Help on TELNET being used to send mail, possibly SPAM & also rundll purposes etc.
livelife06360 said:
Hi guys,
need some help here.
OK, here goes then:
livelife06360 said:
It seems like some changes were made to my Mcafee and when I looked at the recent event, the following looked suspicious.
- Systemguard has allowed one time change to your computer. Rule type = registry, process=c:\windows\system32\rundll32.exe, process description=run dll as an app. DOES THIS MEAN THAT SOMEBODY PHYSICALLY CHANGED SOMETHING ON MY COMPUTER SO THAT THEY CAN REMOTELY ACCESS IT.
Well, on this first one, typically, rundll32.exe is used to call functions from "dynamic link libraries" (they end in .DLL), & this can be the std. ones in the Operating System + Programs you use, OR, malicious ones as well.
A good way to think of DLL's is, they are programs that cannot launch themselves, but, instead, allow other programs to load & use portions of them (functions) into their OWN memory section, for code reuse of proven working functions (no need to reinvent the wheel, hence the term "API" (applications programming interface, which all the Win32 API is, for instance, is a set of functions from DLL's really))
(This really depends on the commandline used, w/ rundll32.exe program... & the functions actually called too, as well as the library name... get me that? I can tell you a LOT more!)
So, this can be "benign", or malicious... I'd have to see more, like something from the inside of say, msconfig.exe... & a commandline there, that uses the rundll32.exe tool!
For instance? Nvidia vidcards have commandlines for their stuff, that you can see using msconfig.exe (so, they're NOT ALL BAD, if rundll32.exe is concerned, for instance).
E.G.-> RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
----
livelife06360 said:
- Worm Stopper detected email activity, Process=C:\windows\system32\telnet.exe, Process description=Microsoft Telnet client, allowed=yes. DOES THIS MEAN THAT SOMEBODY TELNETTED INTO MY COMPUTER.
livelife06360 said:
Do I need to worry about the above-mentioned items? What do I need to do if it is not safe to use my computer?
Thanks
Usman
Ok, on THIS one? You CAN, technically & not just 'theoretically', send mail via telnet (mail servers have a pretty simple command set, like HELO & other commands), this being an example:
(MAN! This? This is some "old school ****e", if you catch my drift, but here goes an example):
---------------------------------------------------------------
Example - How do I send faked/spoofed mail, via TELNET?
Telnet to port 25 of the machine you want the mail to appear to originate from. Enter your message as in this example:
HELO pcreview.co.uk
MAIL FROM: (e-mail address removed)
RCPT TO: (e-mail address removed)
DATA
YOU HAVE BEEN OWNED & ARE NOW MY SLAVE, SENDING MAILS FOR ME FOR SPAM
.
QUIT
---------------------------------------------------------------
(HOWEVER - On systems that have RFC 931 implemented, spoofing your "MAIL FROM:" line will not work. Test by sending yourself fakemail first. For more information read RFC 822 "Standard for the format of ARPA Internet text messages.")
----
& There ya are... I would worry about the TELNET one more, because odds are, I can see a hacker/cracker/malware in general maker (especially SPAM MAILERS) using a system that way. Heh, IF this is the case?
He ( "the attacker", assuming there IS actually one here) is an "OLD SCHOOLER" for sure...
APK
P.S.=> Correct me IF I am wrong, but... isn't TELNET gone from VISTA? I don't use VISTA myself, but for SOME reason, this is "ringing a bell here", etc. et al... EDITING - ok, "non-sequitur" on my part (user asking for help here is on XP, so this probably applies on the TELNET stuff)... apk
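As an added illustration (my own code, not from the thread, from McAfee or from anyone in it), here is a small Python triage helper that applies the reasoning in the reply above to event lines like the two quoted: it splits a rundll32 command line such as the NvCpl one into the DLL and the exported function it calls, and it classifies Systemguard/Worm Stopper style events so that a telnet client generating "email activity" is flagged for follow-up while a rundll32 entry is marked as needing its command line checked. The event-line format (`key=value` fields separated by commas), the field names and the triage rules are my assumptions based only on the lines quoted in the thread; the sample events are constructed copies of those lines.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample events, copied from the lines quoted in the thread (assumed format).
SAMPLE_EVENTS = [
    r"Systemguard has allowed one time change to your computer. Rule type = registry, "
    r"process=c:\windows\system32\rundll32.exe, process description=run dll as an app.",
    r"Worm Stopper detected email activity, Process=C:\windows\system32\telnet.exe, "
    r"Process description=Microsoft Telnet client, allowed=yes.",
]


class Rundll32Call(NamedTuple):
    dll: str                    # library passed to rundll32
    entry_point: Optional[str]  # exported function named after the comma, if any


class EventTriage(NamedTuple):
    process: str
    description: str
    verdict: str   # "suspicious", "review" or "informational"
    reason: str


# rundll32 syntax: rundll32[.exe] <dll>,<entrypoint> [arguments]
_RUNDLL32 = re.compile(r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+(.+?)\s*$', re.IGNORECASE)


def parse_rundll32_cmdline(cmdline: str) -> Optional[Rundll32Call]:
    """Return the DLL and entry point of a rundll32 command line, or None if it is not one."""
    m = _RUNDLL32.match(cmdline)
    if not m:
        return None
    dll, sep, rest = m.group(1).partition(",")
    # Anything after the first whitespace following the entry point is an argument; ignore it.
    entry = rest.split()[0] if sep and rest.strip() else None
    return Rundll32Call(dll.strip().strip('"'), entry)


def _field(line: str, key: str) -> Optional[str]:
    """Extract 'key=value' from a comma-separated event line (trailing period tolerated)."""
    m = re.search(rf"\b{re.escape(key)}\s*=\s*([^,]+?)\.?\s*(?:,|$)", line, re.IGNORECASE)
    return m.group(1).strip() if m else None


def triage_event(line: str) -> EventTriage:
    """Classify one event line using the rules of thumb given in the reply (assumed rules)."""
    process = _field(line, "process") or ""
    description = _field(line, "process description") or ""
    exe = process.rsplit("\\", 1)[-1].lower()

    if exe == "telnet.exe" and "email" in line.lower():
        # An interactive telnet client talking to a mail server is unusual on a workstation.
        return EventTriage(process, description, "suspicious",
                           "telnet.exe generating mail traffic; inspect who launched it and where it connected")
    if exe == "rundll32.exe":
        # rundll32 is neutral by itself; the DLL and entry point decide (e.g. NvCpl.dll,NvStartup is a driver applet).
        return EventTriage(process, description, "review",
                           "check the full rundll32 command line (e.g. in msconfig startup entries) for the DLL and entry point")
    return EventTriage(process, description, "informational", "no rule matched")


def triage_events(lines: List[str]) -> List[EventTriage]:
    return [triage_event(line) for line in lines]


if __name__ == "__main__":
    call = parse_rundll32_cmdline(r"RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup")
    print(f"rundll32 loads {call.dll} and calls {call.entry_point}")
    for result in triage_events(SAMPLE_EVENTS):
        print(f"[{result.verdict:>13}] {result.process}: {result.reason}")
```

Feeding the two quoted events through `triage_events` marks the rundll32 entry as "review" (the thread's point that it is benign or not depending on the command line) and the telnet entry as "suspicious", which is the same priority the reply gives them; the rundll32 parser lets you pull the DLL and entry point out of a startup entry so the library itself can be looked up.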