Mysterious Attempts to connect

Ewen, this is what happened when I tried to open your document with the App Monitoring explanation:

http://nikos.no-ip.org/test/mTorrent.jpg

These two are from after a visit to my webpage:

http://nikos.no-ip.org/test/Trojan_PHP.jpg

http://nikos.no-ip.org/test/Trojan_CGI.jpg

Are these signs of trojans?!

Hi,

It would appear these are signs of trojans. Is anything else detecting suspicious files besides NOD32? I noticed you had Ewido installed; does that come up with anything? I would send these samples to Comodo to see what they come up with (just use the submit feature in your Comodo Firewall).

For the mTorrent picture, only Comodo warned me. What was that about? All that just by opening Word to read Ewen's text?!

As for the other two, only NOD found them; Ewido, I guess, was sleeping at the moment! Thank NOD!

Forgot to mention that I placed my b0x in the wild @rootcontest.org, which might explain the last two trojan attacks through some CGI vulnerability in nikos.no-ip.org, but the first one?

Am I infected?!

At the moment I write this, Comodo warns me that my computer is sending thousands of UDP connection attempts to hosts around the world. Any idea why?

It says the parent is Explorer.exe, which initiated uTorrent to act like this:

What is happening?!

I must be seriously infected!

Hello,

If what you say is true, then you are most likely infected with a virus and it is trying to infect others by using your internet connection. First, what we should try to do is stop the virus from running in the first place: if you can find out what the main file is that is using explorer.exe and the other items, disable it from your startup, then reboot and see what happens. Also try doing a Trend Micro HouseCall scan; if it finds anything, it will remove it. I would also recommend downloading and installing BitDefender 8 Free Edition; it is very good at detecting Trojans/Worms and other malware.

Good Luck,

Justin

Only for you Nikos… :wink: I tried to download that rs_c99.php (login-hack?) from http://loginhack.by.ru/ and my NOD32 reacted with the same popup. I hope it stays in quarantine… :o

Hey Nikos,

It was only a Word document. I took my hard drive out, connected it to a box that's kept as standalone and reimaged daily (for integrity's sake) and I've scanned it using CAVS, AVG, NAV, NOD32, S&D, Ewido and they've found nothing. Whatever is on your box, and there IS something on there, I'm certain it didn't come from me.

All the doc contained were a series of screenshots showing how to setup a specific app for a specific port.

Ewen :slight_smile:

Can I download that doc from somewhere and try it out?

PM me an email address and I’ll email it to you.

ewen :slight_smile:

Panic (not Ewen :slight_smile:), thank you for the test you did.
Of course in my initial post I had no intention to accuse you of anything; it was just agony and curiosity as to what happened, because I don't know why these things happened when I tried to use WinWord, which I denied. Something is going on with my PC for sure.

A rootcontest attacker might have exploited my Apache web server configuration or a flaw in some of my cgi-bin Perl scripts to infect me; I am continuing to look into this…

PS. Cool doc, by the way! :slight_smile:

No worries. I just wanted to make certain it hadn't come from me.

cheers,
ewen :slight_smile:

Greetings,

Nikos,
I think you should wait a while before starting to point fingers at, or accuse, either Panic or an RC member for your attacks.

On the other hand, if you feel your web server or any other services you're running have been exploited by an RC member? If that's true, then you should have received or will receive a FULL report on:

  • How it was exploited (step-by-step)

  • How to patch it up and secure the corresponding service that was exploited

  • And lastly, a general report on how to secure whatever services you're running

That being said, I would like you to follow the steps suggested by justin1278 on doing an online scan.

Thanks,
rki.

rki please,

I didn't accuse Panic of anything; I was just stating the fact that the last screenshot I posted in my initial post happened immediately after I tried to open Winword.exe.

Panic has helped me and other Comodo members a great deal in this forum, and the last thing I was going to do was accuse him. The man tried to make a full screenshot explaining the use of a specific port for a specific app through App Monitor; why would I want to accuse him?!
It was just the ■■■■ trojan I got infected with that even tried to use WinWord to do its dirty jobs.

As for RC, I was the one who put my b0x in the wild, so I am not accusing anyone.
Yesterday my PC was going crazy asking for concurrent UDP out connections, and I also noticed a lot of load/traffic on my webpage. An RC member deleted an app I have on vault.pl and uploaded something called "pen-test RC", so that is how I know that he was an RC member!

I don't accuse the guy (he did a great job), since I asked for my b0x to be tried to be fully exploited/penetrated.

I am just anxious to see how these kewl RC guys did the fine job :slight_smile:

Please don't accuse me of accusing people, because this never happened.
I am sorry if I have given such an impression for some reason…

Greetings,
My apologies too (it was just your impression that caught me up) (:TNG) (:WIN)

Thanks - You should receive a FULL report soon (as I've described below) (:KWL)

Oh wait… why is this on a CPF forum? Shouldn't you be posting this on the RC forums (again)?

Thanks,
rki.

Yes, this should belong on the RC forums, but it was also needed here for clarification as to why/how such an attack would happen (background information) :wink:

rki/Nikos

I think we'd all be interested to know the "what and how" of this. So, please feel free to post any feedback here… despite it potentially being an RC issue.

Thanks…

Of course.
A NOD32 full scan didn't come up with anything. Should I try TrendMicro as well, or is NOD enough?

IMHO, I don't think that TrendMicro would find anything that NOD32 didn't. But… first things first, I think the best course of action would be to post on the RC forums and confirm whether an RC-based "friendly attack" had successfully taken place or not. And if so, what was done.

If you find out that it wasn't an RC user, then scan your system with anything and everything you can get your hands on (AVs, anti-malware, anti-rootkits, kitchen sink, etc…).

BUT… after re-reading your posts, I do have a question: How long has it been since you last used Word prior to the first CPF pop-up in this topic?

These RC guys are really GREAT hackers!

Five minutes ago I went to check my webpage and guess what?! It was hacked entirely!
See for yourself: http://nikos.no-ip.org

Indications:

a) No index.html at the webserver root. Without that you can see the full listing of folders and files, except for a private directory that I have encrypted and hidden with some neat tool :slight_smile: Thank God for that!

b) Here is a screenshot of cgi-bin, which you can't see because Apache does not permit it:
http://nikos.no-ip.org/test/Hacked_CGI_Bin.jpg

Do you see the 6 CGITemp files still there? What are these? They don't open with any editor I tried. Some of them are zero bytes and some are 36 bytes long. Any clue?

I don't mind at all getting hacked, and no, I am not crazy :slight_smile:
Now that I've got hacked I do KNOW that my system security is NOT adequate, and I am still working on it, now even more…

One thing that surprises me is the ease of passing that bogus data into my server through my hardware NAT/firewall modem/router and then through Comodo.

But to catch your thought: yes, I have port forwarding enabled in both my router and Comodo so the outside world can view my webpage.

So I guess that maybe I have a flaw in my Apache configuration, or a flaw in the CGI Perl script I wrote.

Please, the kewl guys that compromised my security, inform me in detail.

Please feel free to jump in and share your thoughts with me, so we can all learn something more out of this; it will be very appreciated.

PS. I am posting this at RC in 30 secs, rki :wink:
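Indication (a) above, a full file listing when index.html is missing, is the behaviour of Apache's `Options Indexes` (mod_autoindex), not of a hack as such: the intrusion only exposed a setting that was already there. The fragment below is an added example from the editor, not configuration posted by anyone in this thread; the paths are hypothetical placeholders and the access-control lines use Apache 2.2 syntax, with the 2.4 equivalent noted in a comment.

```apache
# Weak: listings enabled on the document root. When a directory has no
# index file, mod_autoindex returns the full list of files and folders,
# which is exactly what the missing index.html exposed.
<Directory "/var/www/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>

# Hardened: no listings, no symlink following, no per-directory overrides.
# A request for a directory without an index file now gets 403 instead.
<Directory "/var/www/htdocs">
    Options -Indexes -FollowSymLinks
    AllowOverride None
    DirectoryIndex index.html
</Directory>

# cgi-bin: keep it outside the document root and reach it only through
# ScriptAlias, so Perl scripts are executed but never served as source.
# Only *.pl and *.cgi are handled as CGI; anything else in the directory
# (stray temp files, backups, uploaded payloads) is denied outright.
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    Options -Indexes -FollowSymLinks
    AllowOverride None
    <FilesMatch "\.(pl|cgi)$">
        SetHandler cgi-script
    </FilesMatch>
    # Negative lookahead: every file NOT ending in .pl or .cgi.
    # Apache 2.4 replaces the two lines inside with: Require all denied
    <FilesMatch "^(?!.*\.(pl|cgi)$).*$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>
```

Two caveats a practitioner would check. First, `-Indexes` only hides the listing; any file whose name is known or guessable is still served, so a leaked URL to a spool or backup file works regardless, and sensitive material belongs outside the document root, not merely unlisted. Second, the NAT router and Comodo port-forward TCP/80 to Apache unchanged; neither inspects HTTP, so a request that abuses an Apache option or a bug in a Perl CGI passes both of them by design, and the hardening has to happen in httpd.conf and in the script. On the CGITemp files: `CGItemp` followed by digits is the prefix Perl's CGI.pm gives the temporary files it spools multipart uploads into, and zero-byte ones are typical of aborted uploads; whether that is what the screenshot shows cannot be confirmed from the thread, but the deny rule above keeps such files from ever being served.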