Abarbarian
Acruncher
- Joined
- Sep 30, 2005
- Messages
- 11,023
- Reaction score
- 1,221
A Rat at E-Buyer ???
- Thread starter Abarbarian
- Start date
Ian
Administrator
- Joined
- Feb 23, 2002
- Messages
- 19,873
- Reaction score
- 1,499
It's probably a false alarm if you've been on their site, as something hosting on the image subdomain could have triggered it. I wouldn't worry about it 
I've seen things like this in my firewall logs quite a few times when I used Zone Alarm, not checked my Kaspersky logs for this though.
Which firewall app are you using out of curiosity?
I've seen things like this in my firewall logs quite a few times when I used Zone Alarm, not checked my Kaspersky logs for this though.
Which firewall app are you using out of curiosity?
Abarbarian
Acruncher
- Joined
- Sep 30, 2005
- Messages
- 11,023
- Reaction score
- 1,221
I'm using Mc Afee . I find it quite worrying that a company I am doing business with is trying to access my pc with this kind of software.
http://en.wikipedia.org/wiki/Remote_administration_tool
http://en.wikipedia.org/wiki/Remote_administration_tool
Abarbarian
Acruncher
- Joined
- Sep 30, 2005
- Messages
- 11,023
- Reaction score
- 1,221
One RAT may be a mistake.
Two RATS may be incompetence.
Three or more RATS and I start to worry.
These are just a few of the many attempts by a pc at e-buyer to access my computer. What I want to know is what is the function of these TROJANS I see in my logs.
I am going to send an e-mail to E-Buyer asking whats going on. I shall also be asking some questions about this from other folk.
I will report later.
Two RATS may be incompetence.
Three or more RATS and I start to worry.
These are just a few of the many attempts by a pc at e-buyer to access my computer. What I want to know is what is the function of these TROJANS I see in my logs.
I am going to send an e-mail to E-Buyer asking whats going on. I shall also be asking some questions about this from other folk.
I will report later.
Attachments
Ian
Administrator
- Joined
- Feb 23, 2002
- Messages
- 19,873
- Reaction score
- 1,499
It could be that some sort of port scanner is running on that IP, which would probe your PC for vulnerabilities. Certainly worth e-mailing over now that it's happened more than once.
You don't need to worry that it's doing any harm though (although I know that's not the point), as your firewall has caught it and it isn't someone attempting to place/activate a trojan - but probe your PC for vulnerabilities.
You don't need to worry that it's doing any harm though (although I know that's not the point), as your firewall has caught it and it isn't someone attempting to place/activate a trojan - but probe your PC for vulnerabilities.
Abarbarian
Acruncher
- Joined
- Sep 30, 2005
- Messages
- 11,023
- Reaction score
- 1,221
Which raises the question 'Why would anyone want to probe my pc for vunerabilities'. How does that fit into normal business practice.
I have been on the E-Buyer site while I have this particular address blocked and the site loads slower than normal.
I'm still suspicious though.
I have been on the E-Buyer site while I have this particular address blocked and the site loads slower than normal.
I'm still suspicious though.
Ian
Administrator
- Joined
- Feb 23, 2002
- Messages
- 19,873
- Reaction score
- 1,499
Abarbarian said:
I agree with you
, there isn't any reason why they should be doing that - I'm just wondering if all as if it seems. I don't know if it's possible for someone to spoof the address, so it just looks like it's coming from ebuyer.
Abarbarian
Acruncher
- Joined
- Sep 30, 2005
- Messages
- 11,023
- Reaction score
- 1,221
Sent an e-mail to E-Buyer this morning. I wonder how long it will take for them to get in touch.
Abarbarian
Acruncher
- Joined
- Sep 30, 2005
- Messages
- 11,023
- Reaction score
- 1,221
Well I got a reply from E-Buyer. It took them two days which I suppose is not to bad. However it was not very encourageing. Here is what it said.
As regards to the other issue you emailed me about I passed this over to our IT team who have advised information from the internet like MSN and other programs send information through 'ports' to your computer, these are like gates to the internet for your computer. The Norton program watches these gates to make sure nothing is sneaking in like a virus or Trojan (type of virus). A lot of normal legitimate things pass through these gates and Norton will flag them up as 'potential threats' when its harmless which is why the messages are popping up, you just need to check its something your familiar with and allow it.
