vibidoo (Guru)
Joined: 27 Nov 2002, Posts: 409
Posted: Wed Jan 29, 2003 5:28 pm, Post subject: I detected a trojan (HVLRat5)
After installing iptables with some better security than before, I detected a trojan on my Windows system!!

Code:
Jan 27 17:51:15 sosso31 kernel: Packet NEW but not syn :IN=eth0 OUT=ppp0 SRC=192.168.0.60 DST=64.157.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=3506 DF PROTO=TCP SPT=2283 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0

I have a lot of ACK + FIN packets to 64.157.10.10.
192.168.0.60 is my Windows system.
The Windows machine is behind an iptables firewall I installed 8 days ago.
I am a newbie in security, so how do I remove the trojan without installing an antivirus? I wish to learn by myself.
And how did a trojan infect my system?
From an email
or from external intrusion??
Thanks
Chris W (l33t)
Joined: 25 Jun 2002, Posts: 972, Location: Brisbane, Australia
Posted: Wed Jan 29, 2003 10:11 pm
Are you sure that's a trojan... it's accessing a porn site web page.
_________________
Cheers,
Chris W
"Common sense: The collection of prejudices acquired by age 18." -- Einstein
digitalnick (Apprentice)
Joined: 30 Jun 2002, Posts: 243, Location: Lawrence KS USA
Posted: Wed Jan 29, 2003 11:27 pm
Quote:
Jan 27 17:51:15 sosso31 kernel: Packet NEW but not syn :IN=eth0 OUT=ppp0 SRC=192.168.0.60 DST=64.157.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=3506 DF PROTO=TCP SPT=2283 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0

DPT=80, so destination port = 80; that's a web page.
Protocol is TCP.
I'm at work so I can't verify if it's a pr0n site or not, but it really isn't looking like a trojan. How did you determine it was HVLRat5?
Matje (l33t)
Joined: 29 Oct 2002, Posts: 619, Location: Hasselt, Belgium
Posted: Thu Jan 30, 2003 1:08 am
I can imagine the fun conversations this'll bring up at dinner already.
_________________
Life is like a box of chocolates... Before you know it, it's empty...
vibidoo (Guru)
Joined: 27 Nov 2002, Posts: 409
Posted: Thu Jan 30, 2003 12:06 pm
There were 5 attempts from my Windows system to this IP. I just investigated the source port on a port list and on arachnids.
That's why I concluded it was a trojan.
Sorry for the confusion.
I will ask my grandmother to stop going to porn sites.
Chris W (l33t)
Joined: 25 Jun 2002, Posts: 972, Location: Brisbane, Australia
Posted: Thu Jan 30, 2003 11:18 pm
The lists of ports commonly used by trojans are mainly listening ports that the infected machine will have open, waiting for incoming connections. You could run "netstat -an" in a Command Prompt window (assuming you have one) to see if there are listening ports on your trojan list.
For outbound traffic the source port is essentially a random number with no particular meaning. The important thing is where it is trying to talk to. Your machine is attempting to connect to port 80 (the WWW server port) at address 64.157.10.10.
Given that it is a Windows machine most likely using IE, I'd look under Tools->Options at the Settings... for Temporary Internet Files. Select View Objects, and look for suspicious bits of downloaded and installed code. You can right-click on each and view the properties to try and work out what each is. Warez and porn sites are notorious for installing code, and unwary users usually just press OK when prompted to allow install.
_________________
Cheers,
Chris W
"Common sense: The collection of prejudices acquired by age 18." -- Einstein
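Chris W's reading of the log line (the source port of outbound traffic is meaningless; look at DST, DPT and the TCP flags), as an added Python example that is not code from this thread: it parses the iptables LOG line quoted above into its fields and explains why it reads as ordinary web traffic rather than a trojan. The SERVICES table and the `explain` classification are my own assumptions.

```python
import re
from ipaddress import ip_address

# The iptables kernel log line quoted in the thread above.
SAMPLE = ("Jan 27 17:51:15 sosso31 kernel: Packet NEW but not syn :IN=eth0 OUT=ppp0 "
          "SRC=192.168.0.60 DST=64.157.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=3506 DF "
          "PROTO=TCP SPT=2283 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0")

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# Assumed table of well-known server ports, enough for this thread's question.
SERVICES = {21: "ftp", 22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}
INT_FIELDS = ("LEN", "TTL", "ID", "SPT", "DPT", "WINDOW")

def parse_iptables_log(line):
    """Split a netfilter LOG line into the rule's log prefix, key=value fields and bare flag tokens."""
    m = re.match(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) kernel: (?P<prefix>.*?)\s*(?P<rest>IN=.*)$", line)
    if not m:
        raise ValueError("not an iptables LOG line")
    rec = {"ts": m["ts"], "host": m["host"], "prefix": m["prefix"].rstrip(" :"), "flags": set()}
    for tok in m["rest"].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = int(val) if key in INT_FIELDS and val.isdigit() else val
        else:
            rec["flags"].add(tok)  # bare tokens: DF plus TCP flags such as ACK FIN
    return rec

def explain(rec):
    """Who is talking to whom, on which service, and what the flags say about connection state."""
    src, dst = ip_address(rec["SRC"]), ip_address(rec["DST"])
    out = {"direction": "outbound from LAN" if src.is_private and not dst.is_private else "other"}
    out["service"] = SERVICES.get(rec.get("DPT"), f"port {rec.get('DPT')}")
    # Source ports >= 1024 are chosen by the client's TCP stack; they say nothing about trojans.
    out["spt_ephemeral"] = rec.get("SPT", 0) >= 1024
    tcp = rec["flags"] & TCP_FLAGS
    if "SYN" in tcp:
        out["state"] = "new connection attempt"
    elif tcp & {"ACK", "FIN", "RST"}:
        # Logged as NEW only because conntrack has no entry for the session (it timed out or the
        # state table was reset), so the firewall sees the tail end of an established connection.
        out["state"] = "tail of an established session unknown to conntrack"
    else:
        out["state"] = "unclassified"
    return out

if __name__ == "__main__":
    for k, v in explain(parse_iptables_log(SAMPLE)).items():
        print(f"{k}: {v}")
```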
vibidoo (Guru)
Joined: 27 Nov 2002, Posts: 409
Posted: Fri Jan 31, 2003 11:32 am
OK, thanks for this answer, Chris.
I have some TCP ports that are in listening state, but not 2283!!
Thanks again