Author Topic: Windows is hacking me non-stop! Very weird...  (Read 912 times)

Lennon

  • Member
  • **
  • Posts: 59
  • Kudos: 0
Windows is hacking me non-stop! Very weird...
« on: 30 September 2003, 21:28 »
I didn't manage to download a firewall and as soon as I connected and started downloading the sygate personal firewall (free and good firewall) i noticed that by the end of the 1mb download I had uploaded 40mb to someplace. So I got the firewall running and this thing was sending to some 239.255.255.250. After a search I found it had to do something with local networks but I had some SVCHOST.exe sending data there constantly. So i block it in the firwall.
Now the really weird thing. Some DLLHOST.exe file starts uploading like mad instead. I block it too and now after 6mb of uploaded data it stopped. It started uploading to EVERY IP starting with 62.193 62.192 62.191 62.190 or so I think. It keeps trying 100 IPs in a second but i blocked it. Even blocked, it is wasting my internet connection and its realllly slow. I can hardly use the damn thing.
I also got a file access monitor to see if it was drawing any files off my machine. I found that when I started IE it scanned my desktop and my whole C drive for data structure, and then opened the infamous CONTENT.IE/INDEX.DAT file and wrote to it. I'll deal with that later. But this is obviously all part of IE. Also it was accessing files so quickly i couldnt really catch what it was doing (the log file grows huge and the peice o sh*t is slow). I don't think it scanned my D drive.

Anyway, i never heard of this happening before. Am I being hacked? Why is this happening? I also found some remote PC control programs are in use some WMBP , Koreg authentication, object.something files bla bla...

I just came here to find out how to get linux back up and running cos i really need the net (i'm a webmaster!) and window$ is not only shit but I can't use the net at all. (You can help me with that problem in the Linux fourm, cheers)
Peace out.

Lennon

  • Member
  • **
  • Posts: 59
  • Kudos: 0
Windows is hacking me non-stop! Very weird...
« Reply #1 on: 30 September 2003, 22:29 »
now it stopped switching IPs and landed at

(port 8)

62.191.169.172

GeekTools Whois Proxy v5.0.2 Ready.
Checking access for 62.193.130.XX... ok. /* << my ip */
Final results obtained from whois.ripe.net.
Results:
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      62.191.0.0 - 62.191.255.255
netname:      EU-UUNET-991026
descr:        UUNET UK (Formerly PIPEX)
descr:        PROVIDER
country:      GB
admin-c:      WERT1-RIPE
tech-c:       UPHM1-RIPE
status:       ALLOCATED PA
remarks:      Please send abuse notification to [email protected]
notify:       [email protected]
mnt-by:       RIPE-NCC-HM-MNT
mnt-by:       AS1849-MNT
changed:      [email protected] 19991026
changed:      [email protected] 20000229
changed:      [email protected] 20000713
changed:      [email protected] 20030513 # eu.uunet.ton via https://lirportal.ripe.net
source:       RIPE

role:         WCOM EMEA Registrar Team
address:      UUNET
address:      EMEA Network Services
address:      J. Muyskenweg 22
address:      NL-1096 CJ Amsterdam
address:      The Netherlands
phone:        +31 20 711 6000
fax-no:       +31 20 711 6001
e-mail:       [email protected]
admin-c:      SC301-RIPE
admin-c:      TONE1-RIPE
admin-c:      AK111-RIPE
admin-c:      HTV5-RIPE
tech-c:       SC301-RIPE
tech-c:       TONE1-RIPE
tech-c:       AK111-RIPE
tech-c:       HTV5-RIPE
nic-hdl:      WERT1-RIPE
notify:       [email protected]
mnt-by:       AS1849-MNT
changed:      [email protected] 20030202
source:       RIPE

role:         PIPEX Hostmaster
address:      UUNET UK
address:      Internet House
address:      330 Science Park
address:      Milton Road
address:      Cambridge
address:      CB4 4BZ
address:      UK
phone:        +44 1223 250122
fax-no:       +44 1223 250133
e-mail:       [email protected]
trouble:      Telephone number available 24x7
admin-c:      WERT1-RIPE
tech-c:       WERT1-RIPE
nic-hdl:      UPHM1-RIPE
remarks:      UUNET UK
mnt-by:       AS1849-MNT
changed:      [email protected] 19971009
changed:      [email protected] 19971111
changed:      [email protected] 19980402
changed:      [email protected] 19981214
changed:      [email protected] 20000224
source:       RIPE
notify:       [email protected]
changed:      [email protected] 20030605
Peace out.

flap

  • Member
  • **
  • Posts: 1,268
  • Kudos: 137
Windows is hacking me non-stop! Very weird...
« Reply #2 on: 30 September 2003, 22:34 »
Where is this dllhost.exe file?
"While envisaging the destruction of imperialism, it is necessary to identify its head, which is none other than the United States of America." - Ernesto Che Guevara

http://counterpunch.org
http://globalresearch.ca


Lennon

  • Member
  • **
  • Posts: 59
  • Kudos: 0
Windows is hacking me non-stop! Very weird...
« Reply #3 on: 30 September 2003, 22:42 »
c:\windows\system32
c:\windows\system32\wins
Peace out.

flap

  • Member
  • **
  • Posts: 1,268
  • Kudos: 137
Windows is hacking me non-stop! Very weird...
« Reply #4 on: 30 September 2003, 22:46 »
what are the creation dates on those two files?
"While envisaging the destruction of imperialism, it is necessary to identify its head, which is none other than the United States of America." - Ernesto Che Guevara

http://counterpunch.org
http://globalresearch.ca


Lennon

  • Member
  • **
  • Posts: 59
  • Kudos: 0
Windows is hacking me non-stop! Very weird...
« Reply #5 on: 30 September 2003, 22:50 »
first one was modified on 23/08/2001
second (in wins directory) was modified (probably created too) on 28/09/2003

the first one is 5KB
second one is 10KB
Peace out.