A terrible reply. So I wrote back asking the IT department to contact me directly. Lets see what or if they reply.
Hi Niki , many thanks for the quick response and for the refund .
In the matter of the Trojans. I am fully aware of the workings of a
firewall and your reply baffled me. I use a McAfee firewall not a
Norton firewall. I realise that this is not your field and ask that
your IT department contact me with a expanation as to why a computer
from your company is trying to access my computer with at least seven
different trojan programs. Please see the attached screen shot.
As regards to the other issue you emailed me about I passed this over to our IT team who have advised information from the internet like MSN and other programs send information through 'ports' to your computer, these are like gates to the internet for your computer. The Norton program watches these gates to make sure nothing is sneaking in like a virus or Trojan (type of virus). A lot of normal legitimate things pass through these gates and Norton will flag them up as 'potential threats' when its harmless which is why the messages are popping up, you just need to check its something your familiar with and allow it.
A terrible reply. So I wrote back asking the IT department to contact me directly. Lets see what or if they reply.
Hi Niki , many thanks for the quick response and for the refund .
In the matter of the Trojans. I am fully aware of the workings of a
firewall and your reply baffled me. I use a McAfee firewall not a
Norton firewall. I realise that this is not your field and ask that
your IT department contact me with a expanation as to why a computer
from your company is trying to access my computer with at least seven
different trojan programs. Please see the attached screen shot.
Abarbarian
Acruncher
- Joined
- Sep 30, 2005
- Messages
- 11,023
- Reaction score
- 1,221
A bit remiss of me to leave this so long. E-Buyer IT Support got back to me very quickly and here is what they said.
Dear Sir,
Thank you for your email, which has been passed to me to attempt to answer.
I appreciate your concerns regarding the seemingly inexplicable firewall entries on your computer which relate to the Ebuer.com image server (image.ebuyer.com)
First of all, please let me reassure you that these firewall log entries are not indicative of any malicious activity on the part of Ebuyer.com nor any other entity masquerading as ourselves.
The entries in your firewall log are simply records of "port probes", which are a normal activity linked with browsing the internet (and, in fact, with an internet connection itself).
Trojan horses and other malicious software target ports which are commonly open, as this tends to give them a greater chance of accessing your computer. For example, the Trojan Horse "Shiva Burka" is designed to target TCP port 1600 for it's attacks.
Your firewall is recognising a port probe on TCP port 1600, and as it is currently set to a very high level of security it is warning you of the possibility that this is a malicious attack by the Trojan Horse which most commonly targets this particular port.
If anything, this is simply confirmation that your firewall is performing it's function correctly (if a little over zealously) and should not be any cause for alarm.
With regard to the graphical representation of a trace route which you attached to your email, this shows the standard pattern of communication between your computer and our servers when you access our website and image server. The information request is sent from your computer to your ISP (Internet Service Providers) DNS server in Westminster which identifies the server responsible for providing the content requested. The request is then forwarded to our server in Sheffield, which responds with the information - via your ISP's servers.
I hope that this helps to alleviate your concerns, and that as a valued customer you will remain comfortable shopping securely online with Ebuyer.com
Marc Faulkner
Technical Support
Dear Sir,
Thank you for your email, which has been passed to me to attempt to answer.
I appreciate your concerns regarding the seemingly inexplicable firewall entries on your computer which relate to the Ebuer.com image server (image.ebuyer.com)
First of all, please let me reassure you that these firewall log entries are not indicative of any malicious activity on the part of Ebuyer.com nor any other entity masquerading as ourselves.
The entries in your firewall log are simply records of "port probes", which are a normal activity linked with browsing the internet (and, in fact, with an internet connection itself).
Trojan horses and other malicious software target ports which are commonly open, as this tends to give them a greater chance of accessing your computer. For example, the Trojan Horse "Shiva Burka" is designed to target TCP port 1600 for it's attacks.
Your firewall is recognising a port probe on TCP port 1600, and as it is currently set to a very high level of security it is warning you of the possibility that this is a malicious attack by the Trojan Horse which most commonly targets this particular port.
If anything, this is simply confirmation that your firewall is performing it's function correctly (if a little over zealously) and should not be any cause for alarm.
