187
207.69.188.186
NetBIOS over Tcpip. . . . . . . . : Disabled
...and the NETSTAT -AN is still extremely *busy* but down to 1.5 pages in length (from over 10 prior to the removal of all the DoS viruses, worms, trojans, etc.) -- including a listener 8080 on the local 127.0.0.1 and over a dozen listeners on 0.0.0.0.
Internet Explorer was configured to use a proxy: 127.0.0.1 8080.
???? Question is this: does E-link do anything weird with their configs that would be attributed to this -- or is this just the last vestiges of the myriad infestations? Their web site is, oh so, useful, but the DNS servers from the web are NOT the ones in the IPCONFIG, (but they still are e-link's...).
Please don't make me call e-link tech support...
Thanks, Cheers!
Myk
-
July 28th, 2004, 03:29 PM
#2
Have you looked with fport? That will tell you which application is listening on what port.
You can find it here.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
July 28th, 2004, 03:32 PM
#3
Re: does EarthLink do something funky?
???? Question is this: does E-link do anything weird with their configs that would be attributed to this -- or is this just the last vestiges of the myriad infestations?
Could be.
You may want to consider backing up data, killing the current OS and doing a re-install.
You may never know what baddies lurk.
I have not known Earthlink to use any strange proxy settings.
I have many remote users on Earthlink and have not seen it.
If you suspect Earthlink, you can simply set up a dialup profile and skip installing the Earthlink software.
Good Luck
-
July 28th, 2004, 03:35 PM
#4
===sorry ss2chef posted at the same time =====
174 viruses! Damn! I have no experience with Earthlink! But if I were you I would just format your sister's box and reinstall the OS! Those viruses, etc. have probably done a number on it and it would probably just be a good idea to do so. Also it would take out the unknown viruses, spyware on the box. But yeah the ipconfig is funky! As far as the proxy..umm. 127.0.0.1 is the puter's local IP, so that doesn't make sense. You would be using your computer as a proxy which would be getting you nowhere but hopefully some of the pros here would help you!
-
July 28th, 2004, 03:37 PM
#5
Re: Re: does EarthLink do something funky?
Originally posted here by ss2chef
You may want to consider backing up data, killing the current OS and doing a re-install.
You may never know what baddies lurk.
I agree. There's no telling what they've changed. And as you said this has been going on for some time. They might have installed a rootkit that hides all their actions.
It doesn't hurt to check it out though. You might learn something.
As far as the proxy..umm. 127.0.0.1 is the puter's local IP, so that doesn't make sense.
You can install a proxy in your local machine and perform some sort of content-scanning to protect yourself from Evil webpages (Norton maybe?). But it could also be something totally nasty. As I said, run fport and see what application is listening on 8080.
Oliver's Law:
Experience is something you don't get until just after you need it.
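The check discussed in this thread (which sockets are listening, and whether the browser's 127.0.0.1:8080 proxy setting has a listener behind it), as an added example that is not part of any poster's message. It parses `netstat -an` text; the sample output is constructed and the function names are hypothetical.

```python
import re

# Constructed sample of `netstat -an` output (not taken from the original post).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING
  TCP    209.179.190.140:1042   192.0.2.10:80          ESTABLISHED
  UDP    0.0.0.0:1026           *:*
"""

# proto, local ip, local port, foreign address, optional state (UDP rows have none)
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_listeners(text):
    """Return (proto, local_ip, port) for each TCP LISTENING socket and each UDP bind."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # headers and blank lines
        proto, ip, port, _foreign, state = m.groups()
        if proto == "UDP" or state == "LISTENING":
            out.append((proto, ip, int(port)))
    return out

def triage(text, proxy=None):
    """Split listeners by exposure; proxy is the browser's (host, port) setting, if any."""
    listeners = parse_listeners(text)
    exposed = [l for l in listeners if l[1] in ("0.0.0.0", "[::]")]   # reachable from the network
    loopback = [l for l in listeners if l[1].startswith("127.")]      # local programs only
    proxy_backed = None
    if proxy is not None:
        host, port = proxy
        proxy_backed = any(p == "TCP" and prt == port and ip in (host, "0.0.0.0")
                           for p, ip, prt in listeners)
    return {"exposed": exposed, "loopback": loopback, "proxy_backed": proxy_backed}

if __name__ == "__main__":
    result = triage(SAMPLE_NETSTAT, proxy=("127.0.0.1", 8080))
    print("all-interface listeners:", result["exposed"])
    print("loopback-only listeners:", result["loopback"])
    print("proxy setting has a listener behind it:", result["proxy_backed"])
```

`netstat -an` output does not name the owning program, so every port this flags still needs to be mapped to a process, which is what fport is suggested for above.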
-
July 28th, 2004, 03:38 PM
#6
ss2chef-- the data might be corrupted also.
-
July 28th, 2004, 03:41 PM
#7
Free advice (and best practice): Get out the install CDs and save yourself weeks' worth of diagnostics on this thing.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
July 28th, 2004, 03:48 PM
#8
You say Earthlink is managing the link via DHCP, however DHCP is turned off.... also, if there are 1.5 pages AND something listening on port 8080, then it is most likely you haven't gotten rid of all the virii/spyware.
find / -name "*your_base*" -exec chown us:us {} \;
Trust No One
Use Hardened Gentoo
CATAPULTAM HABEO. NISI PECUNIAM OMNEM MIHI DABIS, AD CAPUT TUUM SAXUM IMMANE MITTAM
-
July 28th, 2004, 03:48 PM
#9
Yeah, I looked at it too fast and didn't see the PPP connection type. It's a symptom of old age. Once I saw it, I realized it was a normal PPP connection.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
July 28th, 2004, 03:49 PM
#10
Hehehe. I just noticed, you noticed.
Oliver's Law:
Experience is something you don't get until just after you need it.