
Thread: cannot find spy


  1. #1
    Jay T. Blocksom Guest

    Re: cannot find spy

    [Crossposted to <news.admin.net-abuse.email>, for obvious reasons]

    On Fri, 8 Apr 2005 13:53:28 +0200, in <alt.privacy.spyware>, peter krom
    <jonhy@rook.com> wrote:
    >
    > Hello all,
    >
    > when running Netview I discovered that my Laptop sends a syn to a
    > certain ip-address, which looked up to - kelcos5.dynu.com -
    > at IP-address 81.215.160.197 every minute or so.

    [snip]

    DISCONNECT YOUR SYSTEM NOW!

    The reason for this admonition (and its urgency) will become clear shortly.

    The IP address in question is part of a (presumably DHCP-assigned) DSL pool in
    Turkey:

    <http://www.dnsstuff.com/tools/ptr.ch?ip=81.215.160.197>
    <http://www.dnsstuff.com/tools/whois.ch?ip=81.215.161.29>

    Note also that the hostname in question is now (well, as of two minutes ago
    when I checked) resolving to a different address within that same pool:

    <http://samspade.org/t/lookat?a=kelcos5.dynu.com>
    <http://www.dnsstuff.com/tools/ptr.ch?ip=81.215.161.29>

    And by the time you read this, it may well have shifted again.

    This pattern strongly suggests -- no, scratch that; it is essentially certain
    -- that your system has been compromised with a spammer's "zombie proxy"
    trojan. It is S-O-P for them to "phone home" as soon as they take root and/or
    find a live network connection, so as to alert their masters that they are
    available for (ab)use and specifically where to find them/you. In all
    probability, the host(s) it is attempting to "phone home" to are also zombies,
    which the spammer(s) previously compromised. The dynamic DNS "service" is
    being used to direct the droppers on where to report at any given moment.

    Furthermore, the spammer in question is very probably one Kelly Joe Ellis, a
    well-known low-life criminal scoundrel and all-around frothing loon:

    <http://groups.google.co.uk/groups?q=kelco&group=news.admin.net-abuse.*&sa=G&scoring=d>
    <http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK1867>
    <http://spews.org/html/S1532.html>

    Since you yourself are (apparently) on a consumer DSL line:

    > NNTP-Posting-Host: 80.242.254.221 (80.242.254.221)


    <http://www.dnsstuff.com/tools/ptr.ch?ip=80.242.254.221>
    <http://www.dnsstuff.com/tools/whois.ch?ip=80.242.254.221>

    ...that means that you are at this moment part of the spammer's "Zombie Army".

    Hence: DISCONNECT YOUR SYSTEM NOW!

    As long as your system remains connected to the 'net, it *will* be used to
    spew spam, and worse, far and wide.

    Do *NOT* reconnect it to any other system (either via your local LAN or via
    the internet) until you are _absolutely_certain_ that the trojan(s) has/have
    been completely eradicated. If that means wiping the disk down to the LLF and
    starting over, so be it; but the main thing is that you MUST stop propagating
    the damage still further.


    --

    Jay T. Blocksom
    --------------------------------
    Appropriate Technology, Inc.
    usenet02[at]appropriate-tech.net

    "They that can give up essential liberty to obtain a little temporary
    safety deserve neither liberty nor safety."
    -- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Unsolicited advertising sent to this domain is expressly prohibited under
    47 USC S227 and State Law. Violators are subject to prosecution.

  2. #2
    peter krom Guest

    Re: cannot find spy

    In article <mnik5159ii94b9p693mh9m1k4ud366e5oa@news.speakeasy.net>,
    not.deliverable+usenet02@appropriate-tech.net says...
    > [Crossposted to <news.admin.net-abuse.email>, for obvious reasons]
    >
    > On Fri, 8 Apr 2005 13:53:28 +0200, in <alt.privacy.spyware>, peter krom
    > <jonhy@rook.com> wrote:
    > >


    After searching through my system I uninstalled Mozilla Firefox, which
    was apparently the source of the SYNs sent to kelcos... Now that Firefox
    is no longer installed, the SYNs aren't sent anymore. Furthermore, all
    registry entries concerning Mozilla Firefox are deleted. Thanks for the
    info...

    Peter


    ---
    avast! Antivirus: Outgoing message is not infected.
    Virus Database (VPS): 0515-1, 2005-04-12
    Tested on: 12-4-2005 13:26:12
    avast! copyright (c) 1988-2004 ALWIL Software.
    http://www.avast.com




  3. #3
    A.Melon Guest

    Re: cannot find spy

    In article <MPG.1cc5cebdc961300f989688@news.quicknet.nl>
    peter krom <jonhy@rook.com> wrote:
    >
    > In article <mnik5159ii94b9p693mh9m1k4ud366e5oa@news.speakeasy.net>,
    > not.deliverable+usenet02@appropriate-tech.net says...
    > > [Crossposted to <news.admin.net-abuse.email>, for obvious reasons]
    > >
    > > On Fri, 8 Apr 2005 13:53:28 +0200, in <alt.privacy.spyware>, peter krom
    > > <jonhy@rook.com> wrote:
    > > >

    >
    > After searching through my system I uninstalled Mozilla Firefox, which
    > was apparently the source of the SYNs sent to kelcos... Now that Firefox
    > is no longer installed, the SYNs aren't sent anymore. Furthermore, all
    > registry entries concerning Mozilla Firefox are deleted. Thanks for the
    > info...
    >
    > Peter


    Duh! Maybe you should just have changed your *Home* *Page* from
    Kelcos, cos there is nothing wrong with Firefox, and all
    browsers work by sending syn packets.


  4. #4
    peter krom Guest

    Re: cannot find spy

    In article <a8f1741b3562f31066716fc0aab31198@melontraffickers.com>,
    juicy@melontraffickers.com says...
    > In article <MPG.1cc5cebdc961300f989688@news.quicknet.nl>
    > peter krom <jonhy@rook.com> wrote:


    > Duh! Maybe you should just have changed your *Home* *Page* from
    > Kelcos, cos there is nothing wrong with Firefox, and all
    > browsers work by sending syn packets.


    This has nothing to do with my having a start page at kelcos, which in
    fact I do not. Yes, you are right that all browsers work by sending SYN
    packets; however, a recurring SYN packet every 2 seconds to the same IP
    address, or to an IP address which traces back to the IP pool discussed,
    is not a normal SYN packet... Perhaps you are right and there is nothing
    wrong with Firefox, but to be on the safe side I removed it. I don't want
    to have anything to do with SPAM, SPEW or anything of that kind, and if
    you think that is wrong, well then so be it....

    P


    ---
    avast! Antivirus: Outgoing message is not infected.
    Virus Database (VPS): 0515-1, 2005-04-12
    Tested on: 13-4-2005 1:14:11
    avast! copyright (c) 1988-2004 ALWIL Software.
    http://www.avast.com




  5. #5
    Spam Reporting Guest

    Re: cannot find spy

    "peter krom" <jonhy [at]_ rook.com> wrote in message
    news:MPG.1cc5cebdc961300f989688@news.quicknet.nl...
    > After searching through my system I uninstalled Mozilla Firefox, which
    > was apparently the source of the SYNs sent to kelcos... Now that
    > Firefox is no longer installed, the SYNs aren't sent anymore.
    > Furthermore, all registry entries concerning Mozilla Firefox are
    > deleted. Thanks for the info...



    What plugins and extensions did you have installed for Firefox? It might
    have been one of them... if it's a commonly used one, people need to
    know about this. Or did you find that it was something else within
    Firefox?




    SuN Tsu, giving instructions on morphing:
    http://groups-beta.google.com/group/...a612b6799dc064
    "...model morphs on characters that you are familiar with,
    RL/Tele/cart00n, mimicking the vocabulary and sentence construction of
    the character used as the model."

    Kooks morph, it's a fact of life...

    --
    When will the stalker kook SuN Tsu / BananaNanae / Joe / Joe Banana / JB
    / AOL Spam Trap / LobbyFerret1 / Damien65 [at] aol.com / ATIU 33 /
    Banana Rama / Sightings / nanasreport [at] aol.com apologize for his
    false accusations and spam-friendly behavior?
    http://groups-beta.google.com/group/...2b7339da47e17a
    http://groups-beta.google.com/group/...e92facdc555f81
    http://groups-beta.google.com/group/...d3010beed38ae8
    http://groups-beta.google.com/group/...440a2e400ee0fe
    NANAE newbies: For your own protection you should kill-file Sun Tsu.
    (You'll have to kill-file him four times, he's posting with four email
    accounts).


  6. #6
    peter krom Guest

    Re: cannot find spy

    In article <DcU6e.1362$t85.3@newssvr21.news.prodigy.com>, "Spam
    Reporting" <FROM:@hillscapital.com> says...
    > "peter krom" <jonhy [at]_ rook.com> wrote in message
    > news:MPG.1cc5cebdc961300f989688@news.quicknet.nl...
    > What plugins and extensions did you have installed for Firefox? It might
    > have been one of them... if it's a commonly used one, people need to
    > know about this. Or did you find that it was something else within
    > Firefox?


    I used 2 plug-ins in Firefox: the first one is Autocopy and the second
    one was Wizz RSS reader, both downloaded from the Mozilla site, by the
    way. The file itself which was resident was called firefox.exe and was
    4.96 kB in size. The original Firefox 1.0 was updated twice, with 1.01
    and 1.02.... I am sure that the attempts to connect to kelcos5.dynu.com
    are gone because I have Netview running all the time and the log file
    doesn't show anything regarding the IP pool discussed.

    Peter


    ---
    avast! Antivirus: Outgoing message is not infected.
    Virus Database (VPS): 0515-1, 2005-04-12
    Tested on: 13-4-2005 1:04:51
    avast! copyright (c) 1988-2004 ALWIL Software.
    http://www.avast.com




  7. #7
    Paul Vader Guest

    Re: cannot find spy

    peter krom <jonhy@rook.com> writes:
    >I used 2 plug-ins in Firefox, the first one is Autocopy and the second
    >one was Wizz RSS reader, both downloaded from the mozilla site btw. The


    The homepage for the Wizz reader really creeps me out. Every piece of
    supposed weirdness is apparently caused by bugs in Firefox. I'd drop it and
    find something else. *
    --
    * PV something like badgers--something like lizards--and something
    like corkscrews.

  8. #8
    peter krom Guest

    Re: cannot find spy

    In article <115qebe4u0480ec@news.supernews.com>, pv+usenet@pobox.com
    says...
    > peter krom <jonhy@rook.com> writes:
    > >I used 2 plug-ins in Firefox, the first one is Autocopy and the second
    > >one was Wizz RSS reader, both downloaded from the mozilla site btw. The

    > The homepage for the Wizz reader really creeps me out. Every piece of
    > supposed weirdness is apparently caused by bugs in Firefox. I'd drop it and
    > find something else. *


    I've read your 3 posts; I'll try to answer them in 1 message:

    It is becoming clear now that one of the extensions was phoning home.
    Most likely it was the Wizz RSS extension. I have done a port scan of the
    IP address that this - let's say - piece of malicious software was
    attempting to connect to and no ports were open... there was simply
    nothing there. You can be sure... you don't have to eat your hat; I have
    reinstalled Mozilla without any extensions and nothing happened in any
    of the previously discussed instances... I am glad to say that Mozilla
    itself is safe, but let it be known that this RSS reader is a no-go. To
    be able to read the RSS feeds I have made a small web page on my server
    with JavaScript so I can read my RSS feeds again... Leaves me with the
    thought that everything is quiet on the western front and I am no longer
    a tool for malicious entities who make their money by bombarding people
    with unsolicited mail and other things that we so deeply hate.

    Thank you all for thinking with me (or against...). Now we have another
    application to put on the blacklist: the Wizz RSS reader.

    Peter


    ---
    avast! Antivirus: Outgoing message is not infected.
    Virus Database (VPS): 0515-1, 2005-04-12
    Tested on: 14-4-2005 1:31:01
    avast! copyright (c) 1988-2004 ALWIL Software.
    http://www.avast.com




  9. #9
    Dave Platt Guest

    Re: cannot find spy

    In article <MPG.1cc7c9fd3b5222a898968c@news.quicknet.nl>,
    peter krom <jonhy@rook.com> wrote:

    >I've read your 3 posts; I'll try to answer them in 1 message:
    >
    >It is becoming clear now that one of the extensions was phoning home.
    >Most likely it was the Wizz RSS extension. I have done a port scan of the
    >IP address that this - let's say - piece of malicious software was
    >attempting to connect to and no ports were open... there was simply
    >nothing there.


    Unfortunately, it's truly not possible to say for certain that this
    was the case unless you've done a physical inspection of whatever
    hardware may be routed at that address. It's quite possible to write
    a malware server which would sit there, "see" the phone-home packets,
    and yet look for all the world as if:

    - There's no host there, and the net's router is responding with a
    "no such host" ICMP response, or

    - There's no host there, and the phone-home packets or ICMP responses
    simply vanish, or

    - There's a host there, but its ports are closed and are responding
    with "connection refused".

    You simply can't tell, from the outside, whether any particular "there
    ain't nobody here" reaction is legitimate or misleading.

    How one might write such a piece of spoofing server malware is left as
    an exercise for the reader... no sense making it easier for the bad
    guys.

    --
    Dave Platt <dplatt@radagast.org> AE6EO
    Hosting the Jade Warrior home page: http://www.radagast.org/jade-warrior
    I do _not_ wish to receive unsolicited commercial email, and I will
    boycott any company which has the gall to send me such ads!

  10. #10
    Paul Vader Guest

    Re: cannot find spy

    peter krom <jonhy@rook.com> writes:
    >Thank you all for thinking with me (or against...). Now we have another
    >application to put on the blacklist: the Wizz RSS reader.


    Understand, I wasn't directly accusing the wizz reader of doing anything
    nasty - just noting that it had weird vibes about it.

    If you feel brave, please try installing the reader again and see if the odd
    connection attempts come back. If they do, you have your smoking gun, and I
    think the Mozilla team would be VERY interested. A number of Mozilla fans,
    myself included, have been expecting a piece of spyware to be released in
    the form of a Mozilla extension. *
    --
    * PV something like badgers--something like lizards--and something
    like corkscrews.
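The following is an added example, not code posted by anyone in this thread. It turns the thread's reasoning into a check a practitioner can run over an outbound-connection log: Jay's observation in #1 that the tell-tale sign is a SYN to the same name at a near-constant interval, with the name drifting between addresses of one DSL pool and the remote never answering usefully (which, as Dave Platt notes in #9, must not be taken as evidence of innocence), and Paul Vader's suggestion in #10 to reinstall the suspect extension and see whether the connection attempts return. Assumptions: the log format is constructed for the example (Netview's real format is not shown on the page), the two 81.215.x addresses are the ones Jay quoted, the www.mozilla.org addresses are TEST-NET placeholders, and a bare-IP destination is grouped by its /24 as a stand-in for "same pool".

```python
"""Beacon detection over a constructed Netview-style outbound connection log.

Added example for the thread; not Netview's output and not the thread's code.
Each log line: "<unix-time> <destination as typed> <resolved-ip> <result>"
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed: the machine with the suspect extension installed.  kelcos5.dynu.com
# is hit about once a minute, drifts between two addresses of the same pool, and
# never completes a handshake (RST or silence).  192.0.2.x are placeholder addresses.
INFECTED_LOG = """\
1112965200 www.mozilla.org 192.0.2.10 SYN-ACK
1112965202 www.mozilla.org 192.0.2.10 SYN-ACK
1112965205 kelcos5.dynu.com 81.215.160.197 RST
1112965266 kelcos5.dynu.com 81.215.160.197 timeout
1112965325 www.mozilla.org 192.0.2.10 SYN-ACK
1112965325 kelcos5.dynu.com 81.215.161.29 RST
1112965326 www.mozilla.org 192.0.2.10 SYN-ACK
1112965326 www.mozilla.org 192.0.2.10 SYN-ACK
1112965387 kelcos5.dynu.com 81.215.161.29 timeout
1112965445 kelcos5.dynu.com 81.215.161.29 RST
1112965504 kelcos5.dynu.com 81.215.161.29 timeout
1112965565 kelcos5.dynu.com 81.215.160.197 RST
1112965595 www.mozilla.org 192.0.2.10 SYN-ACK
"""

# Constructed: the same browser reinstalled with no extensions (clean baseline).
BASELINE_LOG = """\
1112951000 www.mozilla.org 192.0.2.10 SYN-ACK
1112951001 www.mozilla.org 192.0.2.10 SYN-ACK
1112951003 www.mozilla.org 192.0.2.10 SYN-ACK
1112951330 addons.mozilla.org 192.0.2.11 SYN-ACK
1112951331 addons.mozilla.org 192.0.2.11 SYN-ACK
"""


def parse_log(text):
    """Yield (timestamp, destination, ip, result); blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, dest, ip, result = parts
        yield int(ts), dest, ip, result


def group_key(dest, ip):
    """Group by the name the client asked for.  A bare-IP destination is grouped by
    its /24 (an assumption for this example) so a beacon that rotates through
    addresses inside one pool still lands in a single bucket."""
    try:
        ip_address(dest)
    except ValueError:
        return dest  # a hostname: the dynamic-DNS label is the stable key
    return str(ip_network(f"{ip}/24", strict=False))


def detect_beacons(text, min_hits=5, max_cv=0.25):
    """Return {key: stats} for destinations contacted at a near-constant interval.
    The remote's reply (SYN-ACK, RST, or silence) is tallied but never used to
    clear a destination: the evidence is the client's own clock-like regularity."""
    times, ips, replies = defaultdict(list), defaultdict(set), defaultdict(Counter)
    for ts, dest, ip, result in parse_log(text):
        key = group_key(dest, ip)
        times[key].append(ts)
        ips[key].add(ip)
        replies[key][result] += 1
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg  # coefficient of variation: low means periodic
        if cv <= max_cv:
            beacons[key] = {"hits": len(stamps), "mean_interval": avg, "cv": cv,
                            "ips": ips[key], "replies": dict(replies[key])}
    return beacons


def compare_captures(baseline_text, candidate_text, **kw):
    """The reinstall test: beacons present with the suspect extension installed
    that were absent from the clean baseline capture."""
    return set(detect_beacons(candidate_text, **kw)) - set(detect_beacons(baseline_text, **kw))


if __name__ == "__main__":
    for key, s in detect_beacons(INFECTED_LOG).items():
        print(f"{key}: {s['hits']} SYNs every ~{s['mean_interval']:.0f}s "
              f"(cv={s['cv']:.3f}) to {sorted(s['ips'])}, replies {s['replies']}")
    print("new after reinstall:", compare_captures(BASELINE_LOG, INFECTED_LOG))
```

On the constructed input the www.mozilla.org traffic is bursty (page loads) and is not flagged, while kelcos5.dynu.com is flagged with seven hits at roughly 60-second spacing across both pool addresses, every one of them answered by RST or nothing at all. Run against a real capture, the thresholds (`min_hits`, `max_cv`) are the knobs to tune; a beacon with deliberate jitter needs a looser `max_cv` and a longer capture.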
