-
Hi jerry,
Re ctrl+alt+del - Shut down all instances of IE, then look for Explorer? Or look for IE?
Re sequence - netstat shows that my ports sequentially sent out SYN_SENTs to different IPs... does the sequential nature of my ports sending out things indicate anything?
All the browsers are totally legit, stockbroker trading windows and charting windows and their related sites.
It sounds very much like the CodeRed explained in fink's link, but no trojan was found on my system. I hope this means that there actually is no trojan, rather than meaning there might be an undetectable trojan on my system.
Would some kind soul out there with W2000pro and with a trojan-free system look at their registry and tell me if this is what they have:
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\Scripts Value = d:\inetpub\scripts,,204
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\MSADC Value = d:\program files\common files\system\msadc,,205
All the other values for the keys on that path end in 201, except for the IISAdmin key, which has a value ending in 5201.
Is this what you guys have?
Thanks,
jm
-
Are you running a personal web server? Is dllhost also running? Look at this page to remove IIS.
http://www.microsoft.com/windows2000...re/iiiisin.htm
Yes, it's server, but when IIS is installed and active in pro, it's the same.
NOTE: IIS can be installed as part of other Microsoft products, such as Microsoft BackOffice and Microsoft Site Server. MDAC can be installed as part of other Microsoft products, such as Visual C and Microsoft Office.
Also have a try with this; it has solved some whacked McAfee stuff and a couple of other mysteries for me.
http://www.webattack.com/get/bho.shtml
It's called bhocaptor.
Adaware might be a good idea, too.
Inetpub is the root directory for a web server.
-
Looks like IIS is running and you will need to disable and uninstall it.
IIS is not needed if you are not hosting a website and should be uninstalled. It does appear you have some variation of a "Code Red", which isn't really a trojan at all, but a remote attacker.
Adding a few lines to Code Red to alter the IP of the places you were wanting to attack (NASA, DoD, PM, etc.) really isn't too difficult to achieve.
I know this isn't what you were wanting to hear, but you are very likely infected. Virus companies always have a solution on how to get your machine back, but your machine is rarely left unaffected. Personally, I would save all data I really needed, then do a low level format and reinstall the OS, but that is just me.
...dauf
-
Hi downtime, No I am not running a personal web server, dllhost is not running, but in Processes there are 2 svchost.exe running, if that matters. I have MDAC files on both my c: (W98) and d: (W2000). Adaware found nothing, and bhoc only found AcroIeHelper in the Adobe Acrobat folder. Yes I have an Inetpub folder on d:
Hi Daufuski, according to fink's link, CodeRed "installs a Trojan Horse on your system. A Trojan Horse allows external Internet users to get access to your computer, server or network. It is obvious this implies a real danger whereas security is concerned." And according to http://www.europe.f-secure.com/v-descs/bady.shtml
"The most important feature of Code Red II is that it installs a backdoor into systems it infects. This is accomplished by copying the standard Windows NT/2000 command interpreter "cmd.exe" into web server's "scripts" directory. "
What I want to know is, now that I have Tiny Personal Firewall running, is the back door closed? Do I even have a back door? In my D:\Inetpub\Scripts I have just 3 files, each of 0 size. I can't find anything that looks like cmd.exe in Inetpub.
jm
-
As asked in your previous post about uninstalling IIS - definitely uninstall it if you are not using it.
As for various scanners not "seeing" a virus or trojan, changing parameters inside a virus or bug can sometimes fool AV scans. I have seen several known virus files, which when altered, could not be picked up by scans. So, it is possible to have a scan return a false "all clear".
If you have any of these you likely have Code Red:
c:\inetpub\scripts\root.exe
c:\progra~1\common~1\system\MSADC\root.exe
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe
These are well known and seem to be the same regardless of which variant.
Hope all goes well ...dauf
-
Hi Daufuski! None of those files are on my computer. I will uninstall IIS immediately.
jm
-
Hi, Julie. I know the ports don't seem to match, but look at this bit from Steve Gibson's site.
All of the IRC Zombie/Bots open and maintain static connections to remote IRC chat servers whenever the host PC is connected to the Internet. Although it is possible for an IRC chat server to be configured to run on a port other than "6667", every instance I have seen has used the IRC default port of "6667".
Consequently, an active connection to an IRC server can be detected with the following command:
netstat -an | find ":6667"
Open an MS-DOS Prompt window and type the command line above, then press the "Enter" key. If a line resembling the one shown below is NOT displayed, your computer does not have an open connection to an IRC server running on the standard IRC port. If, however, you see something like this:
TCP 192.168.1.101:1026 70.13.215.89:6667 ESTABLISHED
. . . then the only question remaining is how quickly you can disconnect your PC from the Internet!
A second and equally useful test can also be performed. Since IRC servers generally require the presence of an "Ident" server on the client machine, IRC clients almost always include a local "Ident server" to keep the remote IRC server happy. Every one of the Zombie/Bots I have examined does this. Therefore, the detection of an Ident server running in your machine would be another good cause for alarm. To quickly check for an Ident server, type the following command at an MS-DOS Prompt:
netstat -an | find ":113 "
As before, a blank line indicates that there is no Ident server running on the default Ident port of "113". (Note the "space" after the 113 and before the closing double-quote.) If, however, you see something like this:
TCP 0.0.0.0:113 0.0.0.0:0 LISTENING
. . . then it's probably time to pull the plug on your cable-modem!
Also, there are progs that can piggyback on other processes. Once you uninstall IIS, keep an eye on the ports to see if your machine is still sending.
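The three checks discussed in this thread (Gibson's `netstat -an | find ":6667"` and `find ":113 "` tests, and the original poster's observation of a run of SYN_SENT entries going out from consecutive local ports to different IPs) can all be run over one `netstat -an` capture. The script below is an added example, not code from the thread or from Gibson's site: it parses the text of `netstat -an` and flags each of the three patterns. The `SAMPLE_NETSTAT` text is constructed for the demo (it reuses the two example lines quoted from Gibson plus a made-up SYN_SENT burst to RFC 5737 documentation addresses); to use it on a real machine, pipe `netstat -an` into it. The threshold of five distinct targets for the burst check is an assumption chosen for illustration.

```python
"""Triage `netstat -an` output for the indicators discussed in this thread."""
import re
import sys
from collections import namedtuple

Conn = namedtuple("Conn", "proto laddr lport raddr rport state")

# One netstat -an row: proto, local addr:port, foreign addr:port, optional state.
# Ports may be '*' on UDP rows ("*:*").
_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+?):(\d+|\*)\s+(\S+?):(\d+|\*)\s*(\S+)?\s*$"
)

IRC_PORT = 6667     # default IRC port used by the zombies Gibson describes
IDENT_PORT = 113    # local Ident server the bots run for the IRC server
MIN_TARGETS = 5     # assumed threshold for calling a SYN_SENT run a scan

# Constructed sample: Gibson's two quoted lines plus a fabricated outbound burst.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.101:1026     70.13.215.89:6667      ESTABLISHED
  TCP    192.168.1.101:1040     192.0.2.10:80          ESTABLISHED
  TCP    192.168.1.101:1041     198.51.100.7:80        SYN_SENT
  TCP    192.168.1.101:1042     198.51.100.8:80        SYN_SENT
  TCP    192.168.1.101:1043     203.0.113.4:80         SYN_SENT
  TCP    192.168.1.101:1044     203.0.113.9:80         SYN_SENT
  TCP    192.168.1.101:1045     198.51.100.21:80       SYN_SENT
  TCP    192.168.1.101:1046     203.0.113.77:80        SYN_SENT
  UDP    0.0.0.0:137            *:*
"""


def _port(s):
    return None if s == "*" else int(s)


def parse_netstat(text):
    """Turn the text of `netstat -an` into Conn tuples; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        conns.append(Conn(proto, laddr, _port(lport), raddr, _port(rport), state or ""))
    return conns


def irc_connections(conns):
    """Gibson's first check: an ESTABLISHED TCP session to a remote :6667."""
    return [c for c in conns
            if c.proto == "TCP" and c.rport == IRC_PORT and c.state == "ESTABLISHED"]


def ident_listeners(conns):
    """Gibson's second check: something LISTENING on local TCP port 113."""
    return [c for c in conns
            if c.proto == "TCP" and c.lport == IDENT_PORT and c.state == "LISTENING"]


def syn_sent_burst(conns, min_targets=MIN_TARGETS):
    """The poster's symptom: many SYN_SENT rows to different hosts.

    Returns (distinct_targets, remote_ports, local_ports_consecutive), or None
    when fewer than min_targets distinct hosts are being contacted. Consecutive
    local ports mean the sockets were opened back to back, which is what an
    automated scanner looks like in netstat.
    """
    pending = sorted((c for c in conns if c.proto == "TCP" and c.state == "SYN_SENT"),
                     key=lambda c: c.lport)
    targets = {c.raddr for c in pending}
    if len(targets) < min_targets:
        return None
    lports = [c.lport for c in pending]
    consecutive = lports == list(range(lports[0], lports[0] + len(lports)))
    return (len(targets), tuple(sorted({c.rport for c in pending})), consecutive)


def triage(text):
    """Run all three checks over one netstat capture."""
    conns = parse_netstat(text)
    return {"irc": irc_connections(conns),
            "ident": ident_listeners(conns),
            "syn_burst": syn_sent_burst(conns)}


if __name__ == "__main__":
    # Usage: netstat -an | python netstat_triage.py   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for name, hit in triage(text).items():
        print(f"{name}: {hit if hit else 'nothing found'}")
```

On the sample the script reports the IRC session, the Ident listener, and a burst of six SYN_SENTs to six distinct hosts on port 80 from six consecutive local ports. Any one of those on a machine that is not running an IRC client or a web server is worth pulling the plug over, as the quoted text says; the burst check in particular matches the "sending out to different IPs" behaviour described earlier in the thread rather than a single listening port.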