is my pc being used to launch DoS attacks ?

Thread starter: tarquinlinbin

tarquinlinbin

I run XP Pro and NIS and an external router for security. I noted this
evening that my PC was attempting to make outbound TCP connect
attempts to IP 194.226.151.220. This happens to be
www.siberiatravel.ur.ru, the Siberian tourist board website. There was
a repeated attempt via what must have been 100 or more ports
consecutively in the range 4000 onwards and in each case, the
implicated program was c:\windows\system32\flash.exe

I believe that flash.exe is something to do with the Macromedia upgrade
but I'm not sure. I have run full system scans, used trojan
remover/detector, in fact everything I can think of, but nothing is
flagged up. I'm sure something is going on!!! Am I just being
paranoid?

By the way, has anyone heard of backdoor.smother?

ta

joe
 
You shouldn't be seeing any connect attempts at all. The router should be
rendering your system invisible. Go to www.dslreports.com and use their
tools to run a port scan on your machine. You want your machine to be
completely stealthy. I don't have a router but I do have DSL modem and I
use Zone Alarm Pro as my firewall. When I run the port scan test from
dslreports I always find my machine totally stealthy and undetected. Have
you sent email to the abuse department at the website these attacks are
originating from?
 
Kevin,

Are you aware of the recent vulnerabilities to Zone Alarm?

http://download.zonelabs.com/bin/free/securityAlert/8.html

I recommend keeping it, but get a DSL router as well.

Dennis A. Klaman
Electronic Security Architect

ZyberNetworks

> You shouldn't be seeing any connect attempts at all. The router should be
> rendering your system invisible. Go to www.dslreports.com and use their
> tools to run a port scan on your machine. You want your machine to be
> completely stealthy. I don't have a router but I do have DSL modem and I
> use Zone Alarm Pro as my firewall. When I run the port scan test from
> dslreports I always find my machine totally stealthy and undetected. Have
> you sent email to the abuse department at the website these attacks are
> originating from?
 
> You shouldn't be seeing any connect attempts at all. The router should be
> rendering your system invisible. Go to www.dslreports.com and use their
> tools to run a port scan on your machine. You want your machine to be
> completely stealthy. I don't have a router but I do have DSL modem and I
> use Zone Alarm Pro as my firewall. When I run the port scan test from
> dslreports I always find my machine totally stealthy and undetected. Have
> you sent email to the abuse department at the website these attacks are
> originating from?

I'm not an expert but the connect attempts appear to be outgoing from
my PC rather than incoming!! That's what worries me!
 
Uh oh! Download and run Spybot Search and Destroy, Ad-aware, Pest Patrol
and HiJack This! soon. Make sure you have your firewall configured to ask
permission for any and all outgoing or incoming traffic. You can then
decide if the traffic is legitimate and teach the firewall to allow only
the traffic you want.
 
> I'm not an expert but the connect attempts appear to be outgoing from
> my PC rather than incoming!! That's what worries me!

It could be a root kit. I can't see how else flow-controlled packets are
being sent from inside the router sock_stream unless someone has made
changes to your system.
Is the outgoing packet flow constant?
 
> It could be a root kit. I can't see how else flow-controlled packets are
> being sent from inside the router sock_stream unless someone has made
> changes to your system.
> Is the outgoing packet flow constant?

There has been something insidious going on...

A few weeks ago I found my PC trying to make outgoing connects to
www.chronopay.com, which I believe is a legitimate e-commerce company.
It was the same pattern, a continual outgoing stream of connect
attempts continually trying consecutive port numbers. My firewall was
blocking the outgoing traffic on each port so it tried another and
another etc etc. AFAIK nothing escaped. I had an email supposedly
from someone at chronopay who said that someone was attempting to use
other PCs to launch DoS attacks on them; this was in response to a
newsgroup query that I posted on the subject. The email may have been
fake, I don't know. That episode seemed to be linked to
www.truerecords.biz in some way. Because my PC was fully engaged in
using the firewall to prevent the outgoing attempts, it ran really
slow!!

The latest seems to be linked with a running process called oriani.exe
which I have since killed and deleted because I think it is malicious;
also I found flash.exe and I deleted that. These items seemed to be
linked to these outgoing attacks on www.siberia.ur.ru. Again it was
trying on many consecutively numbered ports one after another and
failing.

My greatest concern is that oriani.exe and flash.exe and other items
are linked to these episodes. My concern is, how did these items get
installed on my PC? The only link is the internet. I suspect that
there really must be a backdoor trojan buried deep in my system which
is not being flagged by any of my security products. I've run NIS full
scans, Ad-aware, trojan remover, I've run remote scans for viruses on
Symantec's website, I've run several port probes etc. Quite a while ago
NIS flagged a file infected with backdoor.smother. I felt at the time
that this was a false trigger. Again I have no clue as to how it would
get onto my system. I don't use Outlook Express because of its
insecurities; I really don't know what else I can do!! I can't decide
whether there is a real issue or whether I'm going mad!! The issue
remains: in the recent past I had noted spurious running processes which
seem linked to multiport outgoing connect attempts to

a www.truerecords.biz
b www.chronopay.com
c www.siberia.ur.ru

It seems all i can do is continue to monitor and see what happens!
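The pattern described in this thread (one program, one remote host, blocked outbound connects walking through consecutive destination ports) is easy to pick out of a firewall log mechanically. The script below is an added example, not code from anyone in the thread; it assumes a constructed, simplified log format (timestamp, action, direction, protocol, local endpoint, remote endpoint, program path), and the sample lines are made up to mirror the flash.exe sweep the original poster saw. A real NIS or ZoneAlarm export uses a different layout, so the regex would need adapting.

```python
"""Flag processes making outbound connects to many consecutive ports on one host.

The log format parsed here is a constructed, simplified one; real personal
firewall logs differ and LOG_LINE would need adjusting to match them.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed format: "<date> <time> <Blocked|Allowed> <Outbound|Inbound> TCP
#   <local ip>:<port> -> <remote ip>:<port> <program path>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>Blocked|Allowed) (?P<direction>Outbound|Inbound) TCP "
    r"(?P<lip>[\d.]+):(?P<lport>\d+) -> (?P<rip>[\d.]+):(?P<rport>\d+) "
    r"(?P<program>.+)$"
)


@dataclass
class Event:
    ts: str
    action: str
    direction: str
    remote_ip: str
    remote_port: int
    program: str


@dataclass
class Finding:
    program: str
    remote_ip: str
    distinct_ports: int
    longest_run: int
    run_start: int
    run_end: int
    blocked: int


def parse_log(text):
    """Parse log text into Events, skipping lines that do not match the format."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        events.append(Event(m["ts"], m["action"], m["direction"],
                            m["rip"], int(m["rport"]), m["program"]))
    return events


def longest_consecutive_run(ports):
    """Return (length, first_port, last_port) of the longest run of consecutive ports."""
    if not ports:
        return (0, 0, 0)
    ordered = sorted(set(ports))
    best = (1, ordered[0], ordered[0])
    run_start = ordered[0]
    for prev, cur in zip(ordered, ordered[1:]):
        if cur != prev + 1:
            run_start = cur  # gap: a new run begins here
        length = cur - run_start + 1
        if length > best[0]:
            best = (length, run_start, cur)
    return best


def find_port_sweeps(events, min_run=20):
    """Group outbound events by (program, remote host); flag consecutive-port sweeps."""
    by_target = defaultdict(list)
    for e in events:
        if e.direction == "Outbound":
            by_target[(e.program, e.remote_ip)].append(e)
    findings = []
    for (program, rip), evs in by_target.items():
        ports = [e.remote_port for e in evs]
        length, start, end = longest_consecutive_run(ports)
        if length >= min_run:
            blocked = sum(1 for e in evs if e.action == "Blocked")
            findings.append(Finding(program, rip, len(set(ports)), length, start, end, blocked))
    findings.sort(key=lambda f: -f.longest_run)
    return findings


# Constructed sample: 30 consecutive ports from flash.exe towards the IP named in
# the thread, with ordinary browser traffic and one inbound block mixed in.
_SWEEP = "\n".join(
    f"2004-04-01 21:03:{10 + i // 5:02d} Blocked Outbound TCP 192.168.1.5:{1040 + i} "
    f"-> 194.226.151.220:{4000 + i} C:\\WINDOWS\\system32\\flash.exe"
    for i in range(30)
)
SAMPLE_LOG = _SWEEP + "\n" + "\n".join([
    "2004-04-01 21:03:12 Allowed Outbound TCP 192.168.1.5:1100 -> 10.0.0.9:80 C:\\Program Files\\Internet Explorer\\iexplore.exe",
    "2004-04-01 21:03:13 Allowed Outbound TCP 192.168.1.5:1101 -> 10.0.0.9:443 C:\\Program Files\\Internet Explorer\\iexplore.exe",
    "2004-04-01 21:03:14 Blocked Inbound TCP 192.168.1.5:135 -> 203.0.113.7:2345 System",
])

if __name__ == "__main__":
    for f in find_port_sweeps(parse_log(SAMPLE_LOG)):
        print(f"{f.program}: {f.distinct_ports} ports on {f.remote_ip}, longest run "
              f"{f.longest_run} ({f.run_start}-{f.run_end}), {f.blocked} blocked")
```

Only the program-to-host pairs whose destination ports form a long unbroken run are reported, so a browser hitting 80 and 443 on the same server never trips it; the `blocked` count shows whether the firewall actually stopped the sweep or merely logged it, which is the first thing to check before assuming "nothing escaped".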
 
tarquinlinbin rambled on in microsoft.public.windowsxp.help_and_support:
> I run XP Pro and NIS and an external router for security. I noted this
> evening that my PC was attempting to make outbound TCP connect
> attempts to IP 194.226.151.220. This happens to be
> www.siberiatravel.ur.ru, the Siberian tourist board website. There was
> a repeated attempt via what must have been 100 or more ports
> consecutively in the range 4000 onwards and in each case, the
> implicated program was c:\windows\system32\flash.exe
>
> I believe that flash.exe is something to do with the Macromedia upgrade
> but I'm not sure. I have run full system scans, used trojan
> remover/detector, in fact everything I can think of, but nothing is
> flagged up. I'm sure something is going on!!! Am I just being
> paranoid?
>
> By the way, has anyone heard of backdoor.smother?
>
> ta
>
> joe

I have Macromedia Flash installed and do not have that file... I'd just
rename it to flash.ex_ and wait to see if anything stops working. Also you can
right click it, select Properties, then the Version tab; it'll give you info on
who wrote it.
 