Am I under attack?

Thread: Am I under attack?

  1. #1
    Join Date
    Aug 2000
    Posts
    205

    Am I under attack?

    I was running as Power User in W2K and was preparing to shut down for the day when I noticed a lot of activity on my communications meter. Even though all my browsers were closed, there was a lot of data leaving my computer. I ran netstat; here is a tiny sample of the first netstat run:

    Proto Local Address Foreign Address State
    TCP local:2302 175.211.228.122:http SYN_SENT
    TCP local:2303 32.214.3.193:http SYN_SENT
    TCP local:2305 103.44.69.54:http SYN_SENT
    TCP local:2306 215.156.109.25:http SYN_SENT
    TCP local:2307 42.125.64.68:http SYN_SENT
    TCP local:2308 22.49.241.145:http SYN_SENT
    TCP local:2309 4.118.141.182:http SYN_SENT
    TCP local:2310 103.94.248.146:http SYN_SENT
    TCP local:2311 148.63.65.31:http SYN_SENT
    TCP local:2312 126.111.60.135:http SYN_SENT
    TCP local:2313 19.17.233.166:http SYN_SENT
    TCP local:2314 139.169.124.80:http SYN_SENT
    etc etc etc

    Some of these foreign addresses are Department of Defense, NASA, and Ford Motor Company. What the heck???

    I shut down, rebooted into W2K as Admin, and right away it started again, netstat showing more consecutive ports being SYN_SENT to weird foreign addresses.

    I ran PestPatrol and HouseCall online AV, nothing detected.

    I found the following definition: "SYN-SENT - represents waiting for a matching connection request after having sent a connection request."

    What's happening here? Is my computer trying to talk to NASA or The Defense Department?


    Thanks,

    jm

  2. #2
    Join Date
    Jan 2000
    Location
    Brooklyn, New York, USA
    Posts
    1,264
    You might want to run AdAware and install Zone Alarm.

    ZA will let you know which program on your computer is trying to contact out.

    Doc

  3. #3
    Join Date
    Aug 2000
    Posts
    205
    Hi Doc,

    I ran AdAware, it found and deleted something in the registry called Alexa. I also reinstalled Tiny Personal Firewall so I'll see if i can spot the culprit.

    Thanks for the suggestions, I like that AdAware program, very easy to use.

    jm

  4. #4
    Join Date
    Feb 2001
    Location
    Adelaide, South Australia
    Posts
    6,447
    Alexa is an addin that sits in IE - it's annoying, but shouldn't cause that sort of behaviour.

    Yes, it does appear that your PC is trying to connect to those web servers.

    Have a play with TCPView and see if you can find the process which is initiating all those connections - that's probably your best starting point.

  5. #5
    Join Date
    Dec 2000
    Location
    Dallas, TX USA
    Posts
    2,916
    Sounds like a Trojan is generating DDoS attacks against those sites. Try downloading the free Trojan scan from here:


    http://www.webattack.com/get/ants.shtml

  6. #6
    Join Date
    Aug 2000
    Posts
    205
    Thanks for the suggestions!

    jerry, Ants is a very cool tool, very fast, just the way I like my scans. It didn't find anything though. Do you think there may actually still be a trojan somewhere on my computer, or was this all happening from a remote somehow?

    Tuttle, TCPView is also great. I love that you can close a connection or end a process with just a quick click, and the port/connection activity is so easy to monitor because of the bright highlighting.

    I had a problem-free day today, but I will keep an eye on that little TCPView monitor throughout the day to see what happens if/when all those weird syn-sents start again. Just what I need, another gizmo on my desktop....but I guess it's cheap insurance.

    For what it's worth, I was without a firewall when the weirdness happened. I then installed Tiny Personal Firewall and had no problems, but I also had no notifications from Tiny that anything questionable was inbound or outbound, so maybe whatever it is, it is napping or on vacation. I guess it's just wait and see for now, or if there are any further suggestions I am all ears.

    jm

  7. #7
    Join Date
    Dec 2000
    Location
    Dallas, TX USA
    Posts
    2,916
    It is possible for a Trojan to hide from a firewall by hi-jacking an application you allow to access the net... typically your browser.

    If it happens again, Ctrl-Alt-Del to see if your browser is active.

  8. #8
    Join Date
    Mar 2001
    Location
    East Coast
    Posts
    641
    Very interesting story of what is going on. You aren't by chance running IIS are you?

    Tiny Firewall uses MD5 signatures to define applications and while it is possible it is more difficult to fake a MD5.

    DoD and NASA, could this be the long awaited magic lantern?

    ...dauf

  9. #9
    Join Date
    Dec 2000
    Location
    Dallas, TX USA
    Posts
    2,916
    If you mean the FBI's rumored key logger why would they be sending to DOD, Ford, etc.?

  10. #10
    Join Date
    Mar 2001
    Location
    East Coast
    Posts
    641
    Just being funny really...

  11. #11
    Join Date
    Dec 2000
    Location
    Dallas, TX USA
    Posts
    2,916
    I can see that now. I always enjoy a joke as soon as it's explained to me.


  12. #12
    Join Date
    Aug 2000
    Posts
    205
    Hi Daufuski! I really don't know what IIS is or if I am running it. It is not listed under TaskManager/Applications, but under TaskManager/Processes there is something called inetinfo.exe. Is this IIS? Is this a bad thing?

    Hi jerryctx! During the workday I typically run at least 12 browser windows simultaneously, often as many as 30. So if this happens again, should I first close all the open browsers and then Ctrl-Alt-Del? What am I looking for when I Ctrl-Alt-Del? This will bring up TaskManager, so then I should just look at Applications to see what's running?

    I like a good joke too, but the frightening thing is I have many password-protected accounts that I access daily using the computer and I'd hate to think anything's been compromised. If there's a keystroke logger at work here, then even if I change my passwords I am still compromised. Can't the scans detect a trojan that hijacked a browser or something other program?

    If it helps, here's some more of the syn_sent foreign addresses:


    UUNET Technologies
    Trend Micro Incorporated
    Akamai Technologies
    Philip Morris International
    IANA
    No Match
    Amateur Radio Digital Communications
    Network Research Corporation Japan
    Apple Computer, Inc
    DuPont
    European Regional Internet Registry
    has no reverse DNS configured (many like this)
    SAP AG
    MCI Telecommunications


    thanks,

    jm

  13. #13
    Join Date
    Jul 1998
    Location
    Toronto
    Posts
    26,541
    Hi.. have a look at this page and see if any of the info provided applies.

    http://www1.worldcom.com/uunet/be/customer/alert/

    It looks like there may be a Code Red infection on your PC which was alluded to by Jerryctx. Even if it isn't then there's a patch that is discussed on that page that prevents it in the future. Having inetinfo.exe in ctrl/alt/del shows that the patch, which is available from Microsoft, has not yet been applied to your machine.

  14. #14
    Join Date
    Aug 2000
    Posts
    205
    Hi Fink, nice to see you again!

    I found the link very informative. Yes, it sounds very similar to what happened to me. I found the fix in the link somewhat confusing, so I went to Symantec and ran their CodeRed I and II detect/fix program. It said my system was vulnerable and that I had to download the patch before they could run the detection program. I downloaded SP2 (I didn't even have SP1) as well as the patch, ran Symantec, and no CodeRed was found. (BTW, inetinfo.exe still shows as a process in TaskManager.) I then went to TrendMicro and ran their CodeRedB and C detectors; I'm clean.

    I wonder if I am safe now with patch in place and firewall in use. Would I be better off removing IIS completely? I've never used it, don't even know what it is. All I do is run W2000pro on 1 computer, I'm not doing any networking or server stuff.

    Thanks,

    jm

  15. #15
    Join Date
    Dec 2000
    Location
    Dallas, TX USA
    Posts
    2,916
    Re ctrl+alt+del - Shut down all instances of IE, then look for Explorer listed by Task Manager.

    Re key logger - Daufuski was joking. Your symptoms don't make sense for a key logger.

    Actually, your symptoms don't make sense for a DDoS attack either. All the Syns would be to a single site. It's not a scan; the URLs would be in sequence. With 30 windows open is there any chance these are legit links?
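As an added example (not code posted in this thread): a small Python script that parses a netstat table like the one quoted in the first post and applies the reasoning from the last reply to the SYN_SENT rows. It separates the three hypotheses the thread raises, a flood toward one host, a sequential address sweep, and a burst of half-open HTTP connections to many unrelated hosts from successive local ports (the pattern that fits worm propagation from an unpatched IIS, as the Code Red reply suggests). The six SYN_SENT lines are copied from the thread; the ESTABLISHED line, the threshold of five pending connections, the 80% single-host share and the span test in _tight_run are constructed assumptions chosen for illustration.

```python
"""Triage a netstat table the way the thread reasons about it."""
import ipaddress
from collections import Counter

# Constructed sample: the six SYN_SENT lines are copied from the first post;
# the ESTABLISHED line is made up to show a benign connection being ignored.
NETSTAT_SAMPLE = """\
Proto Local Address Foreign Address State
TCP local:2302 175.211.228.122:http SYN_SENT
TCP local:2303 32.214.3.193:http SYN_SENT
TCP local:2305 103.44.69.54:http SYN_SENT
TCP local:2306 215.156.109.25:http SYN_SENT
TCP local:2307 42.125.64.68:http SYN_SENT
TCP local:2308 22.49.241.145:http SYN_SENT
TCP local:1045 10.0.0.5:pop3 ESTABLISHED
"""


def split_addr(addr):
    """'host:port' -> (host, port); port may be a service name such as 'http'."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_netstat(text):
    """Turn the 'Proto Local Foreign State' table into a list of dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0].upper() not in ("TCP", "UDP"):
            continue  # header line, blank line, or a shape we do not handle
        proto, local, foreign, state = parts
        _, lport = split_addr(local)
        fhost, fport = split_addr(foreign)
        rows.append({"proto": proto.upper(), "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state})
    return rows


def _tight_run(ints, slack=2):
    """True when the sorted values sit in a span narrower than slack * count.

    Deliberately loose (assumed threshold): the poster's local ports skip 2304,
    so an exact +1 sequence would be too strict.
    """
    s = sorted(set(ints))
    return len(s) >= 2 and (s[-1] - s[0]) < slack * len(s)


def _ports_as_ints(rows):
    try:
        return [int(r["lport"]) for r in rows]
    except ValueError:
        return []  # a service name rather than a number


def _hosts_as_ints(rows):
    try:
        return [int(ipaddress.ip_address(r["fhost"])) for r in rows]
    except ValueError:
        return []  # a hostname rather than a literal address


def assess_syn_sent(rows, min_count=5):
    """Apply the thread's three hypotheses to half-open outbound connections.

    SYN_SENT means this host sent a SYN and no SYN/ACK has come back yet; a
    burst of them toward many unrelated hosts is what the poster saw.
    """
    pending = [r for r in rows if r["state"] == "SYN_SENT"]
    hosts = Counter(r["fhost"] for r in pending)
    ports = Counter(r["fport"] for r in pending)
    result = {
        "pending": len(pending),
        "distinct_hosts": len(hosts),
        "local_ports_consecutive": False,
        "foreign_hosts_sequential": False,
        "verdict": "nothing notable",
    }
    if len(pending) < min_count:  # assumed threshold for a "burst"
        return result
    result["local_ports_consecutive"] = _tight_run(_ports_as_ints(pending))
    result["foreign_hosts_sequential"] = _tight_run(_hosts_as_ints(pending))
    top_share = hosts.most_common(1)[0][1] / len(pending)
    web_only = set(ports) <= {"http", "80"}
    if top_share >= 0.8:  # assumed threshold: most SYNs aimed at one host
        result["verdict"] = "flood toward a single host (DDoS-style)"
    elif result["foreign_hosts_sequential"]:
        result["verdict"] = "sequential address sweep (scan)"
    elif web_only and len(hosts) == len(pending):
        result["verdict"] = ("random hosts on port 80 from successive local "
                             "ports: consistent with worm propagation such as "
                             "Code Red from an unpatched IIS; identify the "
                             "owning process")
    else:
        result["verdict"] = "many half-open connections; identify the owning process"
    return result


if __name__ == "__main__":
    for key, value in assess_syn_sent(parse_netstat(NETSTAT_SAMPLE)).items():
        print(f"{key}: {value}")
```

Run it as-is and the sample classifies as the third case; the verdict only narrows the hypothesis, and the next step is still the one the thread gives, mapping the connections to a process with TCPView and checking whether IIS (inetinfo.exe) is running and patched.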
