Trojan horses on CMMODS...?


Yesterday I went to CMMODS & Norton Antivirus alerted me to a threat. This is the threat alert that I received: "Default Block Netbus Trojan horse blocked". I was just there a few minutes ago & got the same warning. Has CMMODS been compromised? I'm asking because I'd like to know if anyone else has encountered this. I've got Norton Antivirus 2005 with all available updates & I'm using the Internet Worm Protection supplied with it as my firewall (apparently the built-in Windows XP Firewall & Norton's firewall don't "play together nicely" so I turned off the Windows firewall).

[ March 21, 2005, 01:42 PM: Message edited by: Rob Murray ]

Link to comment
Share on other sites

XP firewall bugs out the distributed firewall and pings it again and again making the connection slower (at least that happened to me and my 2mb cable connection). If the Norton firewall works fine definitely turn off the Windows firewall. Solved many of my problems and I have not had or got a single virus so far. But as I am no expert about the Norton program you might wanna check things out before paying too much attention to what I am saying :D ;)

-LT

EDIT to add: Downloaded from cmmods. Didn't find anything corrupted from those files at least.

[ March 21, 2005, 03:54 PM: Message edited by: Larry Thorne ]

Link to comment
Share on other sites

This is what the alert report said, exactly:

Details: Rule "Default Netbus Trojan horse" blocked

(172.161.56.88,NetBus(12345)

Inbound TCP connection.

Local address, service is(172.161.56.88,NetBus(12345))

Remote address, service is (172.161.56.88,3110).

Process name is "N/A".

Norton alerted on both visits to CMMODS about 30 seconds to 1 minute after I'd logged in.

I'm not complaining about CMMODS. It's just that this has never happened before in all of my visits there.

Link to comment
Share on other sites

172.161.56.88 is not CMMODS. From here that host appears to have a host name of ACA13858.ipt.aol.com

CMMODS is 64.233.222.42

A completely novice interpretation of this is that this other host is trying to attack you, maybe using your connection to CMMODs as the attack point.

It's really great that you've alerted us to this: it could have been (still could be?) something that we are all vulnerable to. However in this case it seems to be something picking on just you :D

GaJ.

Link to comment
Share on other sites
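
The comparison made in the post above, as an added example that is not part of the original thread: it parses the alert text quoted earlier and checks the remote address against the CMMODS address and the reported host name. Treating the first label of the host name as a hex-encoded IPv4 address is an assumption of this example.

```python
import ipaddress
import re

# Alert text as quoted in the thread (blank lines removed).
ALERT = '''Details: Rule "Default Netbus Trojan horse" blocked
(172.161.56.88,NetBus(12345)
Inbound TCP connection.
Local address, service is(172.161.56.88,NetBus(12345))
Remote address, service is (172.161.56.88,3110).
Process name is "N/A".'''

SITE_IP = "64.233.222.42"          # CMMODS address given in the thread
PTR_NAME = "ACA13858.ipt.aol.com"  # host name reported in the thread

# Matches "(ip,port)" and "(ip,Service(port))" endpoint forms.
ENDPOINT = re.compile(
    r"^(Local|Remote) address, service is\s*\(([\d.]+),\s*(?:\w+\()?(\d+)\)?\)",
    re.MULTILINE)

def parse_alert(text):
    """Return local/remote (ip, port) pairs and the connection direction."""
    out = {}
    for side, ip, port in ENDPOINT.findall(text):
        out[side.lower()] = (ipaddress.ip_address(ip), int(port))
    m = re.search(r"^(Inbound|Outbound) (TCP|UDP)", text, re.MULTILINE)
    out["direction"] = m.group(1).lower() if m else None
    return out

def hex_label_to_ip(hostname):
    """Decode a leading 8-hex-digit label (assumed to encode an IPv4 address)."""
    label = hostname.split(".", 1)[0]
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", label):
        return None
    return ipaddress.ip_address(int(label, 16))

def triage(text, site_ip, ptr_name):
    """Summarise who the alert's endpoints are relative to the visited site."""
    a = parse_alert(text)
    remote_ip, local_ip = a["remote"][0], a["local"][0]
    return {
        "direction": a["direction"],
        "local_port": a["local"][1],
        "remote_is_site": remote_ip == ipaddress.ip_address(site_ip),
        "remote_equals_local": remote_ip == local_ip,
        "ptr_matches_remote": hex_label_to_ip(ptr_name) == remote_ip,
    }

if __name__ == "__main__":
    for key, value in triage(ALERT, SITE_IP, PTR_NAME).items():
        print(f"{key}: {value}")
```
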

I just switched to Internet Explorer as my browser (from AOL) & went to CMMODS now, logged in & wasn't alerted. I "upgraded" to AOL 9.0a from 9.0 last week. I ended up having to remove a bunch of "handy-dandy" useless crap that AOL had installed (i.e. toolbar, music service downloader, etc.). You're not given the option of not installing what you don't want - everything on the disk is installed by default.

Let's just say that I'm not too pleased with AOL :mad: !

Link to comment
Share on other sites

Originally posted by GreenAsJade:

A completely novice interpretation of this is that this other host is trying to attack you, maybe using your connection to CMMODs as the attack point.

Yes, and probably no. If it didn't come from CMMODS IP, it didn't come from CMMODS, and although something is trying to get into your computer and cause trouble (possibly), your firewall is doing its job and you don't need to worry about that particular form of attack. It is probably just coincidence that he went to CMMODS at the moment the message appeared.

Link to comment
Share on other sites

Unless this is some sort of proxy feature or download accelerator that AOL is inserting into the pipeline. Since it seems you are an AOL subscriber and the origin of the connection attempt appears to be an AOL site, I would expect that it could be some sort of caching or proxy system.

Link to comment
Share on other sites

Well as long as Norton is keeping whomever/whatever(?) out that's all that I care about. It has to be something to do with AOL because it's tried to attack several times now right after I've signed on. Now it's something called a UDP packet that they're trying to install. Fortunately Norton won't let them.

I know this isn't CM related but I thought I'd let people know what's going on (in case anyone else is using AOL as well). Ever since I "upgraded" to AOL 9.0a last week it's been nothing but trouble! :mad: I tried to contact their online "help" desk regarding this & got nowhere real fast. I don't think switching to Mozilla Firefox as a browser would do any good in my case as I have to use AOL to connect. Nice eh, being at war with an invisible enemy. I wish I could send something really nasty back! :D

[ March 24, 2005, 11:54 AM: Message edited by: Rob Murray ]

Link to comment
Share on other sites

Originally posted by Rob Murray:

Yesterday I went to CMMODS & Norton Antivirus alerted me to a threat. This is the threat alert that I received: "Default Block Netbus Trojan horse blocked". I was just there a few minutes ago & got the same warning. Has CMMODS been compromised? I'm asking because I'd like to know if anyone else has encountered this. I've got Norton Antivirus 2005 with all available updates & I'm using the Internet Worm Protection supplied with it as my firewall (apparently the built-in Windows XP Firewall & Norton's firewall don't "play together nicely" so I turned off the Windows firewall).

It's not cmmods.com. If I were a betting man, which I am, I'd say you already have the virus and Norton stopped it from connecting to a pirate website. My second guess would be some weird combo of spyware and virii... but I can promise it's not cmmods. My website is a Lotus Domino server running Red Hat Linux. There are no virii on Red Hat or Domino. Thanks.

COG

Link to comment
Share on other sites

I've scanned repeatedly with Norton (using the highest Bloodhound settings) & come up empty handed, i.e. no threats detected. I also use Stinger, Spybot S&D & Ad-Aware as well. I don't know what's going on. I wasn't trying to blame CMMODS. I just brought it up as it had never happened before.

Link to comment
Share on other sites

I have steered clear of AOL since the nasties of their own system a decade ago. I tend to think of AOL as the "happy ground" for noobies and if I was of the mind to hack I would go after them. I find it hard to believe the way they [AOL] market that it does not have a high percentage of the innocent.

Link to comment
Share on other sites

The only reason that I've stayed with AOL this long (2 1/2 years) is the price ($18.50/month - unlimited). I'm well aware of how sh**ty their service is. I'd switch to cable but I'm saving my pennies for some more RAM (I have 512 now & I want to get another 256 stick).

Link to comment
Share on other sites
