network hijacked

169.254.243.56 is now blocked

NetRange: 169.254.0.0 - 169.254.255.255
CIDR: 169.254.0.0/16
OriginAS:
NetName: LINKLOCAL-RFC3927-IANA-RESERVED
NetHandle: NET-169-254-0-0-1
Parent: NET-169-0-0-0-0
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This is the "link local" block. It was set
Comment: aside for this special use in the Standards
Comment: Track document, RFC 3927 and was further
Comment: documented in the Best Current Practice
Comment: RFC 5735, which can be found at:
Comment: http://www.rfc-editor.org/rfc/rfc3927.txt
Comment: http://www.rfc-editor.org/rfc/rfc5735.txt
Comment: It is allocated for communication between hosts
Comment: on a single link. Hosts obtain these addresses
Comment: by auto-configuration, such as when a DHCP
Comment: server cannot be found.
Comment: A router MUST NOT forward a packet with an IPv4
Comment: Link-Local source or destination address,
Comment: irrespective of the router's default route configuration
Comment: or routes obtained from dynamic routing protocols.
Comment: A router which receives a packet with an IPv4
Comment: Link-Local source or destination address MUST NOT
Comment: forward the packet. This prevents forwarding of
Comment: packets back onto the network segment from which
Comment: they originated, or to any other segment.
RegDate: 1998-01-27
Updated: 2010-03-15
Ref: http://whois.arin.net/rest/net/NET-169-254-0-0-1

OrgName: Internet Assigned Numbers Authority
OrgId: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US
RegDate:
Updated: 2004-02-24
Ref: http://whois.arin.net/rest/org/IANA

OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: abuse@iana.org
OrgTechRef: http://whois.arin.net/rest/poc/IANA-IP-ARIN

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: abuse@iana.org
OrgAbuseRef: http://whois.arin.net/rest/poc/IANA-IP-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

Please read here.

nimda was a detected trojan on port 445

common file sharing and microsoft.de use this port as well…

a BSOD also happened during the hijack… saying bad pool call…

no this was not me enabling stealth ports… this happened while ports were stealthed

all pc’s in the network are not able to connect, and are given this ip addy… instead of the actual router…

it is a trojan apparently… with a ping time of 10ms… its origin is inside the network, or very close to us…

Port,Trojan(s),Description,Response time
-,Port open (1),
,21,PORT_21_TROJANS,ADM worm, Back Construction, Blade Runner, BlueFire, Bmail, Cattivik FTP Server, CC Invader, Dark FTP, Doly Trojan, FreddyK, Invisible FTP, KWM, MscanWorm, NerTe, NokNok, Pinochet, Ramen, Reverse Trojan, RTB 666, The Flu, WinCrash, Voyager Alpha Force,12

This does not seem like a bug/issue, so I’ll move this to help until this is clarified if you don’t mind

Best wishes

Mouse

How do you know it was Nimda?

a BSOD also happened during the hijack.. saying bad pool call..
Do you have a minidump in c:\windows\minidump
no this was not me enabling stealth ports... this happened while ports were stealthed

all pc’s in the network are not able to connect, and are given this ip addy… instead of the actual router…


Can you please post a screenshot of your global rules, it could be possible there are rules that allow incoming local traffic to TCP445 so it’s not caused by stealth but the traffic is allowed.

it is a trojan apparently.. with a ping time of 10ms... its origin is inside the network, or very close to us..

Port,Trojan(s),Description,Response time
-,Port open (1),
,21,PORT_21_TROJANS,ADM worm, Back Construction, Blade Runner, BlueFire, Bmail, Cattivik FTP Server, CC Invader, Dark FTP, Doly Trojan, FreddyK, Invisible FTP, KWM, MscanWorm, NerTe, NokNok, Pinochet, Ramen, Reverse Trojan, RTB 666, The Flu, WinCrash, Voyager Alpha Force,12


Not sure where this output is from, but how do you determine who the source of this attack is?
Port 21 is normally owned by FTP server, are you running FTP server on that system?

well, it was detected, that’s all i can say for sure… using axence net tools and scanning my ports on the local network gives open port 21 and nimda

no we do not have an ftp server, and this port should not be open.

svchost.exe is acting strangely and is using ports 21 and 445

it even is registering its own ip addy with our router… separately from any of the other pc’s in the network

and this is a serious issue, and a bug as comodo cannot prevent these connections… i’ve blocked them individually… and cannot block any ports…

i cannot terminate the individual connections, and blocking all, the connections still persist…

i have to go to work now so i’ll leave this info you requested… hopefully we can correct this.

another pc named runthemd was logged on the same ip that my pc used for a short time. blocking this allowed my pc to gain internet and work correctly

but a round of dos and port scans followed…

svchost.exe seems to be a part of this…

i ran a registry cleaner from auslogics to try and correct other issues

i also removed the aforementioned ip from the block list… until i see it trying to gain access again… i have also reported it to comcast

[attachment deleted by admin]

runthemd is my house guest’s pc… which uses wifi, but should not have been able to be assigned the same ip as another pc using that one… so not the offending pc… i’ve loaded comodo on his pc, since he had nothing…

10.0.0.12 is an unauthorized access, and not an ip registered to any pc at any time in the past; this is an ip given to svchost.exe for some strange reason… it is not visible in the attached devices router logs…

so maybe this is a pc actually remotely connecting to a pc in the network, and that pc gave it that ip… almost impossible without comodo asking me to give svchost.exe rights to do so, i thought… unless it’s just hiding itself, or burst connecting… as i’ve witnessed several times recently via many different wifi connections attempting to access our router… they just ping, and port scan, and rotate ip’s…

the wifi has been knocked off several times throughout the day… despite having an awesome signal… his pc uses a wifi-n adapter with 3 very large antennae… only thing that would knock this out is something working on the same frequency… or a jamming/eavesdropping device nearby and also tapped into a hard line somewhere…

my pc is disconnected and offline until we can determine that this is not a threat, OR the trojans are no longer detected… so far, i’ve determined that it’s not coming from inside the network, but is being broadcast widely in our area. i’ve done the same types of scan with other software, on several other pc’s in the neighborhood, attempting to find a source i can physically see or detect, and the same results are given. when i do hop scans or ip traces, the ip’s disappear. but i’ve narrowed it down to about a 5 mile radius and a few means of access.

my pc is the only one that has this strange svchost.exe activity… using ip’s outside the range of ip’s assigned to pc’s in our network. but so far it has not detected any malware on the pc itself. i only connect it when comodo has an update, and then scan it off-line… if nothing is found by tomorrow i’ll do an online scan hoping the cloud will detect it. but so far, nothing has stopped these attacks indefinitely
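The ARIN record quoted in the first post states what a 169.254.x.x address means: hosts self-assign it when no DHCP server answers, and routers must not forward packets carrying it, so a link-local peer is always on the same segment. The later post about 10.0.0.12 raises the related question of an address outside the LAN's expected range. The following Python script is an added example, not part of this thread and not code from Comodo or Axence, that classifies the addresses mentioned here and turns the RFC 3927 rules into concrete findings. The numeric addresses 169.254.243.56 and 10.0.0.12 come from the thread; the host names, the second link-local address, the 10.0.0.1 gateway and the expected LAN subnet 192.168.1.0/24 are constructed assumptions, since the thread never states the real LAN range.

```python
import ipaddress
from typing import Dict, List

# RFC 3927 link-local block, exactly as the ARIN record quoted in this thread lists it.
LINK_LOCAL_V4 = ipaddress.ip_network("169.254.0.0/16")

# Assumption: the router is expected to hand out leases from this subnet. The thread
# never states the real range, so this value is constructed for the example.
EXPECTED_LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample of what each LAN host reported (hypothetical host names;
# 169.254.243.56 and 10.0.0.12 are the addresses mentioned in the thread).
SAMPLE_OBSERVATIONS: List[Dict[str, str]] = [
    {"host": "desktop-a", "address": "169.254.243.56", "gateway": "169.254.243.56"},
    {"host": "laptop-b", "address": "169.254.17.201", "gateway": "169.254.243.56"},
    {"host": "desktop-a (svchost.exe)", "address": "10.0.0.12", "gateway": "10.0.0.1"},
]


def classify(addr: str) -> str:
    """Coarse category of an IP address. Link-local is tested before private
    because Python's ipaddress counts 169.254.0.0/16 as private as well."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:
        return "private"
    return "public"


def must_be_on_local_segment(addr: str) -> bool:
    """RFC 3927 (quoted in the ARIN record): a router MUST NOT forward a packet
    with a link-local source or destination, so a link-local peer was never
    routed in from outside; it sits on the same link as the observer."""
    return ipaddress.ip_address(addr) in LINK_LOCAL_V4


def assess(observations: List[Dict[str, str]],
           expected_lan: ipaddress.IPv4Network = EXPECTED_LAN) -> List[str]:
    """Turn per-host address/gateway observations into defender findings."""
    findings: List[str] = []
    hosts_without_lease: List[str] = []
    for obs in observations:
        host, addr, gw = obs["host"], obs["address"], obs["gateway"]
        kind = classify(addr)
        if kind == "link-local":
            # Auto-configured address: the host asked for a DHCP lease and got none.
            hosts_without_lease.append(host)
            findings.append(f"{host}: self-assigned {addr} (RFC 3927 auto-configuration): "
                            "no DHCP lease was obtained")
        elif ipaddress.ip_address(addr) not in expected_lan:
            findings.append(f"{host}: {addr} is {kind} but outside the expected LAN "
                            f"{expected_lan}; identify the adapter and process holding it on that host")
        if classify(gw) == "link-local":
            findings.append(f"{host}: gateway {gw} is link-local; it cannot be the router, "
                            "and nothing beyond this segment can reach or be reached through it")
    if len(hosts_without_lease) >= 2:
        findings.append("multiple hosts lack leases: the DHCP server (normally the router) is "
                        "unreachable for the whole segment; check it first, because the "
                        "link-local address is a symptom of the missing lease")
    return findings


if __name__ == "__main__":
    for line in assess(SAMPLE_OBSERVATIONS):
        print(line)
```

Run it as-is to see the findings for the constructed sample; to use it on a real LAN, replace SAMPLE_OBSERVATIONS with what each host reports (for example from `ipconfig` on Windows) and set EXPECTED_LAN to the subnet the router actually serves.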

83 results -.- on my friends pc…

:-[

attached is the results list

[attachment deleted by admin]

Did you happen to save the binaries?