Karnaaj -> (2/18/2003 4:47:38 AM)
|
Yes, folks, *nuke* Gator where possible. It's an open door into your system... when I had it installed as part of another software package (the full DiVX video codec) it was used (not by the Gator forlks, I assume) to drop in a "backdoor" program - which subsequently littered my drives with (first time) a VisualBasic virus and (second time) the Chernobyl virus. No third time. *ba-THOOOOOOOOM* No more Gator. No more backdoors. No more virii. Note also that this was on a piddly 56k dialup box. The backdoor in question allowed remote access in full, and one of the "features" was to use the infected machine for Distributed Denial of Service (DDoS) attacks - why yes, *your* machine was helping to bring down (attacked site). No wonder your connection was lagging then... ZoneAlarm was killed by said backdoor (another "feature"), else it would have seen the traffic. If you use ZA (or another software firewall) and it starts, then exits quickly, *run* do not walk to one of the antivirus databanks and look for info. H'wever, keep an eye on your blinky lights and spinning digits, and get a feel for "correct" - I first suspected oddness when, connected but with no applications running, my "connection" icon in the System Tray was dumping data full-speed. (And yes, I lagged like hell as well.) ZA was "broken" for unknown reasons, and so I glommed a couple different programs off TuCows for examining the running processes and the traffic. Then, once I found something I couldn't ID, I did a websearch... ZA is decent software, in my opinion, but it *will* catch stuff that isn't really intrusions - the "pings" when using WinMX (peer-to-peer) for one. It also doesn't *explain* what the attempts are: I had to dig around the Web and ask someone to find out that the 500+ attempts to connect (in 20 minutes ) were HalfLife (first-person shooter) clients looking for a server. (I guess whoever had been using my IP before I dialed in that time was running a game server.) I've not looked up the "UDP/TCP port 2405" that has hit eight times since I connected today, but I might... can't *hurt*. A lot of this stuff is automatic, tho. Either someone is deliberately running the software, looking for vulnerabilities... or the software is sniffing around on its own hook, possibly from an infected machine. Even if you rip out the backdoor or whatever, if it has communicated "infected here" to another machine, that IP is in the database. It doesn't mean you're extra-vulnerable (unless you've not killed your infection), but the brainless software will still try to connect to the dearly departed. "Yo! Wake up d00d, it's time to hax0r Amazon!" Think of it as spam strictly for computers... your system will ignore it unless re-infected. (And it's kinda neat to watch the connection attempts on ZA - hopefully, the rat bastard trying to do evil is being *very* frustrated.) Ah well. Enough turning your hair white for the nonce...
|
|
|
|