Tuesday, October 10, 2006

Where did those come from...?

Earlier today I found some files that weren't supposed to be in my home folder:
drsmarload1135a.exe
LOADADV455.EXE
It would seem that these are Win32 malware. Well, LOADADV455 is a trojan and drsmartload1135 is an exploit. How they got into my Ubuntu home folder I don't know, but they are classified as Win32 viruses with a "bad" rating on http://www.prevx.com. Not much else to go on. F-Secure had nothing on these, but they are classified as newly discovered on Prevx. Anyway, since they are for Win32, I figured it wasn't a problem. Kind of fun actually, watching them crawl and squirm, then smashing them with rm. So I deleted them, thinking briefly of turning them over to F-Secure, but it seemed to be too much work.

After that my mouse started behaving strangely (it still does, actually), so I started looking over my system for processes that I didn't recognize. While raiding the net logs, which I am completely inept at, since I am still a n00bie in Linux, well, there was something strange going on. So I scanned the computer for more viruses with ClamAV. Nothing. Finally I decided, in a brief moment of panic, to install Firestarter (a firewall for Linux). Here I found an active session with a foreign address (205.51.162.163). After a few futile attempts to block him out from the command line I gave in. I blocked all internet traffic and restarted the computer, in order to be completely sure he wasn't still there.

First I made sure he wouldn't get in again and filtered the firewall the hardcore way, meaning basically everything but port 80. Then I started digging. I went to http://www.samspade.org and tried the IP on all the registries I could find. Imagine my surprise when www.arin.net gave me this:

OrgName: DoD Network Information Center
OrgID: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
NetRange: 205.0.0.0 - 205.55.255.255
CIDR: 205.0.0.0/11 205.32.0.0/12 205.48.0.0/13
NetName: NICS86-88
NetHandle: NET-205-0-0-0-1
Parent: NET-205-0-0-0-0
NetType: Direct Allocation
Comment:
RegDate:
Updated: 2006-10-03
OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName: Network DoD
OrgTechPhone: 1-800-365-3642
OrgTechEmail: HOSTMASTER@nic.mil

Well, you can imagine I got a bit nervous, half expecting the CIA to burst through my door. (Not very likely though, since they were on another continent.)
After checking on Google it turned out that they were a Defense Supply Center in Columbus (DSCC for short).

So, to summarize. Either the American Department of Defense was investigating me (highly unlikely, since on Ubuntu I only use open-source software) or some little douchebag was spoofing their address to access the trojan in my home folder.

Safe to say, I won't go out without a firewall again, not even on Linux...
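As an added example (not from the original post), the following JavaScript does the check the whois record invites: which of the three CIDR blocks in the ARIN record actually contains the address Firestarter showed, and whether those three blocks, laid end to end, make up exactly the listed NetRange. The constants are copied from the record above; the script is assumed to run under Node.js. Note what the lookup does and does not tell you: the allocation says who holds the block, not which host put packets on the wire.

```javascript
// Added example, not from the original post: check which of the three
// CIDR blocks in the ARIN record contains the address Firestarter showed,
// and that the three blocks together make up exactly the listed NetRange.
// Assumed to run under Node.js; the inputs are copied from the record above.

const ARIN_CIDRS = ['205.0.0.0/11', '205.32.0.0/12', '205.48.0.0/13'];
const ARIN_NETRANGE = ['205.0.0.0', '205.55.255.255'];
const SEEN_IP = '205.51.162.163';

// Dotted-quad to an integer 0..2^32-1. A plain Number is used (not "| 0")
// so addresses above 127.255.255.255 do not turn negative.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error('bad IPv4 address: ' + ip);
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error('bad IPv4 address: ' + ip);
    n = n * 256 + Number(p);
  }
  return n;
}

// "a.b.c.d/bits" -> first and last address of the block. The network
// address is normalised, so "205.51.0.0/13" still yields 205.48.0.0.
function parseCidr(cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  if (!/^\d{1,2}$/.test(bitsStr) || bits > 32) throw new Error('bad prefix length: ' + cidr);
  const size = 2 ** (32 - bits);                    // addresses in the block
  const base = Math.floor(ipv4ToInt(net) / size) * size;
  return { base, last: base + size - 1 };
}

function inCidr(ip, cidr) {
  const { base, last } = parseCidr(cidr);
  const a = ipv4ToInt(ip);
  return a >= base && a <= last;
}

// The block from the list that contains ip, or null if none does.
function matchingBlock(ip, cidrs) {
  return cidrs.find((c) => inCidr(ip, c)) || null;
}

// True when the blocks, sorted and laid end to end with no gaps or overlaps,
// cover exactly startIp..endIp (the way ARIN's CIDR line should match NetRange).
function blocksCoverRange(startIp, endIp, cidrs) {
  const blocks = cidrs.map((c) => parseCidr(c)).sort((x, y) => x.base - y.base);
  let next = ipv4ToInt(startIp);
  for (const b of blocks) {
    if (b.base !== next) return false;
    next = b.last + 1;
  }
  return next - 1 === ipv4ToInt(endIp);
}

// Summary for one address against one whois record.
function report(ip, cidrs, netrange) {
  return {
    ip,
    block: matchingBlock(ip, cidrs),
    rangeConsistent: blocksCoverRange(netrange[0], netrange[1], cidrs),
  };
}
```

Calling `report(SEEN_IP, ARIN_CIDRS, ARIN_NETRANGE)` places the address in 205.48.0.0/13 and confirms the three blocks add up to the NetRange, so the record is internally consistent; whether the packets really came from that block is a separate question the record cannot answer.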

Thursday, October 05, 2006

Watch out for that PIF

Today I got lucky, and stupid, I'm sorry to say. A friend of mine IMed me on MSN with a message that went something like this: "Hey, is that you in that picture!!" and a link to what appeared to be a JPEG image file. Now, I should have been suspicious about this, but the person I got it from was likely to send a silly picture, so I fell for it. What it did was try to open a file named "photo211.pif". Luckily for me, I was using Ubuntu Linux, and .pif is a Windows command file for DOS applications, which Ubuntu didn't know what to do with. I thought it was a misspelling, my friend has a tendency to do that, so I tried renaming it to .gif, but that didn't work either. So, I googled it. Huh, I barely got away from the new MSN plague called Bropia. Well, new is a gross overstatement. It's been around for 2 years at least, starting its crusade from South Korea, working its way through Japan and then the world. This is a worm that tries to make your computer into a zombie. It infects MSN, forwards itself to all your MSN contacts, and tries to disable your futile attempts to disable it. You could kill the process, if you're fast. But the easiest thing is to do a cold reset, yanking out the power plug. Then you need to follow these instructions and hopefully you'll be fine and your precious documents might survive...
1. Restart into Safe Mode.
2. In %programfiles%\msn messenger\ or \messenger\, depending on your version, delete msnmgrs.exe and msgs.exe.
3. In your %windir%\system32\ folder, delete alfa.exe and sprY.exe.
4. Delete the .pif file; it could be in My Documents\Received Files\ or on the Desktop.
5. Run a complete antivirus scan.
6. Reboot.

If you're lucky you'll survive; if you're not, well, it was time for a system wipe anyway, wasn't it?

Thursday, September 21, 2006

Ajax, at last. But will it?

I have finally made my own prototype of an Ajax site. So be it that it is my very own personal site, made only to merchandise myself, but still. It took some time to get all the components in line, but I finally made it work, using some reverse engineering of course. It is the best way to learn, and anyone who says otherwise hasn't coded in a hurry before. The Ajax components of the site are as follows: an XML menu, which of course is acquired asynchronously. A bit unnecessary perhaps. It might have been better to do this in a more ASP-friendly way, but this way WAS more fun. Content for the main event area is pulled from text documents containing the relevant code for that specific page. When I finally stripped the code I realised how little was needed for the actual pulling. As soon as the XMLHttpRequest() object had been defined there really wasn't anything left to do but define this handy little function:

// xmlHttp is the XMLHttpRequest object created earlier on the page;
// handleRequestStateChange is the handler that reads the response.
function processPage(url) {
    if (xmlHttp) {
        try {
            // asynchronous GET for the content file of the requested page
            xmlHttp.open("GET", url, true);
            xmlHttp.onreadystatechange = handleRequestStateChange;
            xmlHttp.send(null);
        }
        catch (e) {
            alert("Can't connect to server:\n " + e.toString());
        }
    }
}

Well well, we will see how this unfolds. There are probably better ways to do this, but you have to fall before you can learn to walk. At least the floor won't come as such a surprise if you'd rather do it later than earlier...
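As an added example (my code, not the site's own), here is the same processPage() idea with the two things a content-pulling loader should check before it is put on a public site: the page name is looked up in a fixed allowlist rather than being turned into a URL as given, so a caller cannot request ../../etc/passwd or an off-site document, and the ready-state handler only acts on a completed request with HTTP 200 and hands the body over to be inserted as text, never as HTML. The content paths under content/ and the page names are assumptions; a fake XMLHttpRequest is included so the loader can be run offline under Node.js.

```javascript
// Added example (not the original site's code): the post's processPage()
// with the checks it leaves out, plus a fake XMLHttpRequest so the loader
// can be exercised offline under Node.js.
// Assumptions: content files live under content/<name>.txt and the page
// names below are the only ones the menu offers.

// Allowlist of page names -> content files. A user-controlled string is
// never turned into a URL directly, so "../../etc/passwd" or a full
// off-site URL cannot be requested through the loader.
const PAGES = {
  home: 'content/home.txt',
  about: 'content/about.txt',
  contact: 'content/contact.txt',
};

function pageUrl(name) {
  // hasOwnProperty: "constructor" or "__proto__" must not match
  if (!Object.prototype.hasOwnProperty.call(PAGES, name)) {
    throw new Error('unknown page: ' + name);
  }
  return PAGES[name];
}

// Builds processPage() on top of whatever XMLHttpRequest constructor is
// passed in (the browser's, or the fake one below).
function makeLoader(XHR) {
  return function processPage(name, onDone, onError) {
    let url;
    try {
      url = pageUrl(name);
    } catch (e) {
      onError(e.message);
      return;
    }
    const xhr = new XHR();
    // The handler the post's snippet refers to: act only when the request
    // has completed (readyState 4) and only on HTTP 200.
    xhr.onreadystatechange = function handleRequestStateChange() {
      if (xhr.readyState !== 4) return;
      if (xhr.status !== 200) {
        onError('HTTP ' + xhr.status + ' for ' + url);
        return;
      }
      onDone(xhr.responseText);
    };
    try {
      xhr.open('GET', url, true);
      xhr.send(null);
    } catch (e) {
      onError("Can't connect to server: " + e.toString());
    }
  };
}

// Insert fetched content as text (textContent), never with innerHTML, so a
// tampered content file cannot run script in the visitor's browser.
function render(element, body) {
  element.textContent = body;
  return element.textContent;
}

// Constructed stand-in for XMLHttpRequest: serves a fixed table of files and
// fires the handler from send(). Real XHR fires it asynchronously; the
// handler is written the same way in both cases.
const FAKE_FILES = {
  'content/home.txt': 'Welcome to the home page',
  'content/about.txt': '<script>alert(1)</script> about me',
  // no content/contact.txt: the loader must report a 404, not render nothing
};
function FakeXHR() {
  this.readyState = 0;
  this.status = 0;
  this.responseText = '';
  this.onreadystatechange = null;
}
FakeXHR.prototype.open = function (method, url) {
  this.url = url;
  this.readyState = 1;
};
FakeXHR.prototype.send = function () {
  this.readyState = 4;
  if (Object.prototype.hasOwnProperty.call(FAKE_FILES, this.url)) {
    this.status = 200;
    this.responseText = FAKE_FILES[this.url];
  } else {
    this.status = 404;
  }
  if (this.onreadystatechange) this.onreadystatechange();
};

// Loads one page through the fake transport and returns what happened.
function demo(name) {
  const result = { body: null, error: null };
  makeLoader(FakeXHR)(name, (b) => { result.body = b; }, (e) => { result.error = e; });
  return result;
}
```

In the browser you would call `makeLoader(XMLHttpRequest)` once and pass the returned function the page name from the menu; `demo('about')` shows why textContent matters, since the fetched body contains a script tag that must end up as visible text rather than executed markup, and `demo('../../etc/passwd')` shows the allowlist rejecting a name before any request is made.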

Monday, September 11, 2006

Election day

I am a pirate. There, I said it. A bit late perhaps, but nonetheless, it's been said. Election day here in Sweden is drawing closer and I have now become, again a bit late, an active participant. On election day I will be delivering election slips. I do this not because I feel file sharing of illegal content should be allowed, but to give the government a slap on the cheek. To try to make them understand that it is time to reform our patent laws. Not only ours, for that matter, but all of Europe's; in fact the whole world should rejoice at this happy occasion when we will try to make information freely available to all people. This information wealth is only good for our world. No longer should we be restricted by national boundaries, no longer should all of the industrial nations take all the good parts of the world's knowledge. Information, files, should be distributed, as it is at the cost of practically nothing. The big companies will of course wrinkle their noses and say, hey, that's ours, pay up, but this is for the good of the world. It is time for a new business model. I applaud Universal's decision to make their archives available for the cost of looking at a few ads. Not like we weren't looking at ads already, so hey, what's the difference. I have great hope for the future. Now we just need to close down the Echelon project and all the other big American aspirations to control the flow of information. But, all in good time.

On another note, I watched a Google TechTalk the other night. This was concerning Apple's Bonjour service, or Zero Configuration as it's known in the world of Windows. That is some interesting stuff! The guy, whose name has already slipped my mind, suggested that we could do away with all the alternative external communication ports, for the benefit of using network connections for all our information. Bye bye to USB, FireWire, Bluetooth, the old COM and parallel ports. All might as well be done through the RJ45 adapter. Its speed, for one example, is greater. USB 2.0 with 365ish Mb/s, silly old COM, which I still don't know what they're still doing here. FireWire... come on. If that isn't redundant then I don't know what is. The future is in Bonjour, and of course in wireless. If we can ever get it to work properly. I will probably regret this statement in a year or so. But what the heck, it's good to know we evolve from something...

Friday, May 05, 2006

Ms Security Update MS06-015

Apparently not so much an update as a problem. One week after this update, users started to complain that the Internet Explorer address bar was behaving strangely. When they typed www. the address didn't work. This is a minor annoyance, but for our users it was enough trouble to toss them off the radar. We solved this problem when there were only two users complaining, which was quite lucky; soon A LOT of people were complaining about all sorts of stuff! Downloads not working, My Documents behaving strangely, etc. But our little patch, which we based on the registry key found at askleo.com, solved it all. It doesn't sound like much, but it was my first fix that actually made a direct impact on as many as 100 users in one blow.

Here's the key for anyone interested:
Copy it to a text document, change the extension to .bat and run the file as admin.

@echo off
REM Adds HP's shell extension CLSID to the Cached Shell Extensions key, the MS06-015 workaround;
REM /f overwrites an existing value so the script does not stop to ask when run unattended.
echo Installation of HP Fix
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached" /v "{A4DF5659-0801-4A60-9607-1C48695EFDA9} {000214E6-0000-0000-C000-000000000046} 0x401" /t REG_DWORD /d 00000001 /f
echo - Completed
