Re: netstat finds something strange?

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 01/22/03


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Tue, 21 Jan 2003 20:32:29 -0500


Oh, OK... so that probably wasn't hacking. Netstat reports the destination
address as 0.0.0.0, and your anti-hacking hosts file resolves that as
banners.ims.nl, so that's how Netstat displays it. 0.0.0.0 in your hosts
file is a way to block your computer from connecting to that computer, by
routing the responses nowhere.

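As an added example (not part of any post in this thread), the following Python script models the display behaviour Karl describes: `netstat -a` prints the wildcard foreign address 0.0.0.0 of a LISTENING socket by reverse-resolving it, and the first hosts-file entry for 0.0.0.0 wins, so an ad-blocking hosts file makes every listener look as if it were bound to banners.ims.nl. It also performs the hosts-file check Mike suggests further down, listing every name the file maps to 0.0.0.0. The hosts contents, the netstat rows, the `SERVICE_NAMES` subset and the `display_name` rules are assumptions modelled on the output quoted in this thread, not Windows' actual resolver code.

```python
# Added example, not from the thread.  Models how `netstat -a` turns the
# wildcard foreign address 0.0.0.0 of a LISTENING socket into a name by
# reverse-looking it up in the HOSTS file, so an ad-blocking hosts file that
# maps 0.0.0.0 to banners.ims.nl makes every listener appear to be "talking
# to" banners.ims.nl.  All hosts-file and netstat rows below are constructed.

# Constructed ad-blocking hosts file.  On Windows the real file lives in
# %SystemRoot%\system32\drivers\etc\hosts; the first matching entry wins.
SAMPLE_HOSTS = """\
# block ad servers by pointing them at the unroutable address 0.0.0.0
0.0.0.0 banners.ims.nl
0.0.0.0 ads.example.net
127.0.0.1 localhost
"""

# Constructed `netstat -an` rows: (proto, local, foreign, state).
# 203.0.113.7 is a documentation (TEST-NET-3) address, not a real peer.
SAMPLE_NETSTAT_AN = [
    ("TCP", "0.0.0.0:80", "0.0.0.0:0", "LISTENING"),
    ("TCP", "0.0.0.0:445", "0.0.0.0:0", "LISTENING"),
    ("TCP", "192.168.1.5:1042", "203.0.113.7:80", "ESTABLISHED"),
]

# Tiny assumed subset of the services file, used for port-to-name display.
SERVICE_NAMES = {7: "echo", 21: "ftp", 25: "smtp", 80: "http", 445: "microsoft-ds"}


def parse_hosts(text):
    """Return (ip, [names]) pairs in file order, with comments stripped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1:]))
    return entries


def reverse_lookup(hosts, ip):
    """First hosts entry for `ip` wins, which is how the resolver behaves."""
    for addr, names in hosts:
        if addr == ip and names:
            return names[0]
    return None


def wildcard_hosts_entries(hosts):
    """Names the hosts file maps to 0.0.0.0.  A reverse lookup of the
    wildcard address returns the first of these, which is what produces a
    strange 'foreign address' on LISTENING rows."""
    return [names[0] for addr, names in hosts if addr == "0.0.0.0" and names]


def split_endpoint(endpoint):
    ip, port = endpoint.rsplit(":", 1)
    return ip, int(port)


def display_name(ip, hosts, local_hostname, side):
    """Mimic the name netstat prints for an address.  Modelled on the
    thread's output (an assumption): the local wildcard is printed as the
    machine name, while the foreign wildcard is reverse-resolved through the
    hosts file and only falls back to the machine name when nothing matches."""
    if ip == "0.0.0.0":
        if side == "local":
            return local_hostname
        return reverse_lookup(hosts, ip) or local_hostname
    return reverse_lookup(hosts, ip) or ip


def render_row(row, hosts, local_hostname):
    """Render one numeric (-an) row the way `netstat -a` would show it."""
    proto, local, foreign, state = row
    lip, lport = split_endpoint(local)
    fip, fport = split_endpoint(foreign)
    lname = display_name(lip, hosts, local_hostname, "local")
    fname = display_name(fip, hosts, local_hostname, "foreign")
    lport_s = SERVICE_NAMES.get(lport, str(lport))
    fport_s = SERVICE_NAMES.get(fport, str(fport))
    return f"{proto} {lname}:{lport_s} {fname}:{fport_s} {state}"


def real_peers(rows):
    """Rows that represent an actual remote endpoint.  A LISTENING row with a
    wildcard foreign address has no peer at all, whatever name -a prints."""
    return [r for r in rows
            if r[3] != "LISTENING" and not r[2].startswith("0.0.0.0:")]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("hosts entries for 0.0.0.0:", wildcard_hosts_entries(hosts))
    for row in SAMPLE_NETSTAT_AN:
        print(render_row(row, hosts, "shakespeare"))
    print("actual remote peers:", real_peers(SAMPLE_NETSTAT_AN))
```

Run against the constructed data, the two listeners render as `shakespeare:http banners.ims.nl:0 LISTENING` and `shakespeare:microsoft-ds banners.ims.nl:0 LISTENING`, while `real_peers` returns only the ESTABLISHED row. Rewriting the 0.0.0.0 entries to 127.0.0.1, as Bill did, makes the listeners show `shakespeare:0` again, but it only moves the oddity: any loopback connection would then be displayed under the first 127.0.0.1 name in the file, which is why Karl notes the 0.0.0.0 form is a legitimate blocking technique rather than a sign of compromise. The reliable check is `netstat -an`, which skips name resolution entirely.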
"nightspore" <nightspore@hotmail.com> wrote in message
news:v34X9.81293$H7.3710307@news2.calgary.shaw.ca...
> Hi Mike,
>
> Thanks for all the help!
>
> It did turn out to be the hosts file which I had just downloaded and
> installed last week. It had several 0.0.0.0 somesite.com's of which
> 0.0.0.0 banners.ims.nl was the first on the list. So I changed all the
> 0.0.0.0's to 127.0.0.1 and it works fine now.
>
> Bill
>
> "Mike" <mjl000@hotmail.com> wrote in message
> news:081X9.101$1J2.14@newssvr19.news.prodigy.com...
> > I dunno about heuristics or viruses or trojans (I'm no expert), but this
> > is interesting. First, you noticed that no remote IP address is
> > opened/maintained, but each common port on your system is ready and
> > listening for traffic from banners.ims.nl (in the Netherlands). Sounds
> > like a compromise of the ASP/.NET code to allow your PC to sit as a
> > waiting/sitting machine for use in the future or possibly a
> > scanning/replication tool so that all your traffic also gets redirected
> > through or replicated to the name listed. The reason they may not use an
> > IP address is simple, they expect their IP address to change or be
> > blocked on a regular basis - so they use a domain name.
> >
> > Normally, when not maintaining an active TCP connection, your PC
> > should have your PC name as the name listening on each different port.
> > So you should see something like this:
> > TCP shakespeare:http shakespeare:0 LISTENING
> > To help ensure your PC does this, make sure your HOSTS file in
> > %system%\system32\drivers\etc is set so that 127.0.0.1 is localhost and
> > first on the list. Add banners.ims.nl in the hosts file for 127.0.0.1 so
> > that anytime your system attempts to send something to banners.ims.nl,
> > it goes to 127.0.0.1.
> > Also check your NETWORKS and LMHOSTS files for modifications
> > (check the date of the file and look for anything suspicious).
> >
> > Other recommendations: Disconnect your system from the Internet
> > (temporarily), document everything and send appropriate info to
> > leaseweb.nl. (If they don't respond in a reasonable amount of time -
> > contact RIPE.NET) Then disable the .NET/ASP code (rename it if
> > necessary) don't delete it and contact Microsoft about the information.
> > Also change permissions on the file that allow system/batch/other
> > access, and only allow an Administrator account to use that file. (Why
> > allow it even if you don't see any "harm" in it? It's sitting ready to
> > do some job.)
> > Doing a simple nslookup shows that this IP address for banners.ims.nl is
> > 62.212.77.215, in the block of IP addresses for www.leaseweb.nl.
> > See/query the DB at RIPE.NET
> >
> > http://www.ripe.net/perl/whois?form_type=simple&full_query_string=&searchtext=62.212.77.215&do_search=Search
> >
> > inetnum: 62.212.77.0 - 62.212.77.255
> > netname: LEASEWEB
> > descr: LeaseWeb
> > descr: P.O. Box 616
> > descr: 3500AP, Utrecht
> > descr: Netherlands
> > descr: www.leaseweb.nl
> > remarks: Please send email to "abuse@leaseweb.nl" for complaints
> > remarks: regarding portscans, DoS attacks and spam.
> > country: NL
> > admin-c: ZCA1-RIPE
> > tech-c: LT303-RIPE
> > status: ASSIGNED PA
> > changed: ripe@leaseweb.nl 20020220
> > mnt-by: LEASEWEB-MNT
> > source: RIPE
> >
> >
> > "Karl Levinson [x y] mvp" <jamescagney90210@excite.com> wrote in message
> > news:##h$dTMwCHA.2396@TK2MSFTNGP10...
> > > Well, for starters, you should consider uninstalling the Simple TCP/IP
> > > services and SNMP from control panel, add remove programs, add remove
> > > windows components. Since these things were enabled, you probably
> > > haven't done other things you may want to do to make your computer
> > > more secure:
> > >
> > > http://securityadmin.info/faq.htm#harden
> > >
> > > This is especially important since you've got IIS web and FTP services
> > > running... this is not something you want to do with the default
> > > settings. Danger danger will robinson! Disable these if you're not
> > > using them, or harden them if you are via the above link.
> > >
> > > The free pest patrol scanner just looks for port numbers that are open
> > > without confirming whether it's really a trojan, and heuristic scans
> > > in general cause more false alarms.
> > >
> > > If you had been hacked, you would probably see signs of it here:
> > >
> > > http://securityadmin.info/faq.htm#hacked
> > >
> > > ... starting with Vision from www.foundstone.com/knowledge to see what
> > > program is listening on all those ports. Those Netstat results do
> > > look strange.
> > >
> > > You also want a firewall, if you don't already, such as www.sygate.com
> > > which is free.
> > >
> > >
> > > "nightspore" <nightspore@hotmail.com> wrote in message
> > > news:McXW9.79561$H7.3627044@news2.calgary.shaw.ca...
> > > > What the heck kind of virus or trojan does this? A heuristic scan
> > > > with pest control says I have IROffer. But the suspect file looks
> > > > harmless. It is a VB.net file generated by an Asp.net application
> > > > and really does nothing. Also a normal non-heuristic scan on my
> > > > machine with Pest Control finds nothing. Norton found nothing as
> > > > well. A Google search of IROffer and banners.ims.nl comes up with
> > > > nothing of value.
> > > >
> > > > If I do a netstat -an the foreign IP is 0.0.0.0:0 which makes me
> > > > feel a little better. But what's with the weird foreign address? Any
> > > > ideas?
> > > >
> > > > Proto Local Address Foreign Address State
> > > > TCP shakespeare:echo banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:discard banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:daytime banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:qotd banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:chargen banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:ftp banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:smtp banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:http banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:epmap banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:https banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:microsoft-ds banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:1025 banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:1026 banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:1029 banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:1030 banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:1034 banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:1801 banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:2103 banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:2105 banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:2107 banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:3372 banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:3880 banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:3882 banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:3885 banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:1032 banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:netbios-ssn banners.ims.nl:0 LISTENING
> > > > TCP shakespeare:3622 banners.ims.nl:0 LISTENING
> > > > UDP shakespeare:echo *:*
> > > > UDP shakespeare:discard *:*
> > > > UDP shakespeare:daytime *:*
> > > > UDP shakespeare:qotd *:*
> > > > UDP shakespeare:chargen *:*
> > > > UDP shakespeare:epmap *:*
> > > > UDP shakespeare:snmp *:*
> > > > UDP shakespeare:microsoft-ds *:*
> > > > UDP shakespeare:1027 *:*
> > > > UDP shakespeare:1028 *:*
> > > > UDP shakespeare:1031 *:*
> > > > UDP shakespeare:3456 *:*
> > > > UDP shakespeare:3527 *:*
> > > > UDP shakespeare:netbios-ns *:*
> > > > UDP shakespeare:netbios-dgm *:*
> > > > UDP shakespeare:isakmp *:*
> > > >
> > > >
> > > > TIA
> > > > Bill
> > > >
> > > >
> > >
> > >
> > > ---
> > > Outgoing mail is certified Virus Free.
> > > Checked by AVG anti-virus system (http://www.grisoft.com).
> > > Version: 6.0.443 / Virus Database: 248 - Release Date: 1/10/2003