[Dshield] New info on "Which Malware caused my home PC to send SPAM?"

Remo.Cornali@rcs.it Remo.Cornali at rcs.it
Thu Nov 27 12:48:55 GMT 2003


Hello, List,
I forgot to say that on the portable I have ZoneAlarm + VisualZone.
Today ZoneAlarm requested permission for FreeZone to send Mail.
Permission negated.
In the full FreeProxy Log I found:
---------------------------------------------------------------------------
Thu 27 Nov 2003 08:58:11 : #1004: Trace:  Dumping 60 bytes
Thread  2572: From client to server
00000: 43 4F 4E 4E 45 43 54 20 32 30 30 2E 36 31 2E 31    CONNECT 200.61.1
00016: 30 2E 32 35 30 3A 32 35 20 48 54 54 50 2F 31 2E    0.250:25 HTTP/1.
00032: 30 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 79    0..User-Agent: y
00048: 61 70 68 2D 30 2E 39 31 0D 0A 0D 0A                aph-0.91....
Thu 27 Nov 2003 08:58:11 : #1013: Access Report:  Instance:'Internet' Protocol:'HTTP Proxy' Access:'Default   ' Client IP:'200.63.130.137' User:'FPDOMAIN/DefaultUser' Resource Type:'HTTP Proxy Service' Resource:'Service'
Thu 27 Nov 2003 08:58:11 : #1013: Access Report:  Instance:'Internet' Protocol:'HTTP Proxy' Access:'Default   ' Client IP:'200.63.130.137' User:'FPDOMAIN/DefaultUser' Resource Type:'URI or Path' Resource:'200.61.10.250:25'
Thu 27 Nov 2003 08:58:11 : #1013: Access Report:  Instance:'Internet' Protocol:'HTTP Proxy' Access:'Default   ' Client IP:'200.63.130.137' User:'FPDOMAIN/DefaultUser' Resource Type:'Tunnel via HTTP' Resource:'25'
Thu 27 Nov 2003 11:21:15 : #10035: WSAEWOULDBLOCK: Resource temporarily unavailable.  Function: closesocket()
---------------------------------------------------------------------------
The same type of entries as I had previously, plus:
"User-Agent: yaph"
Googling for Yaph, I found, quote:
Yaph provides ability to reveal public proxy servers.
It can search&validate socks v4 , socks v5 and http (connect method) proxy
servers.
HTTP proxy servers are checked for CONNECT method only.
Validated proxy server is public proxy that can be used for tcp tunneling.
While using tcp tunneling your IP address stays private.
Unquote.
So, if this is really yaph (and the name is not spoofed), it appears it found the http proxy port 8080, opened on the portable by FreeProxy.
But this puzzles me: the LAN to my home PC is on the 192.168 net, in the ZoneAlarm Trusted Zone, and so the 8080 port is accessible from the LAN. But 8080 should not be accessible from the Internet Zone.
Running a ShieldsUP test on 8080 I get:
----------------------------------------------------------------------
GRC Port Authority Report created on UTC: 2003-11-27 at 11:22:26
Results from probe of port: 8080

    0 Ports Open
    0 Ports Closed
    1 Ports Stealth
---------------------
    1 Ports Tested
THE PORT tested was found to be: STEALTH.
TruStealth: PASSED - ALL tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - NO Ping reply (ICMP Echo) was received.
----------------------------------------------------------------------

So how did yaph (or whatever) apparently bypass ZoneAlarm?
If that is what happened, the home PC would not be involved.
That's good news.
Now the bad news.
Also in the full FreeProxy Log there is:
Thu 27 Nov 2003 01:04:13 : #1004: Trace:  Dumping 42 bytes
Thread  2712: From client to server
00000: 43 4F 4E 4E 45 43 54 20 69 72 63 2E 65 64 69 73    CONNECT irc.edis
00016: 6F 6E 74 65 6C 2E 69 74 3A 36 36 36 37 20 48 54    ontel.it:6667 HT
00032: 54 50 2F 31 2E 30 0D 0A 0D 0A                      TP/1.0....
Thu 27 Nov 2003 01:04:14 : #1004: Trace:  Thread  2712: Dumping 14 bytes
Thu 27 Nov 2003 01:04:13  Thread 2712. From Client irc.edisontel.it:6667 to Server 80.180.140.121:8080 Skt=328
00000: 4E 49 43 4B 20 72 68 6C 76 78 6A 6D 61 0A          NICK rhlvxjma.
Thu 27 Nov 2003 01:04:15 : #1004: Trace:  Thread  2712: Dumping 45 bytes
Thu 27 Nov 2003 01:04:13  Thread 2712. From Client irc.edisontel.it:6667 to Server 80.180.140.121:8080 Skt=328
00000: 55 53 45 52 20 63 76 76 76 73 77 67 68 20 30 20    USER cvvvswgh 0
00016: 30 20 3A 69 73 76 76 66 5D 66 5F 0A 4D 4F 44 45    0 :isvvf]f_.MODE
00032: 20 72 68 6C 76 78 6A 6D 61 20 2B 69 0A              rhlvxjma +i.
Thu 27 Nov 2003 01:04:15 : #1004: Trace:  Dumping 42 bytes
Thread  2572: From client to server
00000: 43 4F 4E 4E 45 43 54 20 69 72 63 2E 65 64 69 73    CONNECT irc.edis
00016: 6F 6E 74 65 6C 2E 69 74 3A 36 36 36 37 20 48 54    ontel.it:6667 HT
00032: 54 50 2F 31 2E 30 0D 0A 0D 0A                      TP/1.0....
Thu 27 Nov 2003 01:04:16 : #1004: Trace:  Thread  2572: Dumping 14 bytes
Thu 27 Nov 2003 01:04:15  Thread 2572. From Client irc.edisontel.it:6667 to Server 80.180.140.121:8080 Skt=416
00000: 4E 49 43 4B 20 78 69 72 73 75 70 79 5D 0A          NICK xirsupy].
Thu 27 Nov 2003 01:04:17 : #1004: Trace:  Thread  2572: Dumping 45 bytes
Thu 27 Nov 2003 01:04:15  Thread 2572. From Client irc.edisontel.it:6667 to Server 80.180.140.121:8080 Skt=416
00000: 55 53 45 52 20 70 67 6E 61 70 7A 62 72 20 30 20    USER pgnapzbr 0
00016: 30 20 3A 71 6F 69 5F 5B 70 64 5B 0A 4D 4F 44 45    0 :qoi_[pd[.MODE
00032: 20 78 69 72 73 75 70 79 5D 20 2B 69 0A              xirsupy] +i.

Do I have an IRC Server on the portable?

Thanks beforehand,

Remo Cornali
Milano, Italy
