[SOLVED] Worm

alpahde5
Explorer At Heart
Posts: 319
Joined: Mon Sep 18, 2006 1:07 pm
Location: London

Post by alpahde5 »

I'm not sure if it is coming directly from this site, but I have had a worm try to attack my PC whilst on this site.

My virus protection has blocked it.

I don't mean to alarm people by saying this, so please don't get me wrong; I'm only saying that whilst I have been on this site I have had two worm attacks against my PC, which thus far have been unsuccessful.
seraph0x
Administrator
Posts: 2654
Joined: Sun Jul 23, 2006 8:58 am

Post by seraph0x »

I'll check it out right away, thanks for the info.

After the hacking attack the site went down and the server attacked people with a worm instead, so maybe the hacker got back in, but kept it stealth this time.

Can you be more specific? I need to know what kind of worm it is.

Post by alpahde5 »

I will look through my anti-virus software for the type of worm. I will get back to you as soon as I know.

Post by seraph0x »

Thanks!

There are no unknown processes running and the distribution of CPU time and memory is normal, so I suspect that if there is anything, it is hiding somewhere within Apache.

I'll run a few more tests, keep me posted.

Post by alpahde5 »

Here we go, this is all I can get from the log:

HTTP MSIE Creattextrange code exec

intruder 66.230.172.190(http(80))

risk level: high

I will dig around for more info; hope it helps.

P.S. I was only on one other site at the time, it was snitchy.com; that's why I said I only think it's this site, because it's the only variable that is constant.

Post by seraph0x »

OK, no rootkits, no unexpected open ports.

Apache Status tells me that the Apache processes behave as they should.

Full disk virus scan is running now, but I doubt it will find anything.

Post by alpahde5 »

OK, well, I have no idea what it was, probably something normal that my PC thought was a worm. It annoys me when anti-virus software does that. Sorry for any concern caused.

I don't know if this helps, but it said something about port 1938. I closed it before I read it all.

Post by seraph0x »

intruder 66.230.172.190(http(80))
Milovana.com is 217.160.215.56.

The IP you posted is a server running at the provider ISPrime (found by doing a WHOIS). So I suggest you inform the admins at [email protected] about this.

Post by seraph0x »

The site that comes up when you visit this IP is some TGP site.

Edit: Replace hxxp by http, but be aware that the site might still run the worm.

hxxp://66.230.172.190/

I'll mark the thread as solved and move it to Tech Support in a minute if that's OK with you.
Last edited by seraph0x on Thu Sep 21, 2006 12:10 pm, edited 1 time in total.

Post by alpahde5 »

Who's ISPrime? I've never even heard of them. I will inform them.
I've never been on that site before lol. Sorry, never realised there was a tech support thread.