
Security Forums


Bot activity IRC.Foonet.com assistance required

Networking/Security Forums Index -> Viruses // Worms
monolith
Just Arrived


Joined: 23 Oct 2008
Posts: 0
Location: OZ


Posted: Thu Oct 23, 2008 2:23 pm    Post subject: Bot activity IRC.Foonet.com assistance required

Greetings everyone

@mods please move post to relevant topic if required

I have stumbled upon some suspicious network activity on a workstation on my Home network.

Unfortunately it is undetectable by many apps:
NOD32 [with latest updates]
Spybot [latest updates]
Hijack this
sysinternals/MS rootkit detection

Here it goes:

The PC does not contain any viruses or malware, as scans have come up negative using both NOD32 and Spybot, both with the latest definitions.

With further investigation using both TCPView and procexp [both Sysinternals products], it showed the originator being a process svchost.exe, frequently randomizing the port across all available ranges, e.g. 1971, 1972, 1973, 555, 556, using the UDP protocol.

TCPView reports the remote address as gimmejizz.com:1311. When I first stumbled upon this it would stay a constant connection, but it has since changed to established/disc/syn_sent/established. This was after force-terminating the process and, along with it, the connection. It would not execute the process/connection again until 1-2 hrs later.

I have also found that as soon as the process starts, another svchost.exe intermittently executes but makes no external connection from what I can see.

As soon as all traffic is blocked by the software-based host firewall, no more external connection attempts are displayed in either TCPView or Wireshark.

Unable to determine what is calling on the svchost process at this stage.

4987 *REF* cogbox.lan gimmejizz.com TCP cplscrambler-in > rxmon [PSH, ACK] Seq=177 Ack=199 Win=65315 Len=22

0000 00 90 d0 1b dc 95 00 1d 7d 03 a9 3e 08 00 45 00 ........}..>..E.
0010 00 3e ee d4 40 00 80 06 9a d9 c0 a8 01 41 55 11 .>..@........AU.
0020 5a 11 04 3f 05 1f d2 94 e1 af 02 fb ef 96 50 18 Z..?..........P.
0030 ff 23 1d b4 00 00 50 4f 4e 47 20 3a 69 72 63 2e .#....PONG :irc.
0040 66 6f 6f 6e 65 74 2e 63 6f 6d 0d 0a foonet.com..

TCP stream:
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com
PING :irc.foonet.com
PONG :irc.foonet.com

Further investigation showed external connections to jizzshow.com with randomizing ports [ns2.everydns.net.] >>>>> fiona.everybox.com
Possibly this netblock has been hijacked.

If someone is able to assist that would be great, Would like to be able to learn more about this type of subject.

Monolith[COG]
Australia
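As an added example (not part of the original post, and not code from any of the tools named in it), the following Python decodes the frame hexdump quoted above, recovers the IPv4/TCP 5-tuple and the payload, and classifies the payload and the reassembled PING/PONG stream as IRC traffic. It uses only the standard library. The hexdump bytes and the stream text are copied from the post; the IRC command list and the "idle-only" heuristic are my own assumptions. Note that the destination address it reports is whatever the frame carries, decoded offline; it does not resolve the gimmejizz.com name the poster saw in TCPView.

```python
import struct

# Constructed input: the frame hexdump quoted in the post above, ASCII column and
# all, so the parser has to skip that column rather than treat it as data.
HEXDUMP = """\
0000 00 90 d0 1b dc 95 00 1d 7d 03 a9 3e 08 00 45 00 ........}..>..E.
0010 00 3e ee d4 40 00 80 06 9a d9 c0 a8 01 41 55 11 .>..@........AU.
0020 5a 11 04 3f 05 1f d2 94 e1 af 02 fb ef 96 50 18 Z..?..........P.
0030 ff 23 1d b4 00 00 50 4f 4e 47 20 3a 69 72 63 2e .#....PONG :irc.
0040 66 6f 6f 6e 65 74 2e 63 6f 6d 0d 0a             foonet.com..
"""

# Constructed input: the reassembled TCP stream shown in the post (ten PING/PONG pairs).
STREAM = "\n".join(["PING :irc.foonet.com", "PONG :irc.foonet.com"] * 10)

# Assumed: the IRC commands worth flagging. PING/PONG is the server keepalive that
# fills the stream while a bot sits idle waiting for instructions.
IRC_COMMANDS = {"PING", "PONG", "NICK", "USER", "JOIN", "PRIVMSG", "NOTICE", "MODE", "QUIT"}

TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))
HEX = set("0123456789abcdefABCDEF")


def parse_hexdump(text):
    """Rebuild raw bytes from a Wireshark-style hexdump (offset, up to 16 hex bytes,
    optional ASCII column). Each line's offset must equal the bytes collected so far,
    which catches a line where the ASCII column was swallowed as data."""
    out = bytearray()
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if int(parts[0], 16) != len(out):
            raise ValueError("offset %s != %d bytes read" % (parts[0], len(out)))
        for tok in parts[1:17]:
            if len(tok) != 2 or not set(tok) <= HEX:
                break  # start of the ASCII column
            out.append(int(tok, 16))
    return bytes(out)


def decode_frame(frame):
    """Decode Ethernet II / IPv4 / TCP headers; return addresses, ports, flags, window
    and payload. Anything that is not plain IPv4-over-Ethernet TCP is rejected."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 Ethernet frame")
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not IPv4/TCP")
    tcp = ip[:total_len][(ver_ihl & 0x0F) * 4:]   # honour IP total length and options
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    return {
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "win": win,
        "payload": tcp[(off_flags >> 12) * 4:],
    }


def tcp_flags(flags):
    """Names of the set TCP flags, e.g. 0x18 -> ['PSH', 'ACK']."""
    return [name for bit, name in TCP_FLAGS if flags & bit]


def parse_irc(text):
    """(COMMAND, params) for each line that looks like IRC; a leading ':prefix' is
    stripped, CRLF or LF is accepted, anything else is ignored."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            _, _, line = line.partition(" ")
        cmd, _, params = line.partition(" ")
        if cmd.upper() in IRC_COMMANDS:
            found.append((cmd.upper(), params))
    return found


def summarize_stream(text):
    """Count IRC commands, collect the server names given in PING/PONG (that is the
    C2 host to block), and flag a stream that is nothing but keepalives: an idle bot."""
    cmds = parse_irc(text)
    counts = {}
    for cmd, _ in cmds:
        counts[cmd] = counts.get(cmd, 0) + 1
    servers = sorted({p.lstrip(":") for cmd, p in cmds if cmd in ("PING", "PONG")})
    return {"counts": counts, "servers": servers,
            "idle_only": bool(cmds) and set(counts) <= {"PING", "PONG"}}


def analyze_frame(hexdump):
    """One shot: hexdump -> 5-tuple, flag names and any IRC commands in the payload."""
    f = decode_frame(parse_hexdump(hexdump))
    return {"src": f["src"], "sport": f["sport"], "dst": f["dst"], "dport": f["dport"],
            "flags": tcp_flags(f["flags"]),
            "irc": parse_irc(f["payload"].decode("latin-1"))}


if __name__ == "__main__":
    print(analyze_frame(HEXDUMP))
    print(summarize_stream(STREAM))
```

The frame decodes to the same ports, flags and window that the Wireshark summary line in the post shows (cplscrambler-in is 1087, rxmon is 1311, [PSH, ACK], Win=65315, 22 bytes of payload), and the payload is the PONG reply to the server named in the stream. A stream of nothing but PING/PONG is consistent with an idle IRC bot waiting for commands, but it is only a heuristic; the full reassembled stream (NICK/USER/JOIN and any PRIVMSG) is what confirms it. To learn which service inside the svchost.exe process owns the socket, cross-reference the PID TCPView shows with `tasklist /svc` (services hosted per PID) and `netstat -ano`.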
ryansutton
Trusted SF Member


Joined: 25 Aug 2004
Posts: 67
Location: San Francisco, California


Posted: Thu Oct 23, 2008 8:16 pm

It looks like you are infected.

Visit our anti-malware forums for help:
http://www.security-forums.com/viewforum.php?f=48
malwaresupport
Just Arrived


Joined: 01 Apr 2009
Posts: 0



Posted: Wed Apr 01, 2009 5:52 pm    Post subject: Perfect Remedy

Hello. If you are infected by a bot you should consider downloading the Norton Internet Security 2009 trial and running a full scan. This, in my expert opinion, should remove ALL bots and other infections from your computer.

email me if you require assistance: malwaresupport@hotmail.com
ryansutton
Trusted SF Member


Joined: 25 Aug 2004
Posts: 67
Location: San Francisco, California


Posted: Wed Apr 01, 2009 6:56 pm

Have they improved Norton at all with their 2009 version? I have tried most versions pre-2009 and they were all pigs when it came to eating resources. I also found them to be buggy, i.e. certain things would not work properly even if I disabled the feature in Norton; they would not work properly until I uninstalled Norton.

I've had nothing but bad experiences with Norton.
All times are GMT + 2 Hours