Author Topic: Curious what microsoft has to say about this...  (Read 970 times)

Lenvda

  • Newbie
  • *
  • Posts: 1
  • Kudos: 0
Curious what microsoft has to say about this...
« on: 23 August 2003, 19:21 »
I use a utility to log all traffic on my win2k box, coz I know what a mess M$ their OS' are.
But I'm a sucker for games, and how sad it may be most games only available on winblows platform!! :(

Back to my logs...

[23/07/2003 13:29:29] ** A Hacker could be attempting to gain access using Rat on port 2283 (remote port: 443).
[23/07/2003 13:29:29] ** Incoming TCP connection from IP Address: 65.54.230.248
[23/07/2003 13:29:29] ** Connection established on port 2284 (remote port: 443).

I did a whois... and came to conclusion its a M$ IP address!!  :mad:  
I wrote a email to [email protected] , asking what happened once connection was established.
Mailed it as soon as I noticed it and waiting for a reply.

Because I'm not sure if I'm gonna get a reply, is there anybody here who might know what this traffic is all about?

Thanx in advance!!

Refalm

  • Administrator
  • Member
  • ***
  • Posts: 5,183
  • Kudos: 704
  • Sjembek!
    • RADIOKNOP
Curious what microsoft has to say about this...
« Reply #1 on: 23 August 2003, 21:33 »
For one thing, you can't trust Microsoft when it comes to privacy. They have every legal right to spy on you, because you agreed to the EULA when you installed Windows 2000.

One more thing: this thread belongs in the "Microsoft Operating Systems" section, I'm moving it there.

sime

  • Member
  • **
  • Posts: 242
  • Kudos: 4
    • http://www.azuro.com
Curious what microsoft has to say about this...
« Reply #2 on: 23 August 2003, 22:08 »
Hi Lenvda,

Port 443 is secure HTTP (SSL) aka https

Port 2283 is ...

2283    tcp     HVLRat5                 [trojan] HVL Rat5
2283    tcp     HvlRAT                  [trojan] Hvl RAT
2283    tcp     lnvstatus               LNVSTATUS
2283    udp     lnvstatus               LNVSTATUS

Details of the RAT 5 Trojan can be found here http://www.xploiter.com/security/rat.html

An nslookup of 65.54.230.248 returns the domain nexus.pasport.com

>65.54.230.248
Server:         192.168.1.2
Address:        192.168.1.2#53

Non-authoritative answer:
248.230.54.65.in-addr.arpa      name = nexus.passport.com.

Authoritative answers can be found from:
230.54.65.in-addr.arpa  nameserver = ns2.hotmail.com.
230.54.65.in-addr.arpa  nameserver = ns3.hotmail.com.
230.54.65.in-addr.arpa  nameserver = ns4.hotmail.com.
230.54.65.in-addr.arpa  nameserver = ns1.hotmail.com.
ns1.hotmail.com internet address = 216.200.206.140
ns2.hotmail.com internet address = 216.200.206.139
ns3.hotmail.com internet address = 209.185.130.68
ns4.hotmail.com internet address = 64.4.29.24

A whois of the domain name returns no results

[sime@ns sime]$ whois nexus.passport.com
[whois.crsnic.net]

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

No match for "NEXUS.PASSPORT.COM".

From what I have gleaned here I would suggest you block port 2283 with your firewall or if you are running an ADSL or CABLE Router / Modem set up an ACL or equivalent.

In general terms it would appear that a trojan called RAT was having a go at your box. Run a virus scanner and make sure the above port is shut on your firewall. Make sure you have a read of the site above and have a look see if you can find any other info about the trojan else where on the net.

Hope this helps   :D

Later

Sime
==================================================
If Linux doesn't have the solution, you have the wrong problem.
   
         Sime@04
==================================================

Stryker

  • VIP
  • Member
  • ***
  • Posts: 1,258
  • Kudos: 41
Curious what microsoft has to say about this...
« Reply #3 on: 24 August 2003, 04:03 »
you were probably visiting a passport site. when you visit a site, you get a port number to connect to, and then it randomly assigns you a port number it sends to. you got port 443 because the page you visited was an ssl site, and port 2283 just happens to be the port it chose.

but that's just my idea.

sime

  • Member
  • **
  • Posts: 242
  • Kudos: 4
    • http://www.azuro.com
Curious what microsoft has to say about this...
« Reply #4 on: 24 August 2003, 11:56 »
Hum I might be missing something here,

The 443 port was the port on the REMOTE machine the port 4223 was the port connected to on Lenvda's machine by the REMOTE machine. The connection was initiated by the REMOTE machine NOT by Lenvda's machine.

The $MS passport is potentially a much better idea of what may be happening than the RAT Trojan though (although it could be either). I would have thought that for passport, Lenvda would have to initiate the connection (and know he was doing it) but then we know that $MS are a bunch of toads who would have no qualms about initiating a connection without asking.

This link has some interesting information regarding $MS passport. Not surprisingly it's been hacked!

Check here for info http://alive.znep.com/~marcs/passport/index.html

Have fun

Sime
==================================================
If Linux doesn't have the solution, you have the wrong problem.
   
         Sime@04
==================================================

Stryker

  • VIP
  • Member
  • ***
  • Posts: 1,258
  • Kudos: 41
Curious what microsoft has to say about this...
« Reply #5 on: 24 August 2003, 12:04 »
he only posted once, i figured he was just a windows user who had a question. kinda paranoid, the local port is chosen by your computer randomly. he probably saw the warning (which was stupid and shouldn't have come up) and came here in fear. since he's probably a windows user, he probably checked his hotmail and got that. simple enough. the attacker's computer wouldn't designate a port for the connection under 1024 (include 443).

sime

  • Member
  • **
  • Posts: 242
  • Kudos: 4
    • http://www.azuro.com
Curious what microsoft has to say about this...
« Reply #6 on: 24 August 2003, 14:11 »
Absolutley,

ports below 1025 are reserved by the local system.
I just thought you were indicating things were the other way around (just me).

So what do you reckon passport or the RAT?

Later

Sime
==================================================
If Linux doesn't have the solution, you have the wrong problem.
   
         Sime@04
==================================================

Stryker

  • VIP
  • Member
  • ***
  • Posts: 1,258
  • Kudos: 41
Curious what microsoft has to say about this...
« Reply #7 on: 24 August 2003, 14:15 »
it's passport of course. could be from checking email or simply logging into msn messenger... or if it's msn internet it could be from logging onto the internet. microsoft wouldn't want to use a trojan to get into his computer... they have their own way in, and what could he have that they'd want?

hm_murdock

  • VIP
  • Member
  • ***
  • Posts: 2,629
  • Kudos: 378
  • The Lord of Thyme
Curious what microsoft has to say about this...
« Reply #8 on: 24 August 2003, 16:41 »
more money to feed the ENDLESS SPHERE OF CONSUMPTION aka stevie ballmer
Go the fuck ~

Stryker

  • VIP
  • Member
  • ***
  • Posts: 1,258
  • Kudos: 41
Curious what microsoft has to say about this...
« Reply #9 on: 24 August 2003, 20:50 »
quote:
Originally posted by Jimmy James is COOL:
more money to feed the ENDLESS SPHERE OF CONSUMPTION aka stevie ballmer


you mean... he wants more money? ok, let me go get my checkbook.