Press F1 | Thread ID: 45474 | 2004-05-23 09:05:00 | Odd e-mail and firewall activity | Arnie Flangehead (5679)
Post 238695 | 2004-05-23 09:05:00 | Arnie Flangehead (5679)

Hi Y'All

Two odd things are happening that don't particularly alarm me, but I'm curious to know if anyone else has encountered them.

Some background: I use dial-up. I have modern anti-virus software and a firewall. The auto-protect is on, I keep my definitions up-to-date and I do a full scan automatically each morning. The firewall is set to a high protection level. All outgoing and incoming e-mails are scanned. I've been burned in the past so all the protections are on all the time.

The first thing is that I noticed that I was being hit frequently by the sockets de troie trojan. It didn't worry me. I just kept clearing the alert. After a while however I became aware that the same attack was happening more and more frequently. Now it's at the stage that within a few minutes of logging on I'll get hit, then again and again and again from different addresses. Thirty or forty attacks per hour. They all get blocked but what gives? Is someone after me? Could they be false reports?

The second odd thing is that twice in the last week I've received empty e-mails -- no (visible) sender or subject, no text, no attachment. Nothing. I deleted them, so I can't tell you the exact size, but I did note that they were tiny - just a few K. I started wondering if I had been attacked by some super-duper-subtle malware. I don't get any spam at my e-mail address because I've protected it meticulously and my computer is not exhibiting any strange behaviour. AV has not detected anything either.

Any ideas?
Post 238696 | 2004-05-23 09:44:00 | stu120404 (268)

Hello Arnie Flangehead :) Welcome to Press F1 :)

First question: what anti-virus software and firewall are you using?

> Some background: I use dial-up. I have modern anti-virus software and a firewall. The auto-protect is on, I keep my definitions up-to-date and I do a full scan automatically each morning. The firewall is set to a high protection level. All outgoing and incoming e-mails are scanned. I've been burned in the past so all the protections are on all the time.

Good :), well done

> The first thing is that I noticed that I was being hit frequently by the sockets de troie trojan. It didn't worry me. I just kept clearing the alert. After a while however I became aware that the same attack was happening more and more frequently. Now it's at the stage that within a few minutes of logging on I'll get hit, then again and again and again from different addresses. Thirty or forty attacks per hour. They all get blocked but what gives? Is someone after me?

Weird. Does your firewall say what port the trojan is trying to access?

Also, have you tested your firewall at www.grc.com > ShieldsUP! (Note this test is safe :), I test my firewall there all the time)

Also, have you run Ad-Aware & Spybot - Search & Destroy? To see if there is anything there that could be causing this.

> The second odd thing is that twice in the last week I've received empty e-mails -- no (visible) sender or subject, no text, no attachment. Nothing.

It is spam that has got corrupted somewhere I guess, I get the same once in a while.

Also, are Windows updates up to date? & What OS do you have???
Post 238697 | 2004-05-23 10:45:00 | Arnie Flangehead (5679)

Thanks for your reply.

Specs: Norton Antivirus 2002, Norton Internet Security 2002, Windows XP-Pro - checked for MS updates yesterday - nothing outstanding.

Yeah, I've got both Adaware and Spybot -- both up-to-date. Ran both just now before posting this reply. Nothing came up.

Here's the details on the most recent firewall alert:

Date: 5/23/2004 Time: 21:28:01
Rule "Default Block Sokets de Trois v1. Trojan horse" blocked(210.246.6.98,5000).
Details: Inbound TCP connection
Local address,service is (210.246.6.98,5000)
Remote address,service is (204.1.226.228,42248)
Process name is "N/A"

I haven't done the shields-up thing for a while, so I did that just before this post as well. Here's the report:

GRC Port Authority Report created on UTC: 2004-05-23 at 09:42:44
Results from scan of ports: 0-1055
0 Ports Open
2 Ports Closed
1054 Ports Stealth
---------------------
1056 Ports Tested
NO PORTS were found to be OPEN.
Ports found to be CLOSED were: 0, 1
Other than what is listed above, all ports are STEALTH.

Not sure about the significance of those "closed" ports. I'll do some reading on the GRC site.

Cheers.
Post 238698 | 2004-05-23 22:51:00 | Greg S (201)

I'd suggest going to Symantec and doing an online anti-virus scan. Sockets is a very old trojan, and it shoulda been picked up by your Norton. Also, meantime you should completely block both inbound / outbound TCP and UDP traffic on port 5000.
Post 238699 | 2004-05-23 23:38:00 | tweak'e (174)

> Rule "Default Block Sokets de Trois v1. Trojan horse" blocked(210.246.6.98,5000).
> Details: Inbound TCP connection
> Local address,service is (210.246.6.98,5000)
> Remote address,service is (204.1.226.228,42248)

It's an inbound, therefore it's nothing on your PC. Just ignore the alerts.
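As an added example (not from the thread or from any of the posters), the script below applies the distinction tweak'e draws above to a batch of alerts: it parses Norton Internet Security alert lines in the exact format Arnie posted, records the direction and the local process name, treats a blocked inbound connection with no local process ("N/A") as an external probe of a closed port, and counts those probes per hour and per source address to answer the "thirty or forty an hour" question. An outbound attempt by a local process matching the trojan rule is the case that would actually point to something running on the machine, so the script lists those separately for investigation. The sample alert lines are constructed for the example: the first is the one from the thread, the other two are made up (198.51.100.x documentation addresses, placeholder process path).

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample alert lines in the format Norton Internet Security 2002 writes.
# Line 1 is the alert posted in the thread; lines 2 and 3 are made up for the
# example (documentation-range 198.51.100.x addresses, placeholder process path)
# to show a second probe source and an outbound attempt by a local process.
SAMPLE_ALERTS = """\
Date: 5/23/2004 Time: 21:28:01 Rule "Default Block Sokets de Trois v1. Trojan horse" blocked(210.246.6.98,5000). Details: Inbound TCP connection Local address,service is (210.246.6.98,5000) Remote address,service is (204.1.226.228,42248) Process name is "N/A"
Date: 5/23/2004 Time: 21:31:12 Rule "Default Block Sokets de Trois v1. Trojan horse" blocked(210.246.6.98,5000). Details: Inbound TCP connection Local address,service is (210.246.6.98,5000) Remote address,service is (198.51.100.7,33021) Process name is "N/A"
Date: 5/23/2004 Time: 22:02:45 Rule "Default Block Sokets de Trois v1. Trojan horse" blocked(198.51.100.9,5000). Details: Outbound TCP connection Local address,service is (210.246.6.98,1043) Remote address,service is (198.51.100.9,5000) Process name is "C:\\EXAMPLE\\placeholder.exe"
"""

# One regex for the whole alert line; named groups give us every field we need.
ALERT_RE = re.compile(
    r'Date:\s*(?P<date>\S+)\s+Time:\s*(?P<time>\S+)\s+'
    r'Rule\s+"(?P<rule>[^"]+)"\s+blocked\((?P<blocked_ip>[^,]+),(?P<blocked_port>\d+)\)\.\s+'
    r'Details:\s+(?P<direction>Inbound|Outbound)\s+(?P<proto>TCP|UDP)\s+connection\s+'
    r'Local address,service is \((?P<local_ip>[^,]+),(?P<local_port>\d+)\)\s+'
    r'Remote address,service is \((?P<remote_ip>[^,]+),(?P<remote_port>\d+)\)\s+'
    r'Process name is "(?P<process>[^"]*)"'
)


def parse_alert(line):
    """Parse one alert line into a dict, or return None if it is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["timestamp"] = datetime.strptime(
        f"{alert['date']} {alert['time']}", "%m/%d/%Y %H:%M:%S"
    )
    for key in ("blocked_port", "local_port", "remote_port"):
        alert[key] = int(alert[key])
    return alert


def parse_alerts(text):
    """Parse every alert line in a block of log text, skipping non-alert lines."""
    return [a for a in (parse_alert(line) for line in text.splitlines()) if a]


def classify(alert):
    """Blocked inbound with no local process: someone outside knocked on a closed
    port and the firewall dropped it, which says nothing about this PC.
    Outbound from a local process hitting a trojan rule: a program on this PC
    tried to talk to the trojan port, which is the case worth investigating."""
    if alert["direction"] == "Inbound" and alert["process"] == "N/A":
        return "external_probe"
    if alert["direction"] == "Outbound":
        return "local_process_outbound"
    return "other"


def triage(alerts):
    """Summarise probe volume per hour and per source, and list anything local."""
    probes = [a for a in alerts if classify(a) == "external_probe"]
    per_hour = Counter(a["timestamp"].strftime("%Y-%m-%d %H:00") for a in probes)
    sources = Counter(a["remote_ip"] for a in probes)
    investigate = [
        (a["timestamp"].isoformat(), a["process"], a["remote_ip"], a["remote_port"])
        for a in alerts
        if classify(a) == "local_process_outbound"
    ]
    return {
        "probes_per_hour": dict(per_hour),
        "probe_sources": dict(sources),
        "needs_investigation": investigate,
    }


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(a["timestamp"], a["direction"], a["remote_ip"], classify(a))
    print(triage(parsed))
```

On the thread's own alert the script reports one external probe from 204.1.226.228 and nothing to investigate, which is the same conclusion tweak'e reached by reading the "Inbound" and "N/A" fields by hand; the per-hour and per-source counters are what make the same check useful once the alerts arrive dozens of times an hour from many addresses.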
Post 238700 | 2004-05-24 11:05:00 | Arnie Flangehead (5679)

Okay. Thanks to everyone who responded.