Message-ID: <41FBA904.3040505@postmark.net>
From: tat at postmark.net (Antonio Henrique Oliveira)
Subject: Transamericana.org

Michael Rutledge wrote:
> This may be a stretch (a large stretch), but someone could have
> planted something on your Windows box that is using pings as a covert
> channel (given that person has also taken control of the webserver
> that hosts transamericana.org and can watch the connection logs).  Do
> you have a capture of the pings for someone to do a frequency analysis
> on?
> 
> Also, you may want to post a list of your currently running processes
> in hopes someone may spot something that looks wrong.
> 
> -Michael
> 
> On Sat, 29 Jan 2005 12:03:39 +0000, Antonio Henrique Oliveira
> <tat@...tmark.net> wrote:
> 
>>Gregh wrote:
>>
>>>----- Original Message -----
>>>From: "Antonio Henrique Oliveira" <tat@...tmark.net>
>>>To: <full-disclosure@...ts.netsys.com>
>>>Sent: Saturday, January 29, 2005 9:46 PM
>>>Subject: [Full-Disclosure] Transamericana.org
>>>
>>>>Dear all,
>>>>
>>>>Please excuse me if this is a bit off-topic, but since this is the only
>>>>IT-related mailing list I subscribe to (apart from Secunia's) I decided to
>>>>post here.
>>>>
>>>>From sometime ago (I cannot determine exactly when this started to
>>>>happen), my workstation (WinXP SP2 PT, fully patched) has been sending
>>>>out ping requests to www.transamericana.org when I login to the machine
>>>>(right at the beginning of the login process, and only at that time).
>>>
>>>Perchance is your DNS hosted there? Eg, your ISP's DNS servers?
>>>
>>>Greg.
>>
>>No. The Linux box runs bind for the internal (and external) networks and
>>does direct queries to the root servers, not using our ISP's DNS. The
>>internal network is configured with DHCP and the DNS server for all
>>hosts is set to the linux box internal address. Also, my workstation
>>(and there are 5 more) is the only one doing this.
>>
>>Regards,
>>--
>>Anto'nio Henrique A. Proenca de Oliveira
>>
>>"Although we can never go back, like an old sweet song with a strong
>>refrain, memories remain" - (Someone)
>>
>>Please avoid sending me Word or PowerPoint attachments.
>>See http://www.fsf.org/philosophy/no-word-attachments.html
>>$Id: .signature,v 1.3 2004/07/14 08:08:10 tat Exp tat $
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.netsys.com/full-disclosure-charter.html
>>
The only records I have from the pings are from yesterday (when I 
started logging them).
It sends three pings (not replied to) to www.transamericana.org during 
login process and then stops until I login again (either by reboot or 
logoff/login).
Attached are two files with results from "HiJackThis", as per Gregh's 
suggestion. They show the running processes and the list of programs 
executed during login.

Regards,
-- 
Anto'nio Henrique A. Proenca de Oliveira
R. 3 - Lote 22 - Loteam. Pinhel
4805-078 Caldas das Taipas - Portugal
T +351 253 576 888 / Work +351 255 862 416
M +351 96 323 1169 / tat@...tmark.net

"Although we can never go back, like an old sweet song with a strong 
refrain, memories remain" - (Someone)

Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
$Id: .signature,v 1.3 2004/07/14 08:08:10 tat Exp tat $
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: hijackthis.txt
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050129/8a801941/hijackthis.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: startuplist.txt
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050129/8a801941/startuplist.txt
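Michael's suggestion above (keep a capture of the pings so someone can do a frequency analysis on them) in code, as an added example that is not part of the original thread or the attachments: a small Python triage script that pulls ICMP echo requests out of a capture and reports what such an analysis would look at, namely payload content and entropy, identifier and sequence numbers, and the spacing between packets. The capture it runs on is constructed inline; the one external fact it relies on is the 32-byte payload that the stock Windows ping.exe sends in an echo request. The packet builder leaves checksums at zero and uses placeholder addresses.

```python
"""Triage a capture of ICMP echo requests for covert-channel indicators.

Added example, not part of the original thread. Parses raw IPv4 packets
(no link-layer header) and reports what a payload/frequency analysis of
the login-time pings would look at. All packets below are constructed.
"""
import math
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Payload the stock Windows ping.exe puts in an echo request (32 bytes).
# A login-time ping carrying anything else deserves a closer look.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


@dataclass
class Echo:
    ts: float          # capture timestamp (seconds)
    ident: int         # ICMP identifier
    seq: int           # ICMP sequence number
    payload: bytes     # bytes after the 8-byte ICMP header


def parse_icmp_echo(ts: float, raw: bytes) -> Optional[Echo]:
    """Return an Echo for an IPv4/ICMP echo request (type 8), else None."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 1 or len(raw) < ihl + 8:       # protocol 1 = ICMP
        return None
    icmp = raw[ihl:]
    typ, _code, _cksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if typ != 8:
        return None
    return Echo(ts, ident, seq, icmp[8:])


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 32 distinct bytes give 5.0, a constant byte gives 0.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyse_capture(packets: List[Tuple[float, bytes]]) -> dict:
    """Summarise the echo requests in a list of (timestamp, raw IPv4 packet)."""
    echoes = [e for e in (parse_icmp_echo(ts, raw) for ts, raw in packets) if e]
    payloads = [e.payload for e in echoes]
    intervals = [round(b.ts - a.ts, 3) for a, b in zip(echoes, echoes[1:])]
    return {
        "count": len(echoes),
        "default_windows_payload": bool(payloads) and all(p == WINDOWS_PING_PAYLOAD for p in payloads),
        "distinct_payloads": len(set(payloads)),
        "max_entropy_bits": max((shannon_entropy(p) for p in payloads), default=0.0),
        "identifiers": sorted({e.ident for e in echoes}),
        "sequence_numbers": [e.seq for e in echoes],
        "intervals_s": intervals,
    }


def build_echo_packet(ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed IPv4 + ICMP echo request; checksums left zero (not verified here)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    src, dst = bytes([192, 168, 1, 10]), bytes([10, 0, 0, 1])   # placeholder addresses
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 128, 1, 0, src, dst)
    return ip + icmp


def benign_capture() -> List[Tuple[float, bytes]]:
    """Three stock-looking pings, one second apart (constructed sample)."""
    return [(float(i), build_echo_packet(0x0200, i + 1, WINDOWS_PING_PAYLOAD)) for i in range(3)]


def suspicious_capture() -> List[Tuple[float, bytes]]:
    """Three pings whose payloads differ and are high-entropy (constructed sample)."""
    return [(i * 0.25, build_echo_packet(0x0200, i + 1, bytes(range(0x30 + i, 0x50 + i))))
            for i in range(3)]


if __name__ == "__main__":
    for name, cap in (("benign", benign_capture()), ("suspicious", suspicious_capture())):
        print(name, analyse_capture(cap))
```

To run it against a real capture, record the login-time pings on the Linux box with something like `tcpdump -n -w login.pcap icmp and host www.transamericana.org`, read the pcap with a packet library such as dpkt or scapy (not shown here), and hand each (timestamp, IPv4 bytes) pair to analyse_capture. Three pings carrying the stock payload, identical content and regular spacing look like a plain reachability check by some startup program; payloads that vary between packets, high entropy, or irregular timing are what a covert channel would show up as, and the interval list is the raw material for the frequency analysis Michael mentions.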