Lennon

  • Member
  • **
  • Posts: 59
  • Kudos: 0
Windows is hacking me non-stop! Very weird...
« Reply #6 on: 30 September 2003, 22:54 »
in this wins directory, there is only that other file svchost.exe which is also sending stuff but only to that signle IP i mentioned.

dllhost seems to be searching for an IP similar to mine (first two digits) and it was just sending to IPs starting with 202.98. (i think those were the numbers)
Peace out.

flap

  • Member
  • **
  • Posts: 1,268
  • Kudos: 137
"While envisaging the destruction of imperialism, it is necessary to identify its head, which is none other than the United States of America." - Ernesto Che Guevara

http://counterpunch.org
http://globalresearch.ca


mobrien_12

  • VIP
  • Member
  • ***
  • Posts: 2,138
  • Kudos: 711
    • http://www.geocities.com/mobrien_12
Windows is hacking me non-stop! Very weird...
« Reply #8 on: 30 September 2003, 23:10 »
quote:
Originally posted by flap:
http://www.pchell.com/virus/welchia.shtml


Yep.  

Lennon, it looks like in the time it took you to download a firewall, you were infected with a worm.

The very first thing you should download is all the security patches for any OS install.
In brightest day, in darkest night, no evil shall escape my sight....

Lennon

  • Member
  • **
  • Posts: 59
  • Kudos: 0
Windows is hacking me non-stop! Very weird...
« Reply #9 on: 30 September 2003, 23:30 »
Ah yes those viruses. Windoze is full of them. I just cant grasp how it got there, but hey. Maybe it was from an old download of Kazaa Lite which I installed or an OpenOffice windows version(it was on a CD). Kazaa is the prime suspect i suppose?

Anyway, thanks a lot, i removed it and it seems fine now. I did it without system restore so i hope the worm wont resurect...

What do you think were those 40 megs of uploaded data? Just searching for victims or were they downloading my mp3s or something    ?
Peace out.

TheQuirk

  • VIP
  • Member
  • ***
  • Posts: 2,154
  • Kudos: 315
Windows is hacking me non-stop! Very weird...
« Reply #10 on: 1 October 2003, 01:15 »
No. It was a worm. You didn't install anything (and that's the problem--you needed to install security patches   ).

mobrien_12

  • VIP
  • Member
  • ***
  • Posts: 2,138
  • Kudos: 711
    • http://www.geocities.com/mobrien_12
Windows is hacking me non-stop! Very weird...
« Reply #11 on: 1 October 2003, 02:10 »
quote:
Originally posted by Lennon:

Anyway, thanks a lot, i removed it and it seems fine now. I did it without system restore so i hope the worm wont resurect...

What do you think were those 40 megs of uploaded data? Just searching for victims or were they downloading my mp3s or something     ?




Quirk is right.  This was not a virus.  It was a worm.  Think of it as an automated script kiddie self replicating and hacking into all winNT/2k/xp machines connected to the internet without any action on your part.  Unless you patch (http://windowsupdate.microsoft.com, accessible only through MSIE) you will get it, or a variant, again.

No matter what OS you run you must apply security patches if it is to be connected to the internet.

This particular worm was a well meaning attempt at  countering the msblast worm, but it causes a bunch of problems by iteself.  All that data was it trying to copy versions of itself, as well as the patch, to other computers.
In brightest day, in darkest night, no evil shall escape my sight....

flap

  • Member
  • **
  • Posts: 1,268
  • Kudos: 137
Windows is hacking me non-stop! Very weird...
« Reply #12 on: 1 October 2003, 02:25 »
quote:
Unless you patch http://windowsupdate.microsoft.com, accessible only through MSIE) you will get it, or a variant, again.


Not if he has a firewall. It doesn't matter how buggy your system is if it isn't open to the outside world. Unless the firewall is buggy too.
"While envisaging the destruction of imperialism, it is necessary to identify its head, which is none other than the United States of America." - Ernesto Che Guevara

http://counterpunch.org
http://globalresearch.ca


Windows_SuX_@$$

  • Member
  • **
  • Posts: 233
  • Kudos: 0
Windows is hacking me non-stop! Very weird...
« Reply #13 on: 1 October 2003, 02:51 »
Why even bother with it?

Just try linux, It's FREE
Signatures can appear at the bottom of your posts. This option may be disabled by the message board administrators at any time, however. You may use UBB Code in your signature, but not HTML. UBBCode Images are permitted.

hm_murdock

  • VIP
  • Member
  • ***
  • Posts: 2,629
  • Kudos: 378
  • The Lord of Thyme
Windows is hacking me non-stop! Very weird...
« Reply #14 on: 1 October 2003, 11:27 »
he just said that he's about to get Linux back on the box
Go the fuck ~