Re: netstat finds something strange?

From: nightspore (nightspore@hotmail.com)
Date: 01/21/03


From: "nightspore" <nightspore@hotmail.com>
Date: Tue, 21 Jan 2003 04:32:27 GMT


Hi Mike,

Thanks for all the help!

It did turn out to be the hosts file which I had just downloaded and
installed last week. It had several 0.0.0.0 somesite.com's of which 0.0.0.0
banners.ims.nl was the first on the list. So I changed all the 0.0.0.0's to
127.0.0.1 and it works fine now.

Bill

"Mike" <mjl000@hotmail.com> wrote in message
news:081X9.101$1J2.14@newssvr19.news.prodigy.com...
> I dunno about heuristics or viruses or trojans (I'm no expert), but this is
> interesting. First, you noticed that no remote IP address is
> opened/maintained, but each common port on your system is ready and listening
> for traffic from banners.ims.nl (in the Netherlands). Sounds like a
> compromise of the ASP/.NET code to allow your PC to sit as a waiting/sitting
> machine for use in the future or possibly a scanning/replication tool so that
> all your traffic also gets redirected through or replicated to the name
> listed. The reason they may not use an IP address is simple, they expect
> their IP address to change or be blocked on a regular basis - so they use a
> domain name.
>
> Normally, when not maintaining an active TCP connection, your PC
> should have your PC name as the name listening on each different port. So you
> should see something like this:
> TCP shakespeare:http shakespeare:0 LISTENING
> To help ensure your PC does this, make sure your HOSTS file in
> %system%\system32\drivers\etc is set so that 127.0.0.1 is localhost and first
> on the list. Add banners.ims.nl in the hosts file for 127.0.0.1 so that anytime your
> system attempts to send something to banners.ims.nl, it goes to 127.0.0.1.
> Also check your NETWORKS and LMHOSTS files for modifications
> (check the date of the file and look for anything suspicious).
>
> Other recommendations: Disconnect your system from the Internet (temporarily),
> document everything and send appropriate info to leaseweb.nl. (If they don't
> respond in a reasonable amount of time - contact RIPE.NET) Then disable the
> .NET/ASP code (rename it if necessary) don't delete it and contact Microsoft
> about the information. Also change permissions on the file that allow
> system/batch/other access, and only allow an Administrator account to use that
> file. (Why allow it even if you don't see any "harm" in it? It's sitting
> ready to do some job.)
> Doing a simple nslookup shows that this IP address for banners.ims.nl is
> 62.212.77.215, in the block of IP addresses for www.leaseweb.nl.
> See/query the DB at RIPE.NET
> http://www.ripe.net/perl/whois?form_type=simple&full_query_string=&searchtext=62.212.77.215&do_search=Search
>
> inetnum: 62.212.77.0 - 62.212.77.255
> netname: LEASEWEB
> descr: LeaseWeb
> descr: P.O. Box 616
> descr: 3500AP, Utrecht
> descr: Netherlands
> descr: www.leaseweb.nl
> remarks: Please send email to "abuse@leaseweb.nl" for complaints
> remarks: regarding portscans, DoS attacks and spam.
> country: NL
> admin-c: ZCA1-RIPE
> tech-c: LT303-RIPE
> status: ASSIGNED PA
> changed: ripe@leaseweb.nl 20020220
> mnt-by: LEASEWEB-MNT
> source: RIPE
>
>
> "Karl Levinson [x y] mvp" <jamescagney90210@excite.com> wrote in message
> news:##h$dTMwCHA.2396@TK2MSFTNGP10...
> > Well, for starters, you should consider uninstalling the Simple TCP/IP
> > services and SNMP from control panel, add remove programs, add remove
> > windows components. Since these things were enabled, you probably haven't
> > done other things you may want to do to make your computer more secure:
> >
> > http://securityadmin.info/faq.htm#harden
> >
> > This is especially important since you've got IIS web and FTP services
> > running... this is not something you want to do with the default settings.
> > Danger danger will robinson! Disable these if you're not using them, or
> > harden them if you are via the above link.
> >
> > The free pest patrol scanner just looks for port numbers that are open
> > without confirming whether it's really a trojan, and heuristic scans in
> > general cause more false alarms.
> >
> > If you had been hacked, you would probably see signs of it here:
> >
> > http://securityadmin.info/faq.htm#hacked
> >
> > ... starting with Vision from www.foundstone.com/knowledge to see what
> > program is listening on all those ports. Those Netstat results do look
> > strange.
> >
> > You also want a firewall, if you don't already, such as www.sygate.com which
> > is free.
> >
> >
> > "nightspore" <nightspore@hotmail.com> wrote in message
> > news:McXW9.79561$H7.3627044@news2.calgary.shaw.ca...
> > > What the heck kind of virus or trojan does this? A heuristic scan with pest
> > > control says I have IROffer. But the suspect file looks harmless. It is a
> > > VB.net file generated by an Asp.net application and really does nothing. Also
> > > a normal non-heuristic scan on my machine with Pest Control finds nothing.
> > > Norton found nothing as well. A Google search of IROffer and banners.ims.nl
> > > comes up with nothing of value.
> > >
> > > If I do a netstat -an the foreign IP is 0.0.0.0:0 which makes me feel a
> > > little better. But what's with the weird foreign address? Any ideas?
> > >
> > > Proto Local Address Foreign Address State
> > > TCP shakespeare:echo banners.ims.nl:0 LISTENING
> > > TCP shakespeare:discard banners.ims.nl:0 LISTENING
> > > TCP shakespeare:daytime banners.ims.nl:0 LISTENING
> > > TCP shakespeare:qotd banners.ims.nl:0 LISTENING
> > > TCP shakespeare:chargen banners.ims.nl:0 LISTENING
> > > TCP shakespeare:ftp banners.ims.nl:0 LISTENING
> > > TCP shakespeare:smtp banners.ims.nl:0 LISTENING
> > > TCP shakespeare:http banners.ims.nl:0 LISTENING
> > > TCP shakespeare:epmap banners.ims.nl:0 LISTENING
> > > TCP shakespeare:https banners.ims.nl:0 LISTENING
> > > TCP shakespeare:microsoft-ds banners.ims.nl:0 LISTENING
> > > TCP shakespeare:1025 banners.ims.nl:0 LISTENING
> > > TCP shakespeare:1026 banners.ims.nl:0 LISTENING
> > > TCP shakespeare:1029 banners.ims.nl:0 LISTENING
> > > TCP shakespeare:1030 banners.ims.nl:0 LISTENING
> > > TCP shakespeare:1034 banners.ims.nl:0 LISTENING
> > > TCP shakespeare:1801 banners.ims.nl:0 LISTENING
> > > TCP shakespeare:2103 banners.ims.nl:0 LISTENING
> > > TCP shakespeare:2105 banners.ims.nl:0 LISTENING
> > > TCP shakespeare:2107 banners.ims.nl:0 LISTENING
> > > TCP shakespeare:3372 banners.ims.nl:0 LISTENING
> > > TCP shakespeare:3880 banners.ims.nl:0 LISTENING
> > > TCP shakespeare:3882 banners.ims.nl:0 LISTENING
> > > TCP shakespeare:3885 banners.ims.nl:0 LISTENING
> > > TCP shakespeare:1032 banners.ims.nl:0 LISTENING
> > > TCP shakespeare:netbios-ssn banners.ims.nl:0 LISTENING
> > > TCP shakespeare:3622 banners.ims.nl:0 LISTENING
> > > UDP shakespeare:echo *:*
> > > UDP shakespeare:discard *:*
> > > UDP shakespeare:daytime *:*
> > > UDP shakespeare:qotd *:*
> > > UDP shakespeare:chargen *:*
> > > UDP shakespeare:epmap *:*
> > > UDP shakespeare:snmp *:*
> > > UDP shakespeare:microsoft-ds *:*
> > > UDP shakespeare:1027 *:*
> > > UDP shakespeare:1028 *:*
> > > UDP shakespeare:1031 *:*
> > > UDP shakespeare:3456 *:*
> > > UDP shakespeare:3527 *:*
> > > UDP shakespeare:netbios-ns *:*
> > > UDP shakespeare:netbios-dgm *:*
> > > UDP shakespeare:isakmp *:*
> > >
> > >
> > > TIA
> > > Bill
> > >
> > >
> >
> >
> >
> >
>
>
>
>
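The root cause Bill found above is worth seeing mechanically: `netstat -a` (without `-n`) reverse-resolves every address, and on Windows the hosts file is consulted first, so a listening socket's foreign address `0.0.0.0:0` is displayed under the first name mapped to `0.0.0.0`. The script below is an added illustration, not code from the thread; the hosts file and netstat lines are constructed samples, and it models the lookup rule and the 0.0.0.0 -> 127.0.0.1 fix Bill applied.

```python
import re

# Constructed hosts file, modelled on the ad-blocking list described in the
# thread: several sites mapped to 0.0.0.0, with banners.ims.nl listed first.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         banners.ims.nl
0.0.0.0         ads.example.invalid      # constructed entry
0.0.0.0         tracker.example.invalid  # constructed entry
"""

# Constructed `netstat -an` (numeric) lines; the first two are listening
# sockets with the 0.0.0.0:0 foreign address the poster saw.
SAMPLE_NETSTAT = """\
TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    192.0.2.10:1039        192.0.2.20:80          ESTABLISHED
"""

def parse_hosts(text):
    """Return [(ip, [names...]), ...] from hosts-file text, ignoring comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.append((ip, names))
    return entries

def reverse_map(entries):
    """Hosts-file reverse lookup: the FIRST name listed for an address wins."""
    rev = {}
    for ip, names in entries:
        rev.setdefault(ip, names[0])
    return rev

def render_like_netstat_a(netstat_text, rev):
    """Show how `netstat -a` (no -n) would print the foreign column after lookup."""
    rows = []
    for line in netstat_text.splitlines():
        parts = line.split()                      # UDP lines have no state column
        proto, local, foreign = parts[:3]
        state = parts[3] if len(parts) > 3 else ""
        fip, fport = foreign.rsplit(":", 1)
        rows.append((proto, local, f"{rev.get(fip, fip)}:{fport}", state))
    return rows

def zero_address_names(entries):
    """Names that will masquerade as the foreign host on every LISTENING socket."""
    return [n for ip, names in entries if ip == "0.0.0.0" for n in names]

def fix_hosts(text):
    """Rewrite 0.0.0.0 entries to 127.0.0.1, the change Bill made to clear it up."""
    return re.sub(r"^0\.0\.0\.0(?=\s)", "127.0.0.1", text, flags=re.M)
```

Running `render_like_netstat_a` over the fixed file shows the listening sockets back under `0.0.0.0:0`, because no hosts entry claims that address any more.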