
grumbot infection


4 replies to this topic

#1 elbone

elbone

  • Members
  • 3 posts

Posted 27 November 2012 - 11:59 AM

Could use some help finding which computer at our small business is infected. ISP has shut off service saying we have grumbot.

I have run Avast or Housecall on every computer but maybe I missed one. If there is a way to find the culprit I could take it offline and pacify the ISP.

Here is part of a recent report: x.x.x.x = my IP address
---
Attachment: text/plain
Category: abuse
Date: 2012-11-26T22:30:50Z
Report-ID: 0b2ae03a-f3d0-45d4-b064-dc7c8d911a70@abusix.com
Report-Type: grumbot-infection
Reported-From: no-reply@abusix.org
Schema-URL: http://www.x-arf.org/schema/abuse_grumbot-infection_0.1.0.json
Source: x.x.x.x
Source-Port: 53651
Source-Type: ipv4
User-Agent: abusix-reporter/1.0 (grumbot; x-arf)
Version: 0.1

x.x.x.x 51964 - - [26/Nov/2012:22:09:29 +0000] "POST /100/getcfg.php HTTP/1.1" 404 475 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)"
x.x.x.x 53651 - - [26/Nov/2012:22:30:50 +0000] "POST /100/getcfg.php HTTP/1.1" 404 475 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)"

---
Attachment: text/plain
Category: abuse
Date: 2012-11-26T22:44:06Z
Report-ID: 47ba7f1f-1389-4748-9426-5a3e50bf10d0@abusix.com
Report-Type: grumbot-infection
Reported-From: no-reply@abusix.org
Schema-URL: http://www.x-arf.org/schema/abuse_grumbot-infection_0.1.0.json
Source: x.x.x.x
Source-Port: 54885
Source-Type: ipv4
User-Agent: abusix-reporter/1.0 (grumbot; x-arf)
Version: 0.1

x.x.x.x 51455 - - [26/Nov/2012:22:03:37 +0000] "GET /spm/s_alive.php?id=56720752053927490840185329400082&tick=1841480964&ver=567&smtp=ok&sl=1&fw=0&pn=0&psr=0 HTTP/1.0" 404 495 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; VS2)"
x.x.x.x 51927 - - [26/Nov/2012:22:08:41 +0000] "GET /spm/s_alive.php?id=56720752053927490840185329400082&tick=1841785056&ver=567&smtp=ok&sl=1&fw=0&pn=0&psr=0 HTTP/1.0" 404 495 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; VS2)"
x.x.x.x 52185 - - [26/Nov/2012:22:13:46 +0000] "GET /spm/s_alive.php?id=56720752053927490840185329400082&tick=1842089523&ver=567&smtp=ok&sl=1&fw=0&pn=0&psr=0 HTTP/1.0" 404 495 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; VS2)"
---
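Added example, not code from the thread or any of its posters: it parses the "Key: value" header and the attached log lines of a report like the one quoted above, then matches each reported source port and timestamp against the office gateway's NAT translation log to name the inside host, which is how a single infected machine behind a shared public address is found. The NAT log layout and the 192.168.1.x / 198.51.100.x addresses are constructed for this example; real gateways log in their own formats.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed X-ARF style report excerpt modelled on the one in post #1 (IP masked the same way).
REPORT = """Report-Type: grumbot-infection
Source: x.x.x.x
Source-Port: 53651

x.x.x.x 51964 - - [26/Nov/2012:22:09:29 +0000] "POST /100/getcfg.php HTTP/1.1" 404 475 "-" "Mozilla/4.0"
x.x.x.x 53651 - - [26/Nov/2012:22:30:50 +0000] "POST /100/getcfg.php HTTP/1.1" 404 475 "-" "Mozilla/4.0"
"""

# Constructed NAT translation log from a hypothetical office gateway. The layout is invented for
# this example (real routers differ), but any NAT log records time, inside host and outside port.
NAT_LOG = """2012-11-26T22:09:29Z 192.168.1.23:1071 -> x.x.x.x:51964 -> 198.51.100.7:80
2012-11-26T22:12:02Z 192.168.1.41:2200 -> x.x.x.x:52001 -> 198.51.100.9:443
2012-11-26T22:30:49Z 192.168.1.23:1088 -> x.x.x.x:53651 -> 198.51.100.7:80
"""

EVIDENCE_RE = re.compile(r'^\S+ (\d+) - - \[([^\]]+)\] "\S+ (\S+) [^"]*"')
NAT_RE = re.compile(r'^(\S+) (\d+\.\d+\.\d+\.\d+):\d+ -> \S+:(\d+) -> ')


def parse_report(text):
    """Split the 'Key: value' header from the log-line evidence; return (headers, events)."""
    head, _, body = text.partition("\n\n")
    headers = dict(line.split(": ", 1) for line in head.splitlines())
    events = []
    for m in filter(None, map(EVIDENCE_RE.match, body.splitlines())):
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        events.append({"port": int(m.group(1)), "when": when, "path": m.group(3)})
    return headers, events


def parse_nat(text):
    """Return (time, inside_ip, outside_port) tuples from the constructed NAT log."""
    rows = []
    for m in filter(None, map(NAT_RE.match, text.splitlines())):
        when = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append((when, m.group(2), int(m.group(3))))
    return rows


def attribute(events, nat, slack=timedelta(seconds=5)):
    """Map each reported outside port to the inside host whose NAT entry used that port
    within `slack` of the sinkhole timestamp (the two clocks rarely agree to the second)."""
    return {ev["port"]: inside
            for ev in events
            for when, inside, port in nat
            if port == ev["port"] and abs(when - ev["when"]) <= slack}
```

Both reported connections resolve to 192.168.1.23 here, so that is the machine to pull off the network first; the same port-and-time join works against a firewall's connection log when the router keeps no NAT table history.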


#2 dev00790

dev00790

    Bleeping Chocoholic


  • Members
  • 5,037 posts
  • Gender:Male
  • Location:UK

Posted 27 November 2012 - 05:46 PM

Company Computers

Since this is a company computer, you may need to obtain permission to carry out the steps I give to you. We will be making system-wide changes to this computer which may be against your company's IT policy. Such action may result in disciplinary action being taken against you. I must stress that I, in no way, accept liability for this or for any unforeseen eventuality as a result of the instructions I give you (including, but not limited to, data loss).

In addition, if your company has an IT support infrastructure I urge you to contact them to resolve your issue - it's what they're paid to do; whereas I volunteer.

In order to continue to receive my help I would like you to confirm that you have the authority to work on the PC and that you accept my conditions.

Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!" I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog


#3 elbone

elbone
  • Topic Starter

  • Members
  • 3 posts

Posted 28 November 2012 - 06:42 PM

Thanks for your offer dev00790. I am the IT department and part owner so I can do anything with the computers.
We scanned with TDSSKiller and did boot time scans with Avast on all desktops and found two PCs with rootkits. They are both being wiped and reinstalled.
Maybe the ISP will turn us back on tonight.
Is anything in the report above meaningful to you? I am concerned mainly with how to detect outgoing traffic that an ISP would consider to be port scanning.

#4 dev00790

dev00790

    Bleeping Chocoholic


  • Members
  • 5,037 posts
  • Gender:Male
  • Location:UK

Posted 28 November 2012 - 07:51 PM

Hi, I will be away for up to 7 days. I'll be asking for a colleague to take over this topic.

Regards, dev00790



#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,932 posts
  • Gender:Female
  • Location:Romania

Posted 01 December 2012 - 03:19 AM

Hello,
Because dev00790 is away this week I'll work with you from here.

An ISP has specific ways to detect botnet activity (based on addresses traffic is directed to for example).
A well-known botnet rootkit is mebroot/sinowal. Could you let me know what rootkit TDSSKiller had detected?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
