Security Basics: Re: New Trojan?
Have you checked for anything odd in the hosts file on your computer?
There could be something in there that's causing the redirection. By
the way, the real www.netidentity.com site resolves to 216.10.106.149,
and going to the IP you gave shows an almost exact copy of the
www.netidentity.com site except it's missing "NetIdentity® is the
Registered Servicemark of Mailbank.com, Inc." at the bottom. So typing
www.netidentity.com into your browser gives you the fake site, correct?

I am, however, at a loss to explain why Firefox would redirect to the
page as well; by default Firefox doesn't go to any special search page
if you mistype a URL. Let's see what other people think...

I'll let you know if I think of anything else.

On Mon, 28 Jun 2004 15:14:38 -0400, Jeff <jeff_at_not_a_real_address.com> wrote:
>
> PLEASE READ ... I feel violated and need much help, if not for
> the PC, for my nerves.
>
> The PC is a WinXP box, fully patched, routinely checked with
> Spybot 1.3 and AdAware 6. I run SpywareBlaster as well. I also
> use Thunderbird 0.6 and Firefox 0.8. All other family members
> run Thunderbird on this box. IE6 has not been removed but is
> fully patched.
>
> Norton Antivirus Corporate Edition 9.0, AV file 6/25/2004 r19
> is running. (I purposely purchased the licenses at work for
> our home users also so that they WOULD stay up to date -- a
> practice I learned from Sprint a long, long time ago.)
>
> I use a Netgear FVS318 to interface to my Verizon DSL account.
>
> The events as they happened.
>
> 1. My son read his email via the web. It included e-cards.
> He read them. Doesn't remember where they took him, nor
> does he remember if he used IE6 or Firefox.
>
> 2. Long screaming session about things TO do and things NOT
> to do while on the internet. 278th time. Disabled his account.
>
> 3. Mis-typing a URL will now take me automatically to
> www.netidentity.com with the mistaken URL clearly
> identified inside. Identical results on IE6 and Firefox.
> Java and Javascript are disabled on Firefox. I leave IE6
> alone because I use it when I absolutely must go to some
> bogus activex site, oh, and windowsupdate. But I don't use
> it otherwise. I always use Firefox.
>
> URLs that caused this include: mapblast, mapquest, abc, def
> ... through xyz.
>
> Please note: I had typed "mapblast" but had hit Enter rather
> than Ctrl-Enter, by mistake. The URLs entered are literally
> those listed, just the word.
>
> They are then transformed to http://mapblast/
>
> 4. SAV CE, Spybot, AdAware, SpywareBlaster were all checked for
> updates and the entire system was scanned. Nothing found.
>
> ** My immediate thought was that Network Solutions was up to their
> ** old tricks with its Site Finder business. A quick check of
> ** another PC in the house eliminated that.
>
> 5. I checked my syslogs and NULL routed the IP address being used
> to access www.netidentity.com. The same page comes up sans the
> graphics and the flash. The web page is still there though, just
> looking sad. Another check of the syslogs brings up 64.15.175.5
> as generating the pages, an open proxy.
>
> 6. Also ran HiJackThis and went through ALL of the items on it.
> Nada. Couldn't find the IP addresses or domain names in the
> registry. I also ran them in reverse notation. Nada.
>
> 7. Checked my network settings to make certain that some new DNS
> server wasn't stuck in. Nope, still set to use the Netgear box.
> Put 4 different DNS servers in -- still get that stupid site.
>
> 8. That was all at lunchtime. Haven't had a chance to run netstat
> or Ethereal to gain any additional clues.
>
> ZOIKS!!!
>
> The PC is off. But NOT knowing what is going on is driving me insane.
>
> So while I <ahem> work this afternoon, I thought I would see if any
> of this sounds, smells or <insert fav sense here> like anything that
> anyone has seen before!
>
> Jeff
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the skills
> of an Ethical Hacker to better assess the security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------
>
--
Brian Lund
PGP Key ID: A18C0BA8 (1024/2048 | DSA/ELG)
PGP Fingerprint: F358 F84F 0219 5F2D 66BC C416 7BA8 7925 A18C 0BA8
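
The hosts-file check suggested in the reply above, as an added example that is not part of the original thread and not code from either poster. The script parses a hosts file and flags any entry that points a name at a routable address rather than a loopback or null address, optionally comparing against a caller-supplied list of known-good mappings. The sample hosts file embedded in it is constructed for illustration; the two addresses it contains are the ones quoted in the thread, reused here only as example values, and the "known-good" mapping passed to it is an assumption for the demo. Because a hosts file has no wildcard syntax, `lookup_hosts` returning None for an unlisted word such as "abc" also shows that a hosts-file entry on its own cannot account for every mistyped name in a list like Jeff's; only names literally present in the file are affected.

```python
"""Scan a hosts file for entries that could redirect a web site.

Added example (not from the original thread). The sample hosts file below
is constructed for illustration; the addresses in it are the ones quoted
in the thread, used here only as example values.
"""
import ipaddress

# Constructed sample: a stock Windows hosts file plus two injected lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# the next two lines are the kind of thing a hijack would add (constructed)
216.10.106.149  www.netidentity.com
64.15.175.5     mapblast mapquest
0.0.0.0         ads.example.invalid   # a blocking entry, benign
"""


def parse_hosts(text):
    """Return [(ip, [names], lineno)] for each valid, non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue                               # blank, comment, or no names
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                               # malformed address field
        entries.append((ip, [n.lower() for n in parts[1:]], lineno))
    return entries


def lookup_hosts(text, name):
    """Resolve a name the way the resolver uses a hosts file: first match wins.

    Returns the address as a string, or None if the file has no entry.
    There is no wildcard syntax, so an unlisted name is never matched.
    """
    name = name.lower()
    for ip, names, _ in parse_hosts(text):
        if name in names:
            return str(ip)
    return None


def classify_entries(text, expected=None):
    """Flag hosts entries that point a name at a routable address.

    Loopback / unspecified addresses (127.0.0.1, 0.0.0.0, ::1) only block a
    name and are skipped. Every other entry is returned as
    (lineno, name, ip, kind) where kind is:
      "expected" - matches the caller's known-good mapping (a pin),
      "mismatch" - a known name pointed somewhere else (likely hijack),
      "redirect" - a name the caller did not expect in hosts at all.
    """
    known = {k.lower(): ipaddress.ip_address(v) for k, v in (expected or {}).items()}
    findings = []
    for ip, names, lineno in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in names:
            if name in known:
                kind = "expected" if known[name] == ip else "mismatch"
            else:
                kind = "redirect"
            findings.append((lineno, name, str(ip), kind))
    return findings


if __name__ == "__main__":
    # Assumed known-good mapping for the demo (the address Brian reported).
    for f in classify_entries(SAMPLE_HOSTS, {"www.netidentity.com": "216.10.106.149"}):
        print("line %d: %-22s -> %-15s %s" % f)
    print("mapblast ->", lookup_hosts(SAMPLE_HOSTS, "mapblast"))
    print("abc      ->", lookup_hosts(SAMPLE_HOSTS, "abc"))
```

On a real machine, read the file from %SystemRoot%\System32\drivers\etc\hosts (Windows) or /etc/hosts and pass its text in place of SAMPLE_HOSTS; any "mismatch" or "redirect" line is worth explaining before trusting what the browser shows.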