Tuesday, October 10, 2006

Where did those come from...?

Earlier today I found some files that weren't supposed to be in my home folder.
drsmarload1135a.exe
LOADADV455.EXE
It would seem that these are win32 malware. Well, LOADADV455 is a trojan and drsmartload1135 is an exploit. How they got into my Ubuntu home folder I don't know, but they are classified as win32 viruses with a "bad" rating on http://www.prevx.com. Not much else to go on. F-Secure had nothing on these, but they are classified as newly discovered on prevx. Anyway, since they are for win32, I figured it wasn't a problem. Kind of fun actually, watching them crawl and squirm, then smashing them with rm. So I deleted them, thinking briefly of turning them over to F-Secure, but it seemed to be too much work. After that my mouse started behaving strangely (it still does, actually), so I started looking over my system, looking for processes that I didn't recognize. While raiding the netlogs, which I am completely inept at (I am still a n00bie in Linux), well, there was something strange going on. So I scanned the computer for more viruses with ClamAV. Nothing. Finally I decided, in a brief moment of panic, to install Firestarter (a firewall for Linux). Here I found an active session with a foreign address (205.51.162.163). After a few futile attempts to block him out from the command line I gave in. I blocked all internet traffic and restarted the computer, in order to be completely sure he wasn't still there.

First I made sure he wouldn't get in again and filtered the firewall the hardcore way, meaning basically everything but port 80. Then I started digging. I went to http://www.samspade.org and tried the IP on all the registries I could find. Imagine my surprise when www.arin.net gave me this:

OrgName: DoD Network Information Center
OrgID: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
NetRange: 205.0.0.0 - 205.55.255.255
CIDR: 205.0.0.0/11 205.32.0.0/12 205.48.0.0/13
NetName: NICS86-88
NetHandle: NET-205-0-0-0-1
Parent: NET-205-0-0-0-0
NetType: Direct Allocation
Comment:
RegDate:
Updated: 2006-10-03
OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName: Network DoD
OrgTechPhone: 1-800-365-3642
OrgTechEmail: HOSTMASTER@nic.mil

Well, you can imagine I got a bit nervous, half expecting the CIA to burst through my door. (Not very likely though, since they were on another continent.)
After checking out Google it turned out that they were a Defense Supply Center in Columbus (DSCC for short).

So, to summarize. Either the American Department of Defense was investigating me (highly unlikely, since on Ubuntu I only use open source software), or some little douchebag was spoofing their address to access the trojan in my home folder.
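The registry lookup above is the kind of thing worth scripting once you have the raw record in front of you. The following is an added example (not the post's own code, and not anything from ARIN or Sam Spade): it parses the ARIN record quoted above, lists the CIDR blocks in it, reports which block an address falls in, and cross-checks that the CIDR list exactly covers the stated NetRange. It uses only the Python 3 standard library; the second address tested in the usage note (205.56.0.1) is a constructed value just outside the allocation.

```python
import ipaddress

# The ARIN record quoted in the post (copied verbatim), as a whois lookup returns it.
ARIN_RECORD = """\
OrgName: DoD Network Information Center
OrgID: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
NetRange: 205.0.0.0 - 205.55.255.255
CIDR: 205.0.0.0/11 205.32.0.0/12 205.48.0.0/13
NetName: NICS86-88
NetHandle: NET-205-0-0-0-1
Parent: NET-205-0-0-0-0
NetType: Direct Allocation
Comment:
RegDate:
Updated: 2006-10-03
OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName: Network DoD
OrgTechPhone: 1-800-365-3642
OrgTechEmail: HOSTMASTER@nic.mil
"""


def parse_record(text):
    """Turn 'Key: value' lines into a dict (empty values kept, other lines ignored)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def allocation_networks(record):
    """The CIDR field can list several blocks separated by spaces; parse each one."""
    return [ipaddress.ip_network(block) for block in record.get("CIDR", "").split()]


def covering_block(ip, record):
    """Return the listed block that contains ip, or None if the record does not cover it."""
    addr = ipaddress.ip_address(ip)
    for net in allocation_networks(record):
        if addr in net:
            return net
    return None


def netrange_matches_cidr(record):
    """Sanity check: the CIDR list should be exactly the minimal cover of NetRange."""
    first, _, last = record["NetRange"].partition("-")
    lo, hi = ipaddress.ip_address(first.strip()), ipaddress.ip_address(last.strip())
    listed = sorted(allocation_networks(record), key=lambda n: int(n.network_address))
    return listed == list(ipaddress.summarize_address_range(lo, hi))


def describe(ip, text):
    """One-line summary of what the record says about ip, for a notebook or log."""
    record = parse_record(text)
    net = covering_block(ip, record)
    if net is None:
        return f"{ip}: not within the blocks listed for {record.get('OrgName', '?')}"
    return (f"{ip}: inside {net} ({record['NetName']}), allocated to "
            f"{record['OrgName']} [{record['OrgID']}], last updated {record['Updated']}")


if __name__ == "__main__":
    print(describe("205.51.162.163", ARIN_RECORD))   # the address from the post
    print(describe("205.56.0.1", ARIN_RECORD))       # constructed address just past the range
    print("NetRange consistent with CIDR list:",
          netrange_matches_cidr(parse_record(ARIN_RECORD)))
```

Running it shows the address from the post landing in 205.48.0.0/13, the last of the three blocks, and confirms the three blocks together are exactly 205.0.0.0 to 205.55.255.255. That is all a registry record can tell you: which allocation an address belongs to, not who was actually using it, which is exactly why the spoofing possibility in the summary above stays open.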

Safe to say, I won't go out without a firewall again, not even on Linux...

Thursday, October 05, 2006

Watch out for that PIF

Today I got lucky.
And stupid, I'm sorry to say. A friend of mine IMed me on MSN with a message that went something like this: "Hey, Is that you on that picture!!" and a link to what appeared to be a JPEG image file. Now, I should've been suspicious about this, but the person I got it from was likely to send a silly picture, so I fell for it. What it did was try to open a file named "photo211.pif". Luckily for me, I was using Ubuntu Linux, and .pif is a Windows command file for DOS applications, which Ubuntu didn't know what to do with. I thought it was a misspelling (my friend has a tendency to do that), so I tried renaming it to .gif, but that didn't work either. So, I googled it. Huh, I barely got away from the new MSN plague called Bropia. Well, "new" is a gross overstatement. It's been around for 2 years at least, starting its crusade from South Korea, working its way through Japan and then the world. This is a worm that tries to make your computer into a zombie. It infects MSN, forwards itself to all your MSN contacts, and tries to disable your futile attempts to disable it. You could kill the process, if you're fast. But the easiest thing is to do a cold reset, yanking out the power plug. Then you need to follow these instructions and hopefully you'll be fine and your precious documents might survive...
1. Restart to Safe Mode
2. In %programfiles%\msn messenger\ or \messenger\, depending on your version, delete msnmgrs.exe and msgs.exe.
3. In your %windir%\system32\ folder, delete alfa.exe and sprY.exe.
4. Delete the .pif file; it could be in "my documents\received files\" or on the desktop.
5. Do a complete antivirus scan.
6. Reboot.
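Before deleting anything it helps to know which of those files are actually present, so here is an added example (my own, not from the post or from any antivirus vendor) that sweeps for the indicators named in steps 2 to 4 and only reports what it finds. The folder roots are passed in rather than hard-coded, so the same sweep runs against a live Windows profile or against a copied tree; `live_roots()` assumes the standard ProgramFiles and windir environment variables, and `demo()` builds a constructed directory tree with a couple of the indicator names in it so the sweep can be exercised on any OS.

```python
import os
import tempfile
from pathlib import Path

# Indicator file names taken from the removal steps above. Relative paths are
# resolved under roots the caller supplies, so the sweep works on the live
# %programfiles% / %windir% of a Windows host or on a copy of the tree.
INDICATORS = {
    "programfiles": [
        "msn messenger/msnmgrs.exe", "msn messenger/msgs.exe",
        "messenger/msnmgrs.exe", "messenger/msgs.exe",
    ],
    "windir": ["system32/alfa.exe", "system32/sprY.exe"],
}


def sweep(roots, drop_dirs):
    """Return the indicator files that exist. Read-only: nothing is touched or deleted.

    roots     -- dict mapping "programfiles" / "windir" to directory paths
    drop_dirs -- folders to search for stray .pif files (received files, desktop)
    """
    found = []
    for key, rel_paths in INDICATORS.items():
        root = roots.get(key)
        if root is None:
            continue
        for rel in rel_paths:
            candidate = Path(root) / rel
            if candidate.is_file():
                found.append(candidate)
    for folder in drop_dirs:
        folder = Path(folder)
        if folder.is_dir():
            found.extend(p for p in sorted(folder.iterdir())
                         if p.is_file() and p.suffix.lower() == ".pif")
    return found


def live_roots():
    """Roots for a real Windows host, from the standard environment variables (assumption)."""
    return {"programfiles": os.environ.get("ProgramFiles"),
            "windir": os.environ.get("windir")}


def demo():
    """Run the sweep over a constructed directory tree and return the file names it flags."""
    base = Path(tempfile.mkdtemp(prefix="bropia-demo-"))
    # Constructed sample tree: two indicators present, one decoy image, one folder missing.
    for rel in ("pf/msn messenger/msnmgrs.exe", "win/system32/alfa.exe",
                "recv/photo211.pif", "recv/holiday.jpg"):
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_bytes(b"placeholder")
    hits = sweep({"programfiles": base / "pf", "windir": base / "win"},
                 [base / "recv", base / "desktop-does-not-exist"])
    return sorted(p.name for p in hits)


if __name__ == "__main__":
    print(demo())   # ['alfa.exe', 'msnmgrs.exe', 'photo211.pif']
```

On a real machine you would call `sweep(live_roots(), [received_files_dir, desktop_dir])` from Safe Mode, look at the list, and then carry out the deletions in the steps above by hand; keeping the sweep read-only means a mistaken root path can never cost you a legitimate file.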

If you're lucky you'll survive; if you're not, well, it was time for a system wipe anyway, wasn't it?

Powershell and Uptimerobot

Uptimerobot can be quite tedious when you need to update many monitors at once. For example say you bought the license for Uptimerobot and n...