Wide Trojan attacks

midnightservice
Posts: 1483
Joined: Wed May 21, 2003 10:16 pm
Location: Missouri

Wide Trojan attacks

Post by midnightservice »

Okay guys, to show why your pings go up and down and then stay high all the time you guys complain about lag, well, here is the reason. I have a list for a 24 hour period. I freshly installed my gaming system. It has never been on the net until 12/31/04 10:30 am. As you can see (this is ascending order, so look at the bottom of the list for the date and time) I was on for 30 mins and I was already bombed by trojans, and it still had never even surfed a web page or checked email. I run Norton Internet Security with firewall. I suggest you go to http://www.pandasoftware.com and run their free virus/trojan scanner and repair anything it finds. Then get you a real good firewall.

1. Firewalled network router is the best
2. Zone Alarm
3. Norton Internet Security

Category: Intrusion Detection
Date,Message,Details
1/2/2005 9:05:03 AM,,
1/2/2005 9:05:03 AM,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
1/2/2005 9:05:03 AM,Intrusion Detection (1.8.6) is monitoring 230 signatures.,Intrusion Detection (1.8.6) is monitoring 230 signatures.
1/1/2005 7:41:31 PM,Intrusion: W32_SQLEXP_Worm_Propagation.,"Intrusion: W32_SQLEXP_Worm_Propagation. Intruder: 213.254.180.58(1823). Risk Level: High. Protocol: UDP. Attacked IP: SWG(192.168.0.169). Attacked Port: ms_sql-m(1434)."
1/1/2005 7:41:31 PM,213.254.180.58 will be blocked further access to your machine for 30 minutes.,213.254.180.58 will be blocked further access to your machine for 30 minutes.
1/1/2005 7:06:46 PM,Intrusion: W32_SQLEXP_Worm_Propagation.,"Intrusion: W32_SQLEXP_Worm_Propagation. Intruder: 218.58.78.3(3356). Risk Level: High. Protocol: UDP. Attacked IP: SWG(192.168.0.169). Attacked Port: ms_sql-m(1434)."
1/1/2005 7:06:46 PM,218.58.78.3 will be blocked further access to your machine for 30 minutes.,218.58.78.3 will be blocked further access to your machine for 30 minutes.
1/1/2005 6:59:19 PM,Intrusion: W32_SQLEXP_Worm_Propagation.,"Intrusion: W32_SQLEXP_Worm_Propagation. Intruder: 211.237.220.145(1066). Risk Level: High. Protocol: UDP. Attacked IP: SWG(192.168.0.169). Attacked Port: ms_sql-m(1434)."
1/1/2005 6:59:19 PM,211.237.220.145 will be blocked further access to your machine for 30 minutes.,211.237.220.145 will be blocked further access to your machine for 30 minutes.
1/1/2005 6:11:00 PM,Intrusion: W32_SQLEXP_Worm_Propagation.,"Intrusion: W32_SQLEXP_Worm_Propagation. Intruder: 61.100.142.137(4722). Risk Level: High. Protocol: UDP. Attacked IP: SWG(192.168.0.169). Attacked Port: ms_sql-m(1434)."
1/1/2005 6:11:00 PM,61.100.142.137 will be blocked further access to your machine for 30 minutes.,61.100.142.137 will be blocked further access to your machine for 30 minutes.
1/1/2005 2:01:49 PM,Intrusion: W32_SQLEXP_Worm_Propagation.,"Intrusion: W32_SQLEXP_Worm_Propagation. Intruder: 61.185.123.83(3006). Risk Level: High. Protocol: UDP. Attacked IP: SWG(192.168.0.169). Attacked Port: ms_sql-m(1434)."
1/1/2005 2:01:49 PM,61.185.123.83 will be blocked further access to your machine for 30 minutes.,61.185.123.83 will be blocked further access to your machine for 30 minutes.
1/1/2005 12:22:00 PM,Intrusion: W32_SQLEXP_Worm_Propagation.,"Intrusion: W32_SQLEXP_Worm_Propagation. Intruder: 61.185.14.200(3022). Risk Level: High. Protocol: UDP. Attacked IP: SWG(192.168.0.169). Attacked Port: ms_sql-m(1434)."
1/1/2005 12:22:00 PM,61.185.14.200 will be blocked further access to your machine for 30 minutes.,61.185.14.200 will be blocked further access to your machine for 30 minutes.
1/1/2005 9:08:13 AM,,
1/1/2005 9:08:13 AM,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
1/1/2005 9:08:13 AM,Intrusion Detection (1.8.6) is monitoring 230 signatures.,Intrusion Detection (1.8.6) is monitoring 230 signatures.
1/1/2005 8:58:37 AM,,
1/1/2005 8:58:37 AM,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
1/1/2005 8:58:37 AM,Intrusion Detection (1.8.6) is monitoring 230 signatures.,Intrusion Detection (1.8.6) is monitoring 230 signatures.
12/31/2004 11:16:17 AM,,
12/31/2004 11:16:17 AM,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
12/31/2004 11:16:17 AM,Intrusion Detection (1.8.6) is monitoring 230 signatures.,Intrusion Detection (1.8.6) is monitoring 230 signatures.
12/31/2004 11:14:56 AM,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
12/31/2004 11:14:56 AM,,
12/31/2004 11:14:56 AM,Intrusion Detection has been disabled.,Intrusion Detection has been disabled.
12/31/2004 11:14:56 AM,Intrusion Detection (1.8.6) is monitoring 230 signatures.,Intrusion Detection (1.8.6) is monitoring 230 signatures.
12/31/2004 11:03:49 AM,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
12/31/2004 11:03:49 AM,Intrusion Detection (1.6.3) is monitoring 196 signatures.,Intrusion Detection (1.6.3) is monitoring 196 signatures.
12/31/2004 10:59:21 AM,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
12/31/2004 10:59:21 AM,Intrusion Detection (1.0.29) is monitoring 63 signatures.,Intrusion Detection (1.0.29) is monitoring 63 signatures.

-Mid
Dr.Death
Posts: 1186
Joined: Sat May 10, 2003 6:48 pm
Location: Torrington, CT

Post by Dr.Death »

I have a question. I use Norton Firewall 2003 and I used to get a pop up when something on my system tried to access the net and it asked for permission. Well, it no longer does this and because of this I have so much shit that is allowed to access the net and I don't know if it should be allowed. Is there any way for me to turn this option back on so that it asks for permission to access? I don't ever remember turning it off, I could even have turned it off. It just stopped 1 day.
ShiftyPowers
Posts: 161
Joined: Wed May 12, 2004 9:34 pm
Location: Charleston,Wv

Post by ShiftyPowers »

Where is the free scan at on the panda site?
Dr.Death
Posts: 1186
Joined: Sat May 10, 2003 6:48 pm
Location: Torrington, CT

Post by Dr.Death »

Left hand side of page, half way down.
Undead_Mercenary
Posts: 2914
Joined: Wed Aug 21, 2002 10:01 am
Location: Barrie, Ontario

Post by Undead_Mercenary »

I use Mozilla/Firefox, and it says my browser doesn't support it. I'm guessing it's because it is blocking the installation of ActiveX programs. Is there an option somewhere where I can disable this?
XoR
Posts: 1887
Joined: Wed Jul 10, 2002 4:35 am
Location: Minnesota

Post by XoR »

It is extremely rare for a (patched) system to just "get" a virus/trojan. Code has to be actively launched (sometimes involuntarily) or someone has a 0-day exploit attacking you. The log report I see is simply "noise" where the remote worm attempts to load Kernel32.dll and WS2_32.dll followed by 376 bytes to port 1434/udp (the SQL Server Resolution Service Port). The log is not telling you that you are compromised, just that a host probed you. I also assume you are not running SQL 2000.

Also, I noticed you are using ICS or NAT and so you may want to verify the integrity of that machine providing address translation as an added security measure.

DrDeath, you may want to reset the security database, and start over handing out permissions. If you gave the wrong thing access, yes you could be in for a headache. I'm not sure how you do this in Norton (never used it much); maybe Midnight knows how to reset your permission list.

Good luck!
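A small triage script for a log in the format posted at the top of the thread (an added example, not part of XoR's post or anyone else's in this thread). It separates inbound probes from internet hosts from the same signature sourced inside the LAN; the sample rows, the LAN host 192.168.0.42 and the name `triage` are assumptions made for illustration.

```python
import csv
import io
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the Date,Message,Details layout of the log posted above.
# Source addresses are RFC 5737 documentation IPs, plus one LAN host (assumed).
SAMPLE_LOG = '''Date,Message,Details
1/1/2005 7:41:31 PM,Intrusion: W32_SQLEXP_Worm_Propagation.,"Intrusion: W32_SQLEXP_Worm_Propagation. Intruder: 203.0.113.58(1823). Risk Level: High. Protocol: UDP. Attacked IP: SWG(192.168.0.169). Attacked Port: ms_sql-m(1434)."
1/1/2005 7:41:31 PM,203.0.113.58 will be blocked further access to your machine for 30 minutes.,203.0.113.58 will be blocked further access to your machine for 30 minutes.
1/1/2005 7:06:46 PM,Intrusion: W32_SQLEXP_Worm_Propagation.,"Intrusion: W32_SQLEXP_Worm_Propagation. Intruder: 198.51.100.3(3356). Risk Level: High. Protocol: UDP. Attacked IP: SWG(192.168.0.169). Attacked Port: ms_sql-m(1434)."
1/1/2005 7:06:46 PM,198.51.100.3 will be blocked further access to your machine for 30 minutes.,198.51.100.3 will be blocked further access to your machine for 30 minutes.
1/1/2005 6:59:19 PM,Intrusion: W32_SQLEXP_Worm_Propagation.,"Intrusion: W32_SQLEXP_Worm_Propagation. Intruder: 192.168.0.42(1066). Risk Level: High. Protocol: UDP. Attacked IP: SWG(192.168.0.169). Attacked Port: ms_sql-m(1434)."
1/1/2005 9:08:13 AM,,
1/1/2005 9:08:13 AM,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
'''

DETAIL_RE = re.compile(
    r"Intrusion: (?P<sig>\S+?)\. Intruder: (?P<src>[\d.]+)\((?P<sport>\d+)\)\. "
    r"Risk Level: (?P<risk>\w+)\. Protocol: (?P<proto>\w+)\. "
    r"Attacked IP: .+?\. Attacked Port: (?P<svc>[\w-]+)\((?P<dport>\d+)\)\.")
BLOCK_RE = re.compile(r"^([\d.]+) will be blocked")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def triage(log_text):
    """Summarise intrusion rows: what was probed, by whom, and from where."""
    events, blocked = [], set()
    for row in csv.DictReader(io.StringIO(log_text)):
        hit = DETAIL_RE.search(row["Details"] or "")
        if hit:
            events.append(hit.groupdict())
        elif (b := BLOCK_RE.match(row["Message"] or "")):
            blocked.add(b.group(1))
    sources = {e["src"] for e in events}
    internal = {s for s in sources if any(ip_address(s) in n for n in RFC1918)}
    return {
        "targets": Counter((e["sig"], e["proto"], int(e["dport"])) for e in events),
        "external_probes": sorted(sources - internal),
        # A worm signature sourced from inside the LAN points at an infected
        # local host, which is a different finding from internet background noise.
        "internal_sources": sorted(internal),
        "not_auto_blocked": sorted(sources - blocked),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

An empty `internal_sources` list with every event aimed at 1434/udp matches the "a host probed you" reading; any entry there is the case worth investigating on the LAN.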
DenKirson
Posts: 2010
Joined: Sun Mar 16, 2003 5:41 pm
Location: ???

Post by DenKirson »

Norton Internet Security can block IP ranges in the configure window of Intrusion Detection. I've been getting the same attack more than two months ago, so I just blocked the IPs it kept coming from, and I haven't gotten that intrusion report in weeks. Right there on the configure window is a button for IP exceptions/permissions.
Dr.Death
Posts: 1186
Joined: Sat May 10, 2003 6:48 pm
Location: Torrington, CT

Post by Dr.Death »

I still want to know how to get Norton to ask me for permission for a program to access the net!
DenKirson
Posts: 2010
Joined: Sun Mar 16, 2003 5:41 pm
Location: ???

Post by DenKirson »

Come on people, just look around. Configure Personal Firewall, there's a listbox to add a bunch of EXEs. Probably the same setup for Firewall 2003.
Dr.Death
Posts: 1186
Joined: Sat May 10, 2003 6:48 pm
Location: Torrington, CT

Post by Dr.Death »

Well sorry Den, I must be an idiot. I tried looking in the config box and still no dice. How do I get this to work?
DenKirson
Posts: 2010
Joined: Sun Mar 16, 2003 5:41 pm
Location: ???

Post by DenKirson »

Here's something that usually works: press F1 while the anti-whatever is open.
XoR
Posts: 1887
Joined: Wed Jul 10, 2002 4:35 am
Location: Minnesota

Post by XoR »

It's probably a setting or checkbox that simply states something like "Ask me each time a program attempts to access the internet" or some such ... sorry dude, I'm not that up on Norton's IDS.

You could always uninstall the thing, and then it will default back to its original state upon reinstall.

Zone Alarm also has a free version that works very well.

Good luck!