[SOLVED] Worm
Posted: Thu Sep 21, 2006 9:30 am
by alpahde5
i'm not sure if it is coming directly from this site but i have had a worm try to attack my pc whilst on this site.
my virus protection has blocked it.
i don't mean to alarm people by saying this so please don't get me wrong, i'm only saying that whilst i have been on this site i have had two worm attacks against my pc which thus far have been unsuccessful.
Posted: Thu Sep 21, 2006 11:35 am
by seraph0x
I'll check it out right away, thanks for the info.
After the hacking attack the site went down and the server attacked people with a worm instead, so maybe the hacker got back in, but kept it stealth this time.
Can you be more specific? I need to know what kind of worm it is.
Posted: Thu Sep 21, 2006 11:38 am
by alpahde5
i will look through my anti-virus software for the type of worm, i will get back to you as soon as i know
Posted: Thu Sep 21, 2006 11:42 am
by seraph0x
Thanks!
There are no unknown processes running and the distribution of cpu time and memory is normal, so I suspect if there is anything, it is hiding somewhere within Apache.
I'll run a few more tests, keep me posted.
Posted: Thu Sep 21, 2006 11:43 am
by alpahde5
here we go this is all i can get from the log:
HTTP MSIE Creattextrange code exec
intruder 66.230.172.190(http(80))
risk level: high
i will dig around for more info, hope it helps.
P.S. i was only on one other site at the time, it was snitchy.com, that's why i said i only think it's this site because it's the only variable that is constant.
Posted: Thu Sep 21, 2006 11:55 am
by seraph0x
Ok no rootkits, no unexpected open ports.
Apache Status tells me that the Apache processes behave as they should.
Full disk virus scan is running now, but I doubt it will find anything.
Posted: Thu Sep 21, 2006 11:57 am
by alpahde5
ok well i have no idea what it was, probably something normal that my pc thought was a worm. annoys me when anti-virus software does that. sorry for any concern caused.
i don't know if this helps but it said something about port 1938, i closed it before i read it all
Posted: Thu Sep 21, 2006 12:05 pm
by seraph0x
intruder 66.230.172.190(http(80))
Milovana.com is 217.160.215.56.
The IP you posted is a server running at the provider ISPrime (found by doing a WHOIS). So I suggest you inform the admins at [email protected] about this.
Posted: Thu Sep 21, 2006 12:07 pm
by seraph0x
The site that comes up when you visit this IP is some TGP site.
Edit: Replace hxxp by http, but be aware that the site might still run the worm.
hxxp://66.230.172.190/
I'll mark the thread as solved and move it to Tech Support in a minute if that's ok with you.
Posted: Thu Sep 21, 2006 12:08 pm
by alpahde5
who is prime? i've never even heard of them. i will inform them.
i've never been on that site before lol, sorry never realised there was a tech support thread.