I was running as Power User in W2K and was preparing to shut down for the day when I noticed a lot of activity on my communications meter. Even though all my browsers were closed, there was a lot of data leaving my computer. I ran netstat, here is a tiny sample of the first netstat run:
Some of these foreign addresses are Department of Defense, NASA, and Ford Motor Company. What the heck???
I shut down, rebooted into W2K as Admin, and right away it started again, netstat showing more consecutive ports being SYN_SENT to weird foreign addresses.
I ran PestPatrol and HouseCall online AV, nothing detected.
I found the following definition: "SYN-SENT - represents waiting for a matching connection request after having sent a connection request."
What's happening here? Is my computer trying to talk to NASA or The Defense Department?
Thanks,
jm
Doc
August 14th, 2002, 12:09 AM
You might want to run AdAware and install Zone Alarm.
ZA will let you know which program on your computer is trying to contact out.
Doc
juliemass
August 14th, 2002, 05:03 AM
Hi Doc,
I ran AdAware, it found and deleted something in the registry called Alexa. I also reinstalled Tiny Personal Firewall so I'll see if I can spot the culprit.
Thanks for the suggestions, I like that AdAware program, very easy to use.
jm
Tuttle
August 14th, 2002, 05:24 AM
Alexa is an addin that sits in IE - it's annoying, but shouldn't cause that sort of behaviour.
Yes, it does appear that your PC is trying to connect to those web servers.
Have a play with TCPView (http://www.sysinternals.com/ntw2k/source/tcpview.shtml) and see if you can find the process which is initiating all those connections - that's probably your best starting point.
jerryctx
August 14th, 2002, 03:28 PM
Sounds like a Trojan is generating DDoS attacks against those sites. Try downloading the free Trojan scan from here:
http://www.webattack.com/get/ants.shtml
juliemass
August 14th, 2002, 06:11 PM
Thanks for the suggestions!
jerry, Ants is a very cool tool, very fast, just the way I like my scans. It didn't find anything though. Do you think there may actually still be a trojan somewhere on my computer, or was this all happening from a remote somehow?
Tuttle, TCPView is also great. I love that you can close a connection or end a process with just a quick click, and the port/connection activity is so easy to monitor because of the bright highlighting.
I had a problem-free day today, but I will keep an eye on that little TCPView monitor throughout the day to see what happens if/when all those weird syn-sents start again. Just what I need, another gizmo on my desktop....but I guess it's cheap insurance.
For what it's worth, I was without a firewall when the weirdness happened. I then installed TinyPersonalFirewall and had no problems, but I also had no notifications from Tiny that anything questionable was inbound or outbound, so maybe whatever it is, it is napping or on vacation. I guess it's just wait and see for now, or if there are any further suggestions I am all ears.
jm
jerryctx
August 14th, 2002, 06:32 PM
It is possible for a Trojan to hide from a firewall by hi-jacking an application you allow to access the net... typically your browser.
If it happens again, Ctrl-Alt-Del to see if your browser is active.
Daufuski
August 14th, 2002, 07:12 PM
Very interesting story of what is going on. You aren't by chance running IIS are you?
Tiny Firewall uses MD5 signatures to define applications and while it is possible, it is more difficult to fake an MD5.
DoD and NASA, could this be the long awaited magic lantern?
...dauf
jerryctx
August 14th, 2002, 07:31 PM
If you mean the FBI's rumored key logger why would they be sending to DOD, Ford, etc.?
Daufuski
August 14th, 2002, 08:19 PM
Just being funny really...
jerryctx
August 14th, 2002, 08:58 PM
I can see that now. I always enjoy a joke as soon as it's explained to me.
:D
juliemass
August 15th, 2002, 12:34 AM
Hi Daufuski! I really don't know what IIS is or if I am running it. It is not listed under TaskManager/Applications, but under TaskManager/Processes there is something called inetinfo.exe. Is this IIS? Is this a bad thing?
Hi jerryctx! During the workday I typically run at least 12 browser windows simultaneously, often as many as 30. So if this happens again, should I first close all the open browsers and then Ctrl-Alt-Del? What am I looking for when I Ctrl-Alt-Del? This will bring up TaskManager, so then I should just look at Applications to see what's running?
I like a good joke too, but the frightening thing is I have many password-protected accounts that I access daily using the computer and I'd hate to think anything's been compromised. If there's a keystroke logger at work here, then even if I change my passwords I am still compromised. Can't the scans detect a trojan that hijacked a browser or something other program?
If it helps, here are some more of the syn_sent foreign addresses:
UUNET Technologies
Trend Micro Incorporated
Akamai Technologies
Philip Morris International
IANA
No Match
Amateur Radio Digital Communications
Network Research Corporation Japan
Apple Computer, Inc
DuPont
European Regional Internet Registry
has no reverse DNS configured (many like this)
SAP AG
MCI Telecommunications
thanks,
jm
fink
August 15th, 2002, 08:05 AM
Hi.. have a look at this page and see if any of the info provided applies.
http://www1.worldcom.com/uunet/be/customer/alert/
It looks like there may be a Code Red infection on your PC which was alluded to by Jerryctx. Even if it isn't then there's a patch that is discussed on that page that prevents it in the future. Having inetinfo.exe in ctrl/alt/del shows that the patch, which is available from Microsoft, has not yet been applied to your machine.
juliemass
August 15th, 2002, 11:04 AM
Hi Fink, nice to see you again!
I found the link very informative. Yes it sounds very similar to what happened to me. I found the fix in the link somewhat confusing, so I went to Symantec and ran their CodeRed I and II detect/fix program. It said my system was vulnerable and that I had to download the patch before they could run the detection program. I downloaded SP2 (I didn't even have SP1) as well as the patch, ran Symantec, and no CodeRed was found. (BTW, inetinfo.exe still shows as a process in TaskManager.) I then went to TrendMicro and ran their CodeRedB and C detectors, I'm clean.
I wonder if I am safe now with patch in place and firewall in use. Would I be better off removing IIS completely? I've never used it, don't even know what it is. All I do is run W2000pro on 1 computer, I'm not doing any networking or server stuff.
Thanks,
jm
jerryctx
August 15th, 2002, 11:11 AM
Re ctrl+alt+del - Shut down all instances of IE, then look for Explorer listed by Task Manager.
Re key logger - Daufuski was joking. Your symptoms don't make sense for a key logger.
Actually, your symptoms don't make sense for a DDoS attack either. All the Syns would be to a single site. It's not a scan; the URLs would be in sequence. With 30 windows open is there any chance these are legit links?
juliemass
August 15th, 2002, 02:58 PM
Hi jerry,
Re ctrl+alt+del - Shut down all instances of IE, then look for Explorer? or look for IE?
Re sequence - netstat shows that my ports sequentially sent out syn_sents to different IPs...does the sequential nature of my ports sending out things indicate anything?
All the browsers are totally legit, stockbroker trading windows and charting windows and their related sites.
It sounds very much like the CodeRed explained in fink's link, but no trojan was found on my system. I hope this means that there actually is no trojan, rather than meaning there might be an undetectable trojan on my system.
Would some kind soul out there with W2000pro and with a trojan-free system look at their registry and tell me if this is what they have:
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\Scripts Value = d:\inetpub\scripts,,204
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\MSADC Value = d:\program files\common files\system\msadc,,205
All the other values for the keys on that path end in 201, except for the IISAdmin key which has a value ending in 5201.
Is this what you guys have?
Thanks,
jm
downtime
August 15th, 2002, 04:14 PM
Are you running a personal web server? Is dllhost also running? Look at this page to remove IIS.
http://www.microsoft.com/windows2000/en/server/iis/default.asp?url=/windows2000/en/server/iis/htm/core/iiiisin.htm
Yes, it's server, but when IIS is installed and active in pro, it's the same.
NOTE: IIS can be installed as part of other Microsoft products, such as Microsoft BackOffice and Microsoft Site Server. MDAC can be installed as part of other Microsoft products, such as Visual C and Microsoft Office.
Also have a try with this, it has solved some whacked McAfee stuff, and a couple of other mysteries for me.
http://www.webattack.com/get/bho.shtml
It's called bhocaptor.
Adaware might be a good idea, too.
Inetpub is the root directory for a web server.
Daufuski
August 15th, 2002, 06:57 PM
Looks like IIS is running and you will need to disable and uninstall it.
IIS is not needed if you are not hosting a website and should be uninstalled. It does appear you have some variation of a "Code Red", which isn't really a trojan at all, but a remote attacker.
Adding a few lines to Code Red to alter the IP of the places you were wanting to attack (NASA, DoD, PM, etc..) really isn't too difficult to achieve.
I know this isn't what you were wanting to hear, but you are very likely infected. Virus companies always have a solution on how to get your machine back, but your machine is rarely left unaffected. Personally, I would save all data I really needed, then do a low level format and reinstall the OS, but that is just me.
...dauf
juliemass
August 15th, 2002, 10:43 PM
Hi downtime, No I am not running a personal web server, dllhost is not running, but in Processes there are 2 svchost.exe running, if that matters. I have MDAC files on both my c: (W98) and d: (W2000). AdAware found nothing, and bhoc only found AcroIeHelper in the Adobe Acrobat folder. Yes I have an Inetpub folder on d:
Hi Daufuski, according to fink's link, CodeRed " installs a Trojan Horse on your system. A Trojan Horse allows external Internet users to get access to your computer, server or network. It is obvious this implies a real danger whereas security is concerned." And according to http://www.europe.f-secure.com/v-descs/bady.shtml
"The most important feature of Code Red II is that it installs a backdoor into systems it infects. This is accomplished by copying the standard Windows NT/2000 command interpreter "cmd.exe" into web server's "scripts" directory. "
What I want to know is, now that I have Tiny Personal Firewall running, is the back door closed? Do I even have a back door? In my D:\Inetpub\Scripts I have just 3 files, each of 0 size. I can't find anything that looks like cmd.exe in Inetpub.
jm
Daufuski
August 16th, 2002, 02:01 AM
As asked in your previous post about uninstalling IIS - definitely uninstall it if you are not using it.
As for various scanners not "seeing" a virus or trojan, changing parameters inside a virus or bug can sometimes fool AV scans. I have seen several known virus files, which when altered, could not be picked up by scans. So, it is possible to have a scan return a false "all clear".
If you have any of these you likely have Code Red:
c:\inetpub\scripts\root.exe
c:\progra~1\common~1\system\MSADC\root.exe
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe
these are well known and seem to be the same regardless of which variant.
Hope all goes well ...dauf
juliemass
August 16th, 2002, 02:59 AM
Hi Daufuski! None of those files are on my computer. I will uninstall IIS immediately.
jm
downtime
August 16th, 2002, 08:14 AM
Hi, Julie. I know the ports don't seem to match, but look at this bit from Steve Gibson's site.
All of the IRC Zombie/Bots open and maintain static connections to remote IRC chat servers whenever the host PC is connected to the Internet. Although it is possible for an IRC chat server to be configured to run on a port other than "6667", every instance I have seen has used the IRC default port of "6667".
Consequently, an active connection to an IRC server can be detected with the following command:
netstat -an | find ":6667"
Open an MS-DOS Prompt window and type the command line above, then press the "Enter" key. If a line resembling the one shown below is NOT displayed, your computer does not have an open connection to an IRC server running on the standard IRC port. If, however, you see something like this:
TCP 192.168.1.101:1026 70.13.215.89:6667 ESTABLISHED
. . . then the only question remaining is how quickly you can disconnect your PC from the Internet!
A second and equally useful test can also be performed. Since IRC servers generally require the presence of an "Ident" server on the client machine, IRC clients almost always include a local "Ident server" to keep the remote IRC server happy. Every one of the Zombie/Bots I have examined does this. Therefore, the detection of an Ident server running in your machine would be another good cause for alarm. To quickly check for an Ident server, type the following command at an MS-DOS Prompt:
netstat -an | find ":113 "
As before, a blank line indicates that there is no Ident server running on the default Ident port of "113". (Note the "space" after the 113 and before the closing double-quote.) If, however, you see something like this:
TCP 0.0.0.0:113 0.0.0.0:0 LISTENING
. . . then it's probably time to pull the plug on your cable-modem!
Also, there are progs that can piggyback on other processes. Once you uninstall IIS, keep an eye on the ports to see if your machine is still sending.
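As an added example, not part of this thread or of Gibson's page, the script below automates the triage the thread converges on: it parses `netstat -an` output and flags a burst of SYN_SENT connections to many unrelated hosts (the Code Red-style outbound scanning Julie saw), an ESTABLISHED connection to TCP 6667, and an Ident server LISTENING on TCP 113. The netstat sample, the IP addresses and the threshold of three distinct targets are all constructed for the demonstration.

```python
"""Triage helper for the symptoms in this thread: bursts of SYN_SENT connections
to many unrelated hosts plus the two IRC zombie indicators quoted from Gibson
(ESTABLISHED to remote port 6667, LISTENING on local port 113)."""
import re

# Constructed sample of Windows 2000 `netstat -an` output; not a real capture.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    192.168.1.101:1026     203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.101:1040     198.51.100.9:80        SYN_SENT
  TCP    192.168.1.101:1041     198.51.100.10:80       SYN_SENT
  TCP    192.168.1.101:1042     192.0.2.55:80          SYN_SENT
  TCP    192.168.1.101:1043     192.0.2.56:80          SYN_SENT
  UDP    0.0.0.0:137            *:*
"""

# Only TCP rows carry a state column; UDP rows and the header are skipped.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) per TCP row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            lip, lport, rip, rport, state = m.groups()
            rows.append((lip, int(lport), rip, int(rport), state))
    return rows

def triage(text, syn_threshold=3):
    """Map indicator name -> supporting detail; empty dict means nothing flagged."""
    rows = parse_netstat(text)
    findings = {}
    # Sequential local ports are normal for any burst of outgoing connections;
    # the suspicious part is many SYN_SENT rows to many *different* hosts.
    syn_targets = {rip for _, _, rip, _, st in rows if st == "SYN_SENT"}
    if len(syn_targets) >= syn_threshold:
        findings["outbound_scan"] = sorted(syn_targets)
    irc = [(rip, rport) for _, _, rip, rport, st in rows
           if st == "ESTABLISHED" and rport == 6667]
    if irc:
        findings["irc_connection"] = irc
    ident = [lport for _, lport, _, _, st in rows if st == "LISTENING" and lport == 113]
    if ident:
        findings["ident_listener"] = ident
    return findings

if __name__ == "__main__":
    for name, detail in triage(SAMPLE_NETSTAT).items():
        print(name, detail)
```

On a real machine, pipe `netstat -an` into the script or paste the output into `SAMPLE_NETSTAT`; a clean host returns an empty dict.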
virtualdr.com