
Is Govt of Quebec pirating my data?


11 replies to this topic

#1 tos226

Posted 22 June 2005 - 08:12 PM

While Zone Alarm isn't watching...
for three days in a row, the first activity my Linksys router log reports in the OUTGOING tab is
Dest: 192.168.1.100:1045 (or 1046, 1048, 1053)
to Dest_Port(?), an IP address such as 142.82.218.134, where the last three digits vary (134, 142, 136). All port 80. I can't quite square the log headings with the information I see.

So I checked
http://www.senderbase.org/search?searchString=142.82.218.142
The display is:

Network Owner:  Gouvernement du Quebec - MSSS
Registered on:  1990-03-26
Updated on:  1990-03-26
Expires on:  unknown
Netblock(s):  142.80.0.0/14    142.84.0.0/15   
[Querying whois.arin.net]
[Error writing to cache]
[whois.arin.net]

OrgName: Gouvernement du Quebec - MSSS
OrgID: GDQM
Address: 930, chemin Ste-Foy, 6th floor
City: Quebec
StateProv: QC
PostalCode: G1S-2L4
Country: CA

NetRange: 142.80.0.0 - 142.85.255.255
CIDR: 142.80.0.0/14, 142.84.0.0/15
NetName: GOUVERNEMENT-DU-QUEBEC-MSSS-RTSS
NetHandle: NET-142-80-0-0-1
Parent: NET-142-0-0-0-0
NetType: Direct Allocation
NameServer: DNS1.RTSS.QC.CA
NameServer: DNS2.RTSS.QC.CA
NameServer: DNS3.RTSS.QC.CA
Comment:
RegDate: 1990-03-26
Updated: 2004-10-25

OrgTechHandle: IPMAN7-ARIN
OrgTechName: ipmanager
OrgTechPhone: +1-418-527-5211
OrgTechEmail: ipmanager@ssss.gouv.qc.ca 

What's going on? More importantly, is my computer sending, to some hacker there, my information?
Yesterday it took forever to boot up, and by the time I could see anything, there were several dozen of these sends.
Finally it all stops after Zone Alarm kicks in. It bothers me.


#2 Leurgy

Posted 23 June 2005 - 08:25 AM

It's more likely your computer is being used as a zombie. You may have some type of a bot or trojan. Do your virus scans reveal anything?

When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslow

**** We use our powers for good, not evil ****

 Trying to remove your data from the web is like trying to remove pee from a swimming pool


#3 tos226

Posted 23 June 2005 - 09:26 AM

Leurgy, that's exactly what I worry about.
Not that I know exactly what you mean, other than a trojan sitting there and doing whatever it pleases, right? Even before I log in, or before ZA gets in the way (maybe)????

Ironically, yesterday, Zone Alarm scanned for 20 minutes some 123000 files, came out clean.
Two days ago I ran Ad-Aware and Search&Destroy, they came out clean as well.
I will rerun those two tonight again.
I have HJT instructions, might do that if you think it applies. I actually ran HJT a while back as a benchmark of sorts, so I might try to compare.

What do I do now?

PS: Leurgy, could you please edit the title of my post? That K at the end is embarrassing.

Edited by tos226, 23 June 2005 - 09:29 AM.


#4 Leurgy

Posted 23 June 2005 - 09:45 AM

Some trojans and bots use other computers as relays to hide their actual source or to run commands through. I recently cleaned a bot from a computer that was sending out 2000 requests a minute trying to find unprotected computers to infect to do the same thing. It reported back to a specific IRC channel where whoever was running the bot could issue commands to the infected computers.

Try running a trojan specific program. I like a-squared. Anti-virus and anti-spyware programs aren't very good at picking up on trojans.

By all means, compare your hijack logs.

Title edited.

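An added example, not code from the thread or from any of the posters: a small Python script that does offline what the first post did by hand and what Leurgy's description of a bot implies you should look for. It parses router log entries, attributes each destination to the netblocks in the ARIN record the poster quoted (142.80.0.0/14 and 142.84.0.0/15), and flags the patterns Leurgy describes: bursts of connections to many hosts in one minute, and connections to the default IRC port range a command-and-control channel would use. The log layout, the `SAMPLE_LOG` lines, the 10.0.0.x IRC destinations and the `burst_threshold` value are all constructed for illustration; a real Linksys export looks different and a real bot (2000 requests a minute in Leurgy's case) is far above the threshold used here. One reading note the script relies on: 192.168.1.100:1045 is the PC's own ephemeral source port (Windows hands those out from 1025 upward), and the :80 is the remote web server port, which is why every "Dest_Port" reads 80.

```python
"""Attribute outbound connections from a router log to known netblocks and
flag bot-like bursts. Added illustration only; log format is hypothetical."""
import ipaddress
from collections import defaultdict

# Netblocks copied from the ARIN record quoted earlier in the thread.
QUEBEC_MSSS = [ipaddress.ip_network("142.80.0.0/14"),
               ipaddress.ip_network("142.84.0.0/15")]

# Constructed sample in an assumed "date time src:port dst:port" layout.
# The 142.82.218.x hosts and the 1045-1053 source ports are the values the
# poster reported; the 10.0.0.x entries on 6667 are invented to show what an
# IRC-controlled bot would add to the same log.
SAMPLE_LOG = """\
2005-06-22 07:50:01 192.168.1.100:1045 142.82.218.134:80
2005-06-22 07:50:02 192.168.1.100:1046 142.82.218.142:80
2005-06-22 07:50:02 192.168.1.100:1048 142.82.218.136:80
2005-06-22 07:50:03 192.168.1.100:1053 142.82.218.134:80
2005-06-22 07:50:05 192.168.1.100:1054 10.0.0.5:6667
2005-06-22 07:50:05 192.168.1.100:1055 10.0.0.6:6667
2005-06-22 07:50:06 192.168.1.100:1056 10.0.0.7:6667
2005-06-22 08:10:00 192.168.1.100:1070 198.51.100.7:80
"""


def parse_log(text):
    """Yield (minute, src_ip, src_port, dst_ip, dst_port) for each log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, src, dst = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        yield f"{date} {clock[:5]}", src_ip, int(src_port), dst_ip, int(dst_port)


def in_msss_space(ip):
    """True if ip lies inside the Gouvernement du Quebec - MSSS allocation."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in QUEBEC_MSSS)


def summarize(text):
    """Per minute: connection count, distinct destinations, how many hit the
    MSSS netblocks, and how many go to the default IRC port range."""
    per_minute = defaultdict(
        lambda: {"conns": 0, "dsts": set(), "in_msss": 0, "irc": 0})
    for minute, _src, _sport, dst_ip, dst_port in parse_log(text):
        bucket = per_minute[minute]
        bucket["conns"] += 1
        bucket["dsts"].add(dst_ip)
        if in_msss_space(dst_ip):
            bucket["in_msss"] += 1
        if 6660 <= dst_port <= 6669:  # conventional IRC server ports
            bucket["irc"] += 1
    return per_minute


def findings(text, burst_threshold=5):
    """Human-readable findings. burst_threshold (distinct hosts per minute)
    is an assumed value chosen for the sample, not a tuned detection limit."""
    out = []
    for minute, b in sorted(summarize(text).items()):
        if b["in_msss"]:
            out.append(f"{minute}: {b['in_msss']} connection(s) into "
                       "Gouvernement du Quebec - MSSS address space")
        if b["irc"]:
            out.append(f"{minute}: {b['irc']} connection(s) to IRC ports "
                       "(possible bot command channel)")
        if len(b["dsts"]) >= burst_threshold:
            out.append(f"{minute}: {b['conns']} connections to "
                       f"{len(b['dsts'])} distinct hosts (scan-like burst)")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_LOG):
        print(line)
```

Run against a real export, the useful signals are the same three: which organisation owns the destination space (a government health network serving plain HTTP is not, on its own, evidence of anything), whether the machine talks to IRC-style ports it has no business using, and whether it opens connections faster than a person browsing could.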


#5 tos226

Posted 23 June 2005 - 10:04 AM

Thanks again!
I have one more question before phase 2 tonight. Would it make sense to disconnect the internet cable when I power up the computer so that it would not be doing weird things before ZA starts up, or is that irrelevant? I can easily pull the plug since I use a laptop.

Edited by tos226, 23 June 2005 - 10:05 AM.


#6 Leurgy

Posted 23 June 2005 - 10:15 AM

That won't do any harm. I would unplug the modem though, instead of hot swapping the cable (assuming you are using hi-speed). If these commands or requests are getting out before ZA loads you could defeat that. Although the harm has probably been done.



#7 tos226

Posted 23 June 2005 - 12:13 PM

Although the harm has probably been done.

Thanks for the encouraging news, Leurgy.
Yup, it's DSL. I like your idea to unplug the modem.
I will likely ask for further follow up after tonight's checks.

#8 tos226

Posted 24 June 2005 - 08:52 AM

A_squared (nice thing) reported one tracking cookie, to linksys.org.
Spybot reported a bunch of MRU files, histories, registry changes related to those, no significant threats, it said.

I ran HJT to check against December and early June HJT logs.
Excel says that this log matches with three exceptions:
1. Toshiba pinger gained a /run switch (they updated something in the past few days)
2. I lost some driver since December, can't recall the name (random letters), all materials are at home.
3. Few things which used to run at startup aren't listed because I disabled them, stuff like MotiveSmartBridge.
The log has several suspicious looking lines as well as stuff I'd like to get rid of, but no change. Unfortunately, I have zero knowledge of HJT besides reading few descriptions of the categories, so I can only do the mechanics of comparison.

I still had a one-way conversation with Quebec for a while, also an incredible number of pings from several Chinese telecom companies.

Are there other diagnostics I should do over the weekend?
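The comparison the poster did in Excel, as an added Python example (not the thread's own code and not a HijackThis feature): index each HJT-style line by its section and item name, then report entries that were added, removed, or changed between a baseline log and the current one. Keying by item name rather than by whole line matters for exactly the case described above: the Toshiba pinger "gaining a /run switch" shows up as one changed entry instead of one removal plus one unrelated addition. Both logs below are constructed; the entry names are hypothetical, and the `[NewEntry]` line stands in for whatever an analyst would then look up, not for anything found on the poster's machine.

```python
"""Diff two HijackThis-style logs by entry. Added illustration only; the
sample log lines are constructed and the item names are hypothetical."""
import re

# Constructed baseline (the "December" log in the thread's terms).
BASELINE_LOG = r"""
O4 - HKLM\..\Run: [TPinger] C:\Toshiba\Pinger.exe
O4 - HKLM\..\Run: [MotiveSB] C:\Program Files\Motive\MotiveSB.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\zlclient.exe
O23 - Service: OldDriverSvc - C:\WINDOWS\system32\abcdxyz.sys
"""

# Constructed current log: pinger gained /run, MotiveSB and the random-letter
# driver are gone, and one hypothetical new autostart entry appeared.
CURRENT_LOG = r"""
O4 - HKLM\..\Run: [TPinger] C:\Toshiba\Pinger.exe /run
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\zlclient.exe
O4 - HKLM\..\Run: [NewEntry] C:\WINDOWS\system32\newentry.exe
"""

# "O4 - HKLM\..\Run: [Name]" followed by the command line it launches.
_ENTRY = re.compile(r"^(O\d+ - [^\[]*\[[^\]]+\])\s*(.*)$")


def entry_key(line):
    """Split a log line into (key, value). O4-style lines are keyed by section
    plus bracketed item name so a changed command line reads as 'changed';
    lines without an item name are keyed by their full text."""
    m = _ENTRY.match(line.strip())
    if m:
        return m.group(1).strip(), m.group(2).strip()
    return line.strip(), ""


def index_log(text):
    """Map entry key -> value for every non-blank line."""
    return dict(entry_key(l) for l in text.splitlines() if l.strip())


def compare(baseline, current):
    """Return added, removed and changed entries between two logs."""
    b, c = index_log(baseline), index_log(current)
    return {
        "added": sorted(k for k in c if k not in b),
        "removed": sorted(k for k in b if k not in c),
        "changed": sorted((k, b[k], c[k]) for k in b if k in c and b[k] != c[k]),
    }


if __name__ == "__main__":
    result = compare(BASELINE_LOG, CURRENT_LOG)
    for k in result["added"]:
        print("ADDED   ", k)
    for k in result["removed"]:
        print("REMOVED ", k)
    for k, old, new in result["changed"]:
        print("CHANGED ", k, "|", old, "->", new)
```

A diff like this only tells you what moved; whether a new or changed entry is benign still needs the lookup the HJT team does by hand, which is why the thread rightly hands the full log to them.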

#9 Leurgy

Posted 24 June 2005 - 02:55 PM

I'd suggest you post a HiJack This log for the team to look at and refer them to this thread.



#10 tos226

Posted 25 June 2005 - 10:38 AM

Done
http://www.bleepingcomputer.com/forums/HJT...bec-t22670.html

Thank you, Leurgy.

#11 Leurgy

Posted 25 June 2005 - 11:37 AM

You're welcome, tos226.

I had a quick look at your log and it seems you do have a nasty there. Not to worry. The HJT team will help you out.



#12 tos226

Posted 26 June 2005 - 03:43 PM

Leurgy, thanks once more.

OldTimer was superfast, spent time checking this and two other very looooong logs, and I see he thinks things are clean. I'm interested in what you see. Please tell and we can square it with OldTimer.

So, this thread is close to being closed and I'll watch when it happens, something might click.
I wish I understood all these logs and how you guys go about it so I wouldn't waste your time ... but I don't. What would we do without you?