With regard to the graphical representation of a trace route which you attached to your email, this shows the standard pattern of communication between your computer and our servers when you access our website and image server. The information request is sent from your computer to your ISP (Internet Service Providers) DNS server in Westminster which identifies the server responsible for providing the content requested. The request is then forwarded to our server in Sheffield, which responds with the information - via your ISP's servers.
I hope that this helps to alleviate your concerns, and that as a valued customer you will remain comfortable shopping securely online with Ebuyer.com
Marc Faulkner
Technical Support
Abarbarian
Acruncher
- Joined
- Sep 30, 2005
- Messages
- 11,023
- Reaction score
- 1,221
Still unsure as to what was going on I wrote back.
Hi Marc , thanks for the information. I do understand the reasons for
having a firewall and this is why mine is set on high.
What I do not understand is why these trojan attacks are originating
from your server.
Today I have accessed four sites with a view to buying pc components.
Your site is the only one that shows trojan attacks.
Trojans have to originate from someone and from somewhere.
Are you saying that these tojans do not originate from your server and
your company?
If they do originate form your company and server, what is their function ?
Thanks
Hi Marc , thanks for the information. I do understand the reasons for
having a firewall and this is why mine is set on high.
What I do not understand is why these trojan attacks are originating
from your server.
Today I have accessed four sites with a view to buying pc components.
Your site is the only one that shows trojan attacks.
Trojans have to originate from someone and from somewhere.
Are you saying that these tojans do not originate from your server and
your company?
If they do originate form your company and server, what is their function ?
Thanks
Abarbarian
Acruncher
- Joined
- Sep 30, 2005
- Messages
- 11,023
- Reaction score
- 1,221
I got a reply the same day.
Dear Sir,
What your firewall log is recording is not a Trojan attack, it's simply a
port probe (a harmless part of day to day web browsing) and it just so
happens that the ports being probed are often exploited by Trojan Horses and
other malicious software attacks.
The port probes do originate from our image server, in the same way that
your firewall logs show port probes on other ports originating from other
servers - this is simply the way that the underlying TCP technology works to
make the internet a reality.
As an example, the final screenshot attached to your original email also
exhibits port probing originating from the archive.org and Wanadoo servers -
which simply means that you were likely accessing a web page or other online
resource which is made available using these servers. Your firewall is still
recording this activity, however it does not flag it as a threat as the
ports being probed are not associated with Trojan Horse or Malware activity.
If, for example, the Archive.org server had probed port 1600, It would flag
this up in the same manner.
I assure you that there is no malicious activity associated with these log
entries, they are simply indicative of an active internet connection.
Kind Regards,
Marc Faulkner
Technical Support
Tel: 0845 121 0523 (Ext 5597)
Fax: 0871 528 5001
Email: (e-mail address removed)
MSN: (e-mail address removed)
Address: Ebuyer (UK) Limited, Howden, East Yorkshire, DN14 7UW
Dear Sir,
What your firewall log is recording is not a Trojan attack, it's simply a
port probe (a harmless part of day to day web browsing) and it just so
happens that the ports being probed are often exploited by Trojan Horses and
other malicious software attacks.
The port probes do originate from our image server, in the same way that
your firewall logs show port probes on other ports originating from other
servers - this is simply the way that the underlying TCP technology works to
make the internet a reality.
As an example, the final screenshot attached to your original email also
exhibits port probing originating from the archive.org and Wanadoo servers -
which simply means that you were likely accessing a web page or other online
resource which is made available using these servers. Your firewall is still
recording this activity, however it does not flag it as a threat as the
ports being probed are not associated with Trojan Horse or Malware activity.
If, for example, the Archive.org server had probed port 1600, It would flag
this up in the same manner.
I assure you that there is no malicious activity associated with these log
entries, they are simply indicative of an active internet connection.
Kind Regards,
Marc Faulkner
Technical Support
Tel: 0845 121 0523 (Ext 5597)
Fax: 0871 528 5001
Email: (e-mail address removed)
MSN: (e-mail address removed)
Address: Ebuyer (UK) Limited, Howden, East Yorkshire, DN14 7UW
Abarbarian
Acruncher
- Joined
- Sep 30, 2005
- Messages
- 11,023
- Reaction score
- 1,221
I wrote back thanking the support dept for their quick and clear replies to my query.
I think that they did very well in answering my question and am quite impressed that they took the time and trouble to reply.
I think that they did very well in answering my question and am quite impressed that they took the time and trouble to reply.