Infection immediately after plugging

Thread: Infection immediately after plugging

  1. #1
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914

    Infection immediately after plugging

    Hey Hey

    Has anyone seen any problems with malware/virus infections immediately after plugging into their network?

    Symptoms:
    popups for lapublichealth.net (two additional sites that I don't have documented. I believe 1 is IP/loud or something along those lines.. wasn't here for those)
    javascript disabled


    I'm waiting to get my hands on a machine so I can look into it further... I've only heard second hand reports so far... but I do know that it's hit machines that are freshly ghosted and just plugged into the network.. so I'm not sure what it's causing.


    Anyone have any details?

    I'll post more info as I find it.


    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  2. #2
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    I've seen it happen almost that fast before. Best bet is to enable the built-in firewall before connecting it to the network. Unpatched boxes don't last long where I work.

  3. #3
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    I've seen it happen that fast. Had a system with Blaster on it, it was taken offline and rebuilt. The administrator then put it back on the network to pull patches.

    www.incidents.org (SANS) has a little tracker that estimates the survival time of an unpatched system on the internet. It has recently dropped down to 15 minutes...

    EDIT: As far as your question goes, it really just depends on your friend's setup. I.e., Windows box? Firewall? Services enabled? AV? etc.

    EDIT2: They are now saying 20 minutes at SANS, but you can see the historical numbers, it seems it has been going up a little

    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  4. #4
    Senior Member
    Join Date
    Mar 2004
    Posts
    171
    Yup, seen it with Blaster as well. One of the guys here that thinks he knows what he is doing plugged a box directly into our router, bypassing the firewall and everything else. He was infected before he could run Windows Update. Of course then he tried to connect it back up to the network and had me in his office pulling the plug in about .00002ns

    It was a box from home, and the only reason I didn't break his hands for doing this was he uses one of those hands to sign my paycheck :S

    In a couple of cases I have had friends get infected/reinfected because they burnt a "programs CD" on an infected system before they realized they were already toasted.

    Cheers!
    ~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinkys: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    Interesting HT! I've seen infections spread that fast... that's the nature of the beast. But I've never seen an outbreak of pop-ups spread through a network. Do you mean the Windows message (which I'm guessing it is) or browser-type pop-ups?
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  6. #6
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    I've seen viruses spread this fast also.... We've been dealing with the new variants of Spybot, SDWorm and that IRCBot that TH13 posted about.... However I've never seen popups out of this kind of spread...

    I'm talking about web-based pop-ups.. If it was the Messenger service.. I wouldn't be as concerned, but these pop-up browser windows are opening out and loading websites...

    I'm not seeing any unusual stuff in HijackThis, and Spybot, AdAware, SpySweeper, SwatIt and many AVs (including Norton, McAfee, AVG and eTrust) aren't noticing it or doing anything about it...

    It's got me quite amused and perplexed.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  7. #7
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Sounds like you need to shut off the Messenger service. Unprotected winblows boxes will get these harassing messages almost instantly.

    Haven't seen any "infections" from this method of spamming but then I'm sure I haven't seen quite a bit of stuff.

    "A fool thinks himself to be wise, but a wise man knows himself to be a fool." -old Willy
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  8. #8
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Originally posted here by KorpDeath
    Sounds like you need to shut off the Messenger service. Unprotected winblows boxes will get these harassing messages almost instantly.

    Haven't seen any "infections" from this method of spamming but then I'm sure I haven't seen quite a bit of stuff.

    "A fool thinks himself to be wise, but a wise man knows himself to be a fool." -old Willy
    Hey Hey,

    It's most definitely not the Messenger service.... If it was that... I wouldn't be nearly as concerned..

    NetBIOS is completely blocked on the network... and we can't net send... so that rules out the Messenger service.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  9. #9
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    I'd stick a sniffer out on the network and see if another machine on the local network is infected with crap that is hitting your other machines.

    We've had machines get infected in less than 2 minutes on our networks.

    Without first-hand knowledge on your part of what is actually happening (like you said.. you've only had second-hand reports) I don't think we can do anything other than guess at what the problem could be. :-/
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  10. #10
    Senior Member
    Join Date
    Jun 2004
    Posts
    281
    HT -

    Are there any vulnerable ports open on your router?

    I would also agree that these may be coming from the inside, from other machines. I would slap Ethereal on there and see where the packets are being sent from/originating/hopping from.

    - MilitantEidolon
    Yeah, that's right........I said it!

    Ultimately everyone will have their own opinion--this is mine.
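One way to act on the sniffer advice in #9 and #10, as an added example that is not from the thread: a script that reads one-line packet summaries (the constructed sample below stands in for an Ethereal or tcpdump export; the `src > dst:port flags` layout is an assumption) and flags any local host fanning out connection attempts to many neighbours on a single port, the pattern a Blaster-style worm hitting tcp/135 produces.

```python
from collections import defaultdict

# Constructed sample of one-line packet summaries (not a real capture),
# laid out as "src_ip > dst_ip:dst_port flags"; "S" is a SYN, "S." a SYN/ACK.
SAMPLE_CAPTURE = """\
10.1.1.37 > 10.1.1.5:135 S
10.1.1.37 > 10.1.1.6:135 S
10.1.1.37 > 10.1.1.7:135 S
10.1.1.37 > 10.1.1.8:135 S
10.1.1.37 > 10.1.1.9:135 S
10.1.1.37 > 10.1.1.10:135 S
10.1.1.12 > 10.1.1.1:53 S
10.1.1.12 > 10.1.1.1:53 S
10.1.1.12 > 192.0.2.10:80 S
10.1.1.5 > 10.1.1.37:135 S.
"""

def parse_line(line):
    """Parse one summary line into (src, dst, dport, flags); None if malformed."""
    parts = line.split()
    if len(parts) != 4 or parts[1] != ">":
        return None
    src, target, flags = parts[0], parts[2], parts[3]
    if ":" not in target:
        return None
    dst, port = target.rsplit(":", 1)
    if not port.isdigit():
        return None
    return src, dst, int(port), flags

def find_fanout_sources(capture, min_targets=5):
    """Return {src: {port: distinct_destinations}} for sources whose outbound
    SYNs reach at least min_targets distinct hosts on one port."""
    targets = defaultdict(lambda: defaultdict(set))
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port, flags = rec
        if flags != "S":  # count connection attempts only, not replies
            continue
        targets[src][port].add(dst)
    suspects = {}
    for src, ports in targets.items():
        hits = {p: len(d) for p, d in ports.items() if len(d) >= min_targets}
        if hits:
            suspects[src] = hits
    return suspects
```

On the sample, only 10.1.1.37 is reported (six distinct hosts on tcp/135); the normal DNS and web traffic from 10.1.1.12 stays below the threshold.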
