I'm under attack!


Chris
16-08-2003, 00:14
All evening my firewall has been constantly repelling attempts to get at my poor Mac ... from when I switched on at about 7.45 until I restarted it just now. My internet has been uselessly slow.

I don't know too much about these things but I had a suspicion that if I rebooted and acquired myself a new IP address the problem might go away. So far, it seems to have worked.

Strange thing is, virtually all the attempts came from within the ntl network, if I'm reading my access log right (it's attached). Anyone have a clue what this is all about?

Mick
16-08-2003, 00:20
Who knows :shrug: but it could be MSBlast related. It seems to have a hidden agenda, one that's going to be unleashed tonight at midnight, when those still infected with the worm and connected to the web will 'blast' (the reason behind its name) data at the Microsoft website in a bid to crash the system.

Xaccers
16-08-2003, 00:22
Port 135, likely to be msblast (aren't you glad you bought a mac?)

Chris
16-08-2003, 00:27
Originally posted by Xaccers
Port 135, likely to be msblast (aren't you glad you bought a mac?)

:D :D :D :p :D :D :D

I am indeed tres, tres smug ... but then Mac geeks usually are. ;)

Xaccers
16-08-2003, 01:23
Yeah, must be good to be so insignificant no one bothers with you :D
mumble mumble can't right mouse click mumble mumble :D

Lord Nikon
16-08-2003, 01:49
One comment about the mac....

and it's on this page...
http://www.deadtroll.com/video/livehelldesk.html

right at the end :)

Atomic22
21-08-2003, 21:20
Some of us with older (but nicer) versions of Windows (98SE) are not affected by the Blast virus, and also have all 3 mouse keys to play with, so we feel really smug.

Z4pp4
21-08-2003, 21:52
Towny

I am also getting battered on destination port 135, the connection is hopelessly slow, 99% from NTL customers, plus repetitive CyberKit 2.2 hits.
It's crap, the Microsoft product is totally vulnerable when connecting to the internet by itself and it's clogging up network traffic.

Blame Kazaa users for clogging up the network "my backside".

Ban micro$oft users from using up bandwidth with flaky software.

Fr4nk

Z4pp4
21-08-2003, 22:19
Infected by the MSBlast Internet Worm ... ISPs everywhere are blocking all port 135 traffic in an attempt to slow the worm's growth

Obviously not NTL

Fr4nk
:mad:

homealone
21-08-2003, 22:29
Originally posted by Atomic22
Some of us with older (but nicer) versions of Windows (98SE) are not affected by the Blast virus, and also have all 3 mouse keys to play with, so we feel really smug.

well we are a bit affected, because of all the extra traffic.

one persistent entry in my firewall log resolves as

youhavetheblasterworm.ntli.net

- and I am on 98se:D

- presumably this is the Welchi worm?

- anyone had sobig.f yet?

Steve H
21-08-2003, 22:48
Well, I reinstalled XP Pro for my mate tonight, and about 20 seconds after reconnecting to the internet the Blast worm was on his computer... Although it rebooted once, and then when I went to remove it, it'd already gone! Methinks the anti-virus virus was there somewhere :p

XFS03
21-08-2003, 23:05
Originally posted by Steve_NTL
Well, I reinstalled XP Pro for my mate tonight, and about 20 seconds after reconnecting to the internet the Blast worm was on his computer...
Didn't you turn on XP's firewall before connecting to the internet?

Steve H
21-08-2003, 23:31
No - didn't even think about it.

kronas
22-08-2003, 01:14
Originally posted by Steve_NTL
No - didn't even think about it.

lmfao big mistake :rofl: :rofl: :rofl:

well you know what to do about it :p

Lord Nikon
22-08-2003, 07:33
Not knowing much about the Mac, why not see if you can stealth port 135? The reason the worms try multiple times with you is that they get a reply on that port, so they try to force their way in. If the port doesn't respond, they assume there is no machine and move on.

(3 port stages:
Open - traffic is allowed through
Closed - traffic is blocked and a reply is given saying the port is closed
Stealthed - traffic is blocked and no acknowledgement is given

Stealthed is the best, as far as the attacking machine knows there is no computer on that IP address at all)
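A small triage script for the sort of firewall log Chris and Z4pp4 attached, added here as an example and not taken from the thread. It assumes ipfw-style deny lines (the sample lines below are constructed, using documentation addresses, and the year is assumed since syslog omits it), counts hits on destination port 135, and flags sources that keep retrying in the way Lord Nikon describes.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed ipfw-style log lines; not the log attached to the thread.
SAMPLE_LOG = """\
Aug 15 19:47:02 mac ipfw: 12190 Deny TCP 203.0.113.10:3412 192.168.0.2:135 in via en0
Aug 15 19:47:05 mac ipfw: 12190 Deny TCP 203.0.113.10:3413 192.168.0.2:135 in via en0
Aug 15 19:47:08 mac ipfw: 12190 Deny TCP 203.0.113.10:3414 192.168.0.2:135 in via en0
Aug 15 19:47:09 mac ipfw: 12190 Deny TCP 203.0.113.77:1091 192.168.0.2:135 in via en0
Aug 15 19:47:20 mac ipfw: 12190 Deny TCP 198.51.100.5:2201 192.168.0.2:80 in via en0
Aug 15 19:47:31 mac ipfw: 12190 Deny ICMP:8.0 203.0.113.77 192.168.0.2 in via en0
Aug 15 19:47:40 mac ipfw: 12190 Deny TCP 203.0.113.10:3415 192.168.0.2:135 in via en0
"""

# Only TCP/UDP lines carry ports; ICMP lines are skipped by the regex.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ipfw: \d+ (?P<action>\w+) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse(log_text, year=2003):
    """Return (timestamp, source_ip, destination_port) for each port-bearing line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} " + m["ts"], "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], int(m["dport"])))
    return events

def triage(events, port=135, retry_threshold=3):
    """Summarise hits on one port: volume, distinct sources, persistent retriers, timing."""
    hits = [e for e in events if e[2] == port]
    by_src = Counter(src for _, src, _ in hits)
    # Sources that keep coming back are behaving like the worm retrying a live host.
    repeaters = {s: n for s, n in by_src.items() if n >= retry_threshold}
    times = sorted(t for t, _, _ in hits)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return {
        "ports": dict(Counter(p for _, _, p in events)),
        "port_hits": len(hits),
        "sources": len(by_src),
        "repeaters": repeaters,
        "median_gap_s": sorted(gaps)[len(gaps) // 2] if gaps else None,
    }

if __name__ == "__main__":
    print(triage(parse(SAMPLE_LOG)))
```

Feed the real access log in place of SAMPLE_LOG; a high port-135 count with short gaps between hits and a handful of repeating sources is what this thread's "hammering" looks like.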

SMHarman
22-08-2003, 10:57
Originally posted by homealone
<snip>

- anyone had sobig.f yet?

I can proudly say I got it on Tuesday. The Missus opened a copy of it. Then went Oh poo I've been duped. Virus patterns updated that morning, still was not stopped.

Had to lock down zone alarm and track down the rogue program. Luckily it was not an essential ms file (like blast).

Put the file on a disk and then got restarted.

It's a powerful mailer. My 600k connection and AMD 2400 managed to send about 150 mails in the 2 minutes it was running.

Bit worried about this trojan thing. Is that killed off once the file is deleted and the registry updated?

I've run the Norton cleaner, and PCCillin says I'm clean, but when I start up I get some strange message still.

Lord Nikon
22-08-2003, 11:07
Care to elaborate on the strange bootup messages? I may be able to help

SMHarman
22-08-2003, 11:39
Originally posted by Lord Nikon
Care to elaborate on the strange bootup messages? I may be able to help

It looks like a PCCillin message once XP is open and the profile loaded.

A message box about 2in square - no title.

Foreign chars then w32.sobig.f.exe or something like that.

An OK box.

Press OK and it goes away.

Parts of PCCillin are also displaying in foreign chars at the mo also. I'm running the comp copy that came with my ASUS mobo. Properly registered and free updates for a year. Even with the POP2Trap it still missed it as I was an early adopter.

PCCillin and Norton say I don't have the virus, but as you can see I did a bit of a manual removal.

Dare I say I should close my internet connection, reinstall the virus and then remove it again?

Would give you a screen shot with the box, but I am not on that PC.

Lord Nikon
22-08-2003, 11:48
not a chance

Take a look in the registry though in the sections
HKey_Current_User/Software/Microsoft/Windows/Currentversion/Run

and any other Run keys in the registry, also search for w32.sobig.f.exe in the registry

assuming you are on Windows XP disable System Restore and then delete the contents of the c:\windows\prefetch folder too

SMHarman
22-08-2003, 11:52
Was nothing in the registry when I did the manual removal - will recheck tonight.

Where do you disable System Restore? I've been fortunate enough not to need to use it so far, so have not seen how restore / roll back works.

Lord Nikon
22-08-2003, 11:54
Right click on My Computer, click on Properties then on the System Restore tab

The reason being that if the virus was there when the system created a restore point then the virus may have been backed up along with the system files :D

Lord Nikon
22-08-2003, 12:02
SMHarman I just found something for you

http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.removal.tool.html

It's a removal tool that should sort out the damage caused by the worm as well :)

More info on the site.

SMHarman
22-08-2003, 12:06
See Post 16. I've run that. It says I don't have the virus.

Which I don't. I can see that there is no / limited traffic on my connection when I am not doing anything, and it's all inbound, not outbound.

With Sobig running the red bar on ZA is maxed out permanently.

Z4pp4
24-08-2003, 22:59
Am I paying for ignorant users using up our bandwidth ?

Is NTL doing anything about it ?

Can I name and shame ignorant users ?

Originally posted on guess who

Sorry about this: but is the issue being addressed?

I think NOT !

Fr4nk

Maggy
25-08-2003, 00:27
Originally posted by Z4pp4
Am I paying for ignorant users using up our bandwidth ?

Is NTL doing anything about it ?

Can I name and shame ignorant users ?

Originally posted on guess who

Sorry about this: but is the issue being addressed?

I think NOT !

Fr4nk

Apparently it is. It would seem at the other site there is a thread (Do NTL turn you off because of BLASTER?) about how those NTL customers still infected by Blaster are being denied connection until they sort out their PC and remove it.

Incog.:)

Xaccers
25-08-2003, 10:22
Hmm, NTL could do a network scan for the vulnerable PCs, then force them to be redirected to a page (like they do with autoreg) informing the customers that they are vulnerable and giving links/instructions on what to do about it :)

Maggy
25-08-2003, 18:07
Apparently that is what is happening.

Incog.

Z4pp4
29-08-2003, 21:41
Still getting hammered on port 135
see records on log1.zip & log2.zip
Fr4nk

Z4pp4
29-08-2003, 21:42
log2.zip

Steve H
29-08-2003, 22:14
Getting hammered here, causing CIs (connection interruptions) in games (I presume).. one every 2-3 seconds or so.

carlingman
30-08-2003, 00:51
Hmm,

May have something to do with the Variant of the Blaster Worm.

Take a look here (http://net-security.org/virus_news.php?id=294)

:)

Lord Nikon
30-08-2003, 10:35
:rofl: