Beware, Hacked!

Old 27 December 2000, 12:44 AM
  #1  
RonaldoH
Scooby Regular
Thread Starter
 
Join Date: Aug 2000
Posts: 1,347

Just as well I was on the ball then. Sheeesh!

Glad you all downloaded it now anyway.
Old 27 December 2000, 07:23 AM
  #2  
sunilp
Scooby Regular
 
Join Date: Aug 1999
Posts: 2,232

Yesterday myself, RonaldoH, SecretAgentMan, someone known as "Silent Bob" and someone known as "Spiderman" were in ScoobyChat.

I understand that Spiderman started PM'ing Ronnie talking to him in hacker terminology.

Quite soon thereafter Ronnie received a zone alert message and immediately instructed the rest of us to go and download this software.

Good job I did because I later received this alert

Zone Alarm Software message

The firewall has blocked Internet access to your computer (TCP Port 27374) from 172.161.59.103 (TCP Port 2254)

Time 12/26/00 22:37:34

Lee Christie tells me this is the sub seven Trojan.

Is it possible only to allow established users who have previously posted on the BBS to be allowed into Chat rather than people who seem to lurk in there that are unknown to the Scooby regulars?

Sunil

[This message has been edited by sunilp (edited 27 December 2000).]
Old 27 December 2000, 08:11 AM
  #3  
Kev
Scooby Regular
 
Join Date: Jul 1999
Posts: 711

Sunil ..

I use Norton personal firewall 2001 and received 3 of these "trojan" warnings over the last 3 or 4 days ... not sure if the software is "misfiring" but now it seems you have had them as well ?? I've just done a quick trace with Neotrace and it seems there is no response ... but the last hop is AOL.com ?

Seems these firewalls are a must ....

K
Old 27 December 2000, 09:04 AM
  #4  
GaryC
Scooby Regular
 
Join Date: Jan 2000
Posts: 1,999

[quote] Originally posted by sunilp:
immediately instructed the rest of us to go and download this software.
[/quote]

what software?

Old 27 December 2000, 09:12 AM
  #5  
EvilBevel
Scooby Regular
 
Join Date: Oct 1999
Posts: 3,491

Gary, ZoneAlarm. A personal firewall (free), you can find it at
Old 27 December 2000, 11:14 AM
  #6  
Chris L
Scooby Regular
 
Join Date: May 2000
Location: MY00,MY01,RX-8, Alfa 147 & Focus ST :-)
Posts: 10,371

Cheers Sunil

Just to back up what Theo has said, as this is part of my line of work. I would recommend having some form of personal firewall regardless of the type of connection (analogue / ISDN / xDSL etc) you have (and get yourself subscribed to a decent anti-virus program and set it to do regular updates (at least twice a month)).

There are too many idiots out there with a little bit of knowledge who are prepared to launch these things without any care for the problems they cause. Zonealarm is great, it's non-intrusive, won't cause your connection to slow down and it's free with automated downloads - so there is no excuse for not using it.

Cheers

Chris
Old 27 December 2000, 01:37 PM
  #7  
SimonH
Scooby Regular
 
Join Date: Jul 2000
Location: Nr Bath, Wilts
Posts: 1,743

I run Norton Personal Firewall and receive alerts about the Sub Seven Trojan several times a day. I think (note think, don't actually know) that this is being generated by some software within windows itself, but I may be wrong. I also get regular intercepts on the Deep Throat Trojan and the Back Orifice 2000 Trojan. Friends who also run Norton PF also pick these up on a daily basis.
Norton PF lists thousands of trojans and hack methods that it knows and can intercept yet it only reports catching these three. As I said I think they are caused by my own PC's software rather than malicious hacks.
But then of course I could be wrong.....
Old 27 December 2000, 02:03 PM
  #8  
Kev
Scooby Regular
 
Join Date: Jul 1999
Posts: 711

That's interesting Simon ..

Zonealarm doesn't give any warning at all of the trojan, which now makes me wonder if it's an error with NPF or down to its setup ?

I do think they are a must though, never go on the web without it, it's surprising how some sites must have scripts embedded that run when you visit, zonealarm blocks 'em all ( or tells you it has ? ).

K
Old 27 December 2000, 05:28 PM
  #9  
sunilp
Scooby Regular
 
Join Date: Aug 1999
Posts: 2,232

ok, ok, ok

Now who the fukc is this Spiderman that was in chat, can't Webbie trace him as he must have requested an ID and password to an email account?

Sunil
Old 27 December 2000, 05:34 PM
  #10  
sunilp
Scooby Regular
 
Join Date: Aug 1999
Posts: 2,232

The firewall has blocked Internet access to your computer (ICMP Echo Request ('Ping')) from 62.252.90.104.

Time: 12/27/00 17:45:38


---------------------------------------------
What does this mean......arrrrrgghhhhhhh
Old 27 December 2000, 05:57 PM
  #11  
Bagpuss
Scooby Regular
 
Join Date: Apr 2000
Posts: 119

Sunil,

This just means that somebody tried to 'ping' your machine to see if it was alive.

You can try this yourself by going to a DOS prompt etc., and typing:

ping
Old 27 December 2000, 06:00 PM
  #12  
robman
Scooby Regular
 
Join Date: Jan 1999
Posts: 525

It means someone has tried to ping your computer to see if it gets a response. Kind of like phoning a number to see if someone is home. If your computer responds then they (could be automated) know your machine is worth attacking.

Incidentally a lot of reports you get from personal firewalls are indeed generated by your own machine, and sound malicious when they may be just a DNS query. Still, better to be protected and paranoid than just vulnerable I suppose. They are certainly a must for anyone running an always on connection such as ADSL or a leased line.

You can also go to
Old 27 December 2000, 07:06 PM
  #13  
logiclee
Scooby Regular
 
Join Date: Sep 2000
Location: Notts, UK
Posts: 4,935

Thanks Guys,

Lost the PC to a trojan about the same time as MrCookie. Now have McAfee Internet protection suite installed.

I used to run Intruder Alert 99 but have just installed the ZoneAlarm software and it looks very good.

Lee
Old 27 December 2000, 07:25 PM
  #14  
Richard Askew
Scooby Regular
 
Join Date: Dec 2000
Location: A land of lap-dancers and Lanson Black Label
Posts: 9,400

Right guys, I'm sh***ing myself now cos I will get a serious bo**ocking if I download a virus from Scoobynet. I know three fifths of bugger all about this so will someone please explain how I can safeguard my PC (I slept through 80% of my degree course and the other 20% I was skiving on rallies). I think my late father installed McAfee but not sure entirely. Please help or I will have to resort to leaving Scoobynet and everything else online alone.....
Could this be a cue for taking subscriptions from us, i.e. a fiver a month to keep those who aren't genuine away?
Rich

Old 27 December 2000, 07:25 PM
  #15  
Ian Griffiths
Scooby Regular
 
Join Date: Dec 2000
Posts: 302

Bear in mind that stuff like SubSeven, BackOrifice etc. are trojan viruses that will make your computer vulnerable to the outside world *only if* they have managed to infect you.

The most common way for a hacker to break in to your computer with these methods is to scan a range of addresses and find vulnerable ones, hence you getting a lot of seemingly false warnings. Your computer is part of that sweep but is itself not being directly targeted, unless it is found to be vulnerable (i.e. you're infected).

Your virus scanner should be able to tell if you're infected or not and if you're not, these sweep-type attacks are not a problem.

Having said that, a firewall is a good idea. It will certainly be very active and display lots of things that look like problems but the knowledge is better than the blissful ignorance. The best course of action is to silently report the prolonged attacking address as Andy suggests.

*Don't* use the firewall as a mechanism to find addresses and 'hack' (even just ping) them back as this simply draws attention to your computer which would otherwise have been passed by.

Hope this helps.

Andy, that sounds like quite a setup
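
An added example, not part of any poster's message or of ZoneAlarm: it parses alert text in the two formats quoted in posts #2 and #10 and separates sources seen once or twice (the sweep pattern described in post #15) from sources that keep coming back. The port labels are the two named in this thread; the 198.51.100.7 alerts and the repeat threshold of 3 are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Port labels as given in this thread (posts #2 and #20); nothing else is assumed.
PORT_LABELS = {27374: "SubSeven", 1243: "Backdoor-g-1"}

IP = r"(\d+(?:\.\d+){3})"
PORT_RE = re.compile(r"\((TCP|UDP) Port (\d+)\) from " + IP)
PING_RE = re.compile(r"\(ICMP Echo Request \('Ping'\)\) from " + IP)
TIME_RE = re.compile(r"Time:? (\d\d/\d\d/\d\d \d\d:\d\d:\d\d)")

# The first two alerts are the ones quoted in the thread; the rest are constructed.
SAMPLE = """\
The firewall has blocked Internet access to your computer (TCP Port 27374) from 172.161.59.103 (TCP Port 2254)
Time 12/26/00 22:37:34
The firewall has blocked Internet access to your computer (ICMP Echo Request ('Ping')) from 62.252.90.104.
Time: 12/27/00 17:45:38
The firewall has blocked Internet access to your computer (TCP Port 1243) from 198.51.100.7 (TCP Port 3001)
Time: 12/27/00 18:01:02
The firewall has blocked Internet access to your computer (TCP Port 27374) from 198.51.100.7 (TCP Port 3002)
Time: 12/27/00 18:01:09
The firewall has blocked Internet access to your computer (ICMP Echo Request ('Ping')) from 198.51.100.7.
Time: 12/27/00 18:03:40
"""

def parse_alerts(text):
    """Turn pasted alert text into records: src, proto, port, label, when."""
    records = []
    for chunk in text.split("The firewall has blocked")[1:]:
        t = TIME_RE.search(chunk)
        when = datetime.strptime(t.group(1), "%m/%d/%y %H:%M:%S") if t else None
        m = PORT_RE.search(chunk)
        if m:
            port = int(m.group(2))
            records.append({"src": m.group(3), "proto": m.group(1), "port": port,
                            "label": PORT_LABELS.get(port, "unlabelled"), "when": when})
        else:
            m = PING_RE.search(chunk)
            if m:
                records.append({"src": m.group(1), "proto": "ICMP", "port": None,
                                "label": "ping", "when": when})
    return records

def triage(records, repeat_threshold=3):
    """Map each source to ('sweep' | 'repeat', sorted labels seen from it)."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec["src"]].append(rec["label"])
    return {src: ("repeat" if len(labels) >= repeat_threshold else "sweep",
                  sorted(set(labels)))
            for src, labels in by_src.items()}

if __name__ == "__main__":
    for src, (kind, labels) in triage(parse_alerts(SAMPLE)).items():
        print(f"{src:16} {kind:7} {', '.join(labels)}")
```
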
Old 27 December 2000, 07:35 PM
  #16  
Ian Griffiths
Scooby Regular
 
Join Date: Dec 2000
Posts: 302

Richard, you're fairly safe. This attack was a probe by someone to check if a computer was vulnerable or not. The virus itself didn't come from Scoobynet and it is very (read extremely) unlikely for this ever not to be the case.

If you're incredibly paranoid, don't use ScoobyChat as this will make sure that no-one else is able to find out which ISP you're using and thus scan that range of addresses. The BBS will be fine (anyone: it does display IPs right?)
Old 27 December 2000, 07:36 PM
  #17  
Ian Griffiths
Scooby Regular
 
Join Date: Dec 2000
Posts: 302

Sorry *doesn't* display IPs
Old 27 December 2000, 07:47 PM
  #18  
Richard Askew
Scooby Regular
 
Join Date: Dec 2000
Location: A land of lap-dancers and Lanson Black Label
Posts: 9,400

Ian
You wouldn't believe how stoopid I am when it comes to PC's.... what's an IP?
Rich

Old 27 December 2000, 09:57 PM
  #19  
kryten
Scooby Regular
 
Join Date: May 2000
Posts: 869

Ian, just tried it to check and only certain authorised users can get hold of the IP (you'd be surprised how many BBS systems aren't set up like that!).

As has been said before: it's a good idea to get one of the personal firewalls.

Most of these scans come from 'script kiddies', i.e. people who just download tools off the net and try to wreak havoc with them: most have no knowledge of how the things work at all and are unlikely to bypass a firewall.

Being on _any_ interactive chat system, tells other people who are present that you are on-line and therefore have an IP address that's worth a look - so be aware of this!

Also, make sure you have a registered copy of a virus checker with virus updates scheduled for download regularly - this should protect you from any trojans designed to open up your machine.

Do remember, that a Firewall/Virus checker are only any use if they are turned ON!!
Old 27 December 2000, 10:27 PM
  #20  
boomer
Scooby Senior
 
Join Date: Feb 2000
Location: West Midlands
Posts: 5,763

[quote] Originally posted by Kev:
I use Norton personal firewall 2001 and received 3 of these "trojan" warnings over the last 3 or 4 days ...
[/quote]

Kev,

are these incoming or outgoing warnings from NPF?

If the Event Log, under the Connections tab shows a "Local" entry to "yourhost: Backdoor-g-1" then it could simply be an _outgoing_ HTTP connection (which happened to use port 1243 or similar).

Incoming (and thus blocked by the NPF) would only be a problem _if_ you had a Trojan on your machine listening on the port - but NAV or similar would (hopefully) pick up such a program. The golden rule is NEVER run an EXE (or any other executable file) unless you absolutely trust the source. I think that NPF will "stealth" these ports, so a hacker would not know for sure that you were on the Internet and should not come back.

As for the source of these incoming probes - they most probably come from another "hacked" PC, to hide the identity of the true "dead cow"! Thus tracing the IP may not help.

To find out more about Trojans,
Old 28 December 2000, 08:45 AM
  #21  
Kev
Scooby Regular
 
Join Date: Jul 1999
Posts: 711

Cheers for that Martin ...

Top link ....

It's incoming which is why I was a tad concerned, did a port check last night and they are all "stealthed" so I know it's working fine .... or at least that's the plan ..

Had a word with one of these techies here at work and he confirmed what's already been said, it's usually kids with software that pings whole ip address ranges on a network ... most of 'em don't even know the purpose and there is no "real" threat as they don't know how to interpret the results .... home users are "reasonably" safe but businesses should have a defence ...

K
Old 28 December 2000, 03:29 PM
  #22  
Chris L
Scooby Regular
 
Join Date: May 2000
Location: MY00,MY01,RX-8, Alfa 147 & Focus ST :-)
Posts: 10,371

Richard - IP = Internet Protocol, often seen as IP address, i.e. 212.34.243.54. If you download Zone Alarm as stated elsewhere in this thread, this will give you a good level of protection and get yourself an up to date anti-virus package, such as Norton or McAfee. ZoneAlarm's installation is pretty much automatic, so it shouldn't be too difficult to get it up and running.

If you want some background info on IP, security, firewalls etc, check out
Old 28 December 2000, 03:35 PM
  #23  
ChrisB
Moderator
 
Join Date: Dec 1998
Location: Staffs
Posts: 23,573

As a basic and free test of your PC's security, point your web browser at
Old 28 December 2000, 05:33 PM
  #24  
Gethin
Scooby Regular
 
Join Date: May 1999
Posts: 409

If anyone wants me to do a port scan for them e-mail me off line with your IP address and I'll tell you which ports are open on your system

Zone Alarm is cool because it also Rejects ICMP packets so that pings are 'absorbed' making the computer seem offline.

If you are using Linux you can use the IPCHAINS to achieve the same thus :-

# -d matches packets addressed to this machine (-s would match packets sent from it)
ipchains -A input -d YOURIPADDRESS -p icmp -j REJECT

Use your IP address instead of YOURIPADDRESS.

Gethin.

[This message has been edited by Gethin (edited 28 December 2000).]

Old 28 December 2000, 06:10 PM
  #25  
ian/555
Scooby Regular
 
Join Date: Jan 2000
Posts: 953

ChrisB,

I just went to
Old 28 December 2000, 06:33 PM
  #26  
Nick
Scooby Senior
 
Join Date: Oct 1998
Location: Highlands
Posts: 2,805

Hi

I'm up to date with my AV stuff. I looked at a Firewall a few months back & tried McAfee Personal Firewall. It successfully stopped me from doing ANYTHING (incl Email, surfing) on the Internet, so I uninstalled it.

I use Internet Connection Sharing & have since found that some firewalls do not support this.

Any recommendations what I should get please?
Old 28 December 2000, 07:11 PM
  #27  
kryten
Scooby Regular
 
Join Date: May 2000
Posts: 869

ian

the message you got is because the link has an extra period ie "grc.com."

the certificate is for "grc.com" and therefore they don't match.

you've just proved your certificate checking is working correctly!!

remove the extra period from the url and it will be accepted fine.
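
An added example (not from the thread or from any browser's source) of the comparison kryten describes: a plain string match treats "grc.com." and "grc.com" as different names, while a matcher that first strips the DNS root dot accepts the pair. The wildcard rule and every case other than the grc.com pair are assumptions made for illustration.

```python
def strict_match(url_host, cert_name):
    """Plain case-insensitive string comparison, as described in post #27."""
    return url_host.lower() == cert_name.lower()

def normalised_match(url_host, cert_name):
    """Strip one trailing root dot from the URL host, then compare label by
    label; '*' is accepted only as the entire left-most certificate label."""
    host = url_host.lower()
    if host.endswith("."):
        host = host[:-1]            # "grc.com." and "grc.com" name the same host
    h_labels = host.split(".")
    c_labels = cert_name.lower().split(".")
    if "" in h_labels or len(h_labels) != len(c_labels):
        return False                # empty label ("grc.com..") or different depth
    for i, (h, c) in enumerate(zip(h_labels, c_labels)):
        if c == "*" and i == 0 and len(c_labels) > 2:
            continue                # wildcard covers exactly one left-most label
        if h != c:
            return False
    return True

def compare(url_host, cert_name):
    """Return both verdicts side by side for one (URL host, certificate name) pair."""
    return {"strict": strict_match(url_host, cert_name),
            "normalised": normalised_match(url_host, cert_name)}

# Constructed cases; only "grc.com." against "grc.com" comes from the thread.
CASES = [("grc.com.", "grc.com"), ("grc.com", "grc.com"),
         ("www.grc.com", "*.grc.com"), ("a.b.grc.com", "*.grc.com"),
         ("grc.com.other.example", "grc.com")]

if __name__ == "__main__":
    for host, name in CASES:
        print(f"{host:24} vs {name:10} {compare(host, name)}")
```
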
Old 28 December 2000, 07:37 PM
  #28  
Mr.Cookie
Scooby Regular
 
Join Date: Apr 2000
Location: www.mrcookie.co.uk
Posts: 5,757

Hi Guys

If you want to see where stuff is coming from after your firewall has picked it up try
Old 28 December 2000, 09:24 PM
  #29  
Dave T-S
Scooby Regular
 
Join Date: Aug 2000
Location: Newmarket Suffolk
Posts: 8,897

Sometit

Paranoia hat off - I have been running Zonealarm for some time and whilst it picks up regular attempts to access PC not all attempts are malicious - for example your ISP server may check if your connection is still up if you have been idle for a while - (your PC, not you personally or you would be getting alerts all the time M8 )

But, still have to be cautious.
Old 29 December 2000, 06:43 PM
  #30  
GM
Scooby Regular
 
Join Date: Nov 2000
Posts: 3,081

Having read this thread earlier in the week, I downloaded Zone Alert as suggested by several folk. Yesterday my usual ISP (Lineone) wasn't working properly (too many Xmas puters I guess!) so I connected using my ic24 account. Got 10 "PING" reports inside 2 minutes, all from different addresses. They are all from what look like US providers. Any experts able to explain what was going on?

G (who's decided that maybe he doesn't really want to use ic24 anymore!)

