unknown entry to PC

Cwonderboom (New Member, joined Apr 5, 2005):
Does anyone know why the following people
OrgName: African Network Information Center
OrgID: AFRINIC
Address: CSIR/icomtek
Address: 43A
Address: PO Box 395
City: Pretoria
StateProv: Gauteng
PostalCode: 0001
Country: ZA
Keeps on trying to connect to my "ntoskrnl.exe" and "svchost.exe" files.
What kind of information are they looking for?
 
that's just the network address you looked up with Norton's or something, right?
to me it looks like you could either have a zombie bot (irc bot/trojan that exploits PCs and tries to call home) or trojan or something. what port was it going for?
 
right, firewall keeps blocking it. if I trace them I can see they come thru about 3 other IP addresses, some time thru WBS's own IP
local port 445
 
ok it could be one of two things, I need to know one more thing: if you press ctrl + alt + delete and look in the processes list do you see the process "ntoskrnl.exe"?
 
yeah exactly, the attack is either routed through that pc without the user knowing or it's an exploit bot and that IP is a victim with the bot scanning IPs around it and attempting to exploit
 
445 - probably someone that has not done this, or a genuine port scan if Norton says unknown penetration happened...
 
no but "ntoskrnl.exe" and "svchost.exe" are services that Windows uses; it's the OS kernel file ("ntoskrnl.exe"). if the information I got is right, if they can connect to "svchost.exe" Windows acts as a host to these people. only noticed this when I installed a decent firewall.
 
ok yes obviously I know they're services, my point was that if that service was showing as a process then it is a fake service because it loads at boot time and is a windows child process so it wouldn't show. svchost is a security layer and there are a few old exploits out there for it, all were resolved with patches from early 2004 and SP2.

Nobody actually got access to your box, it was just an attempted attack picked up by your IDS, and an old attack at that. I suspect it was an exploit bot like rBot or SDbot (that scan IPs and automatically exploit holes found to spread, and the bot masters control them through irc, usually to ddos or steal passwords from internet explorer cache). Of course your IDS may have spotted this attack but most exploit bots compile with at least 5 attacks, so what you should do is use netstat from command line or an app like netlimiter to see what applications are using the internet. If you see something funny in there connecting to IRC, or some app with a windowsish name but read-only and hidden and not containing the microsoft information in the version tab of the properties, then it's safe to assume you have the exploit bot on your pc and it's probably scanning for vuln pcs around you. These bots are not picked up by virus scanners because the source is released and each attacker modifies it to their needs and compiles, making a unique bot, and they only ever infect about max 10 000 people, usually way smaller, so the info never gets to the big virus/worm companies.

you probably didn't get infected but if you did it's hard to say what vulnerability it would have got in with because all the traffic is routed through a few windows ports like 445.
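The netstat check described above, turned into a small script. This is an added example, not code from anyone in the thread: it parses Windows `netstat -ano` style output and flags two of the signs mentioned, a process holding an IRC connection and a process opening SMB (445/139) connections to several neighbouring hosts. The netstat text is constructed for the example, and the IRC port list, the SMB ports and the scan threshold are assumptions you can tune.

```python
from collections import defaultdict

# Constructed sample of Windows `netstat -ano` output (not captured from a real host).
# PID 1844 is the constructed "suspect": it holds an IRC session and is opening
# SMB (445) connections to several neighbouring hosts, the pattern the post describes.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.0.10:1045      203.0.113.5:6667       ESTABLISHED     1844
  TCP    192.168.0.10:1052      198.51.100.7:80        ESTABLISHED     2216
  TCP    192.168.0.10:1060      192.168.0.11:445       SYN_SENT        1844
  TCP    192.168.0.10:1061      192.168.0.12:445       SYN_SENT        1844
  TCP    192.168.0.10:1062      192.168.0.13:445       SYN_SENT        1844
  UDP    0.0.0.0:137            *:*                                    4
"""

# Assumed heuristics: classic IRC ports, the Windows file-sharing ports an
# exploit bot probes, and how many distinct SMB targets count as scanning.
IRC_PORTS = set(range(6660, 6670)) | {7000}
SMB_PORTS = {445, 139}
SCAN_THRESHOLD = 3


def port_of(addr):
    """Return the numeric port of 'host:port', or None for '*:*' style entries."""
    _, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def parse_netstat(text):
    """Parse netstat -ano lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:  # UDP rows have no State column
            state, pid = "", int(parts[3])
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": pid, "fport": port_of(foreign)})
    return rows


def find_suspicious(rows):
    """Flag (pid, reason, detail) for IRC sessions and fan-out SMB connections."""
    findings = []
    smb_targets = defaultdict(set)
    for r in rows:
        if r["proto"] != "TCP":
            continue
        if r["fport"] in IRC_PORTS:
            findings.append((r["pid"], "irc", r["foreign"]))
        # Outbound connections to 445/139 on other hosts (not our own listener).
        if r["fport"] in SMB_PORTS and r["state"] != "LISTENING":
            smb_targets[r["pid"]].add(r["foreign"].rpartition(":")[0])
    for pid, hosts in sorted(smb_targets.items()):
        if len(hosts) >= SCAN_THRESHOLD:
            findings.append((pid, "smb-scan", f"{len(hosts)} hosts"))
    return findings


def suspicious_pids(text):
    """Convenience wrapper: the set of PIDs worth checking in Task Manager."""
    return {pid for pid, _, _ in find_suspicious(parse_netstat(text))}


if __name__ == "__main__":
    for pid, reason, detail in find_suspicious(parse_netstat(SAMPLE_NETSTAT)):
        print(f"PID {pid}: {reason} ({detail})")
```

Run it against saved output (`netstat -ano > conns.txt`, then feed the file to `parse_netstat`) and look up any flagged PID in Task Manager or with `tasklist` to see which executable owns it; that is where the post's check of the file's properties and version tab comes in. The inbound hits on your own port 445 listener are deliberately not flagged, since, as the thread says, those are just the background noise every firewall sees.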
 
On the firewall subject, I am running the WinXP Firewall, but is it actually any good? From what I have set up, I only allow connections to ports that I have approved/know what they are for. Do you guys reckon this is sufficient, or rather something like Sygate's PF?
 
Cwonderboom said:
right, firewall keeps blocking it. if I trace them I can see they come thru about 3 other IP addresses, some time thru WBS's own IP
local port 445
I get about 1000-2000 of those hitting my firewall every day. Don't worry about it, it happens
 
You might want to get copies of SpyBot, CounterSpy, AdAware and an Antivirus proggie (I use Kaspersky) - and maybe 'regdefend' - a no-system-resources registry 'firewall' to prevent alterations - even with all these, installed latest BPS Spyware Remover & saw that my MIRC had picked up some backdoor.. No one program can really get 'everything' - so it's useful to have an assortment of different ones that each have their own snooping methods .. as for firewall, I use zone alarm - but everyone has their own fave..
 
LoneGunman said:
You might want to get copies of SpyBot, CounterSpy, AdAware and an Antivirus proggie (I use Kaspersky) - and maybe 'regdefend' - a no-system-resources registry 'firewall' to prevent alterations - even with all these, installed latest BPS Spyware Remover & saw that my MIRC had picked up some backdoor.. No one program can really get 'everything' - so it's useful to have an assortment of different ones that each have their own snooping methods .. as for firewall, I use zone alarm - but everyone has their own fave..

The biggest help is actually to use Firefox ;)
Stopped 90% of the crap I had with spyware and ad crap
 
yeah ad aware and spybot won't stop a single exploit bot

and to answer landyman's question: no, the windows xp firewall is crap and even has exploits out there for it, and since it never notifies you it is pretty flipping useless
 
slimothy said:
... and since it never notifies you it is pretty flipping useless

That's my concern ... I do run a firewall on my Wireless Router as well, but not too sure it is better than MS.

Well then, time to download some firewalls, over our 'fixed' network. :D
 
yeah, forgot to mention firefox, but that's a basic 'given'. Keep an eye out for W32.Elitper.B@mm - which specifically gets into your system and mainly lowers the security settings without you knowing.. another reason to get obsessive with non-OS-connected firewalls that can't be quietly dismantled as easily as the windows firewall..
 
if everyone switched to firefox tomorrow then tomorrow there would be a wave of firefox exploits (well there are a few already). people who write exploits just want a big payload so use what other people don't use, but either way your system is always vulnerable
 