A few days ago I had problems with the sites I am playing with. The reason for the problems was a vulnerability in Firefox, not in Windows, so it was a little bit harder to find and understand.
So, Thunderbird was so kind as to allow the download of a piece of malware. It is added by the W32/Zotob-I worm. This infection, when started, connects to a remote IRC server where it waits for commands to execute. I installed TCPView from sysinternals.com and took a look at what was happening. My infection script started to open a lot of ports and listen for connections from remote attackers. In one of these sessions an FTP connection was up and some passwords were stolen. From there, getting the sites modified was a piece of cake.
To clean up these issues I installed TCPView (Sysinternals), which is a useful tool to see what connections are in use on the computer.

After that I installed HijackThis from TrendMicro.com to see what processes start at Windows boot. At the same time, Trend Micro's tool is able to clean the suspect entries and give explanations about every program started by the system.
The worst thing in all this adventure is that a site I maintain for a friend was down a few times and this, you can imagine, is not a good vote for my expertise. Below is an example of how the screen looks for this job in action.
Good luck and safe websites :)

SERVICES.EXE:712    TCP    192.168.2.2:2028    206.46.232.11:25    ESTABLISHED
SERVICES.EXE:712    TCP    192.168.2.2:2030    216.39.53.2:25    ESTABLISHED
SERVICES.EXE:712    TCP    192.168.2.2:2035    217.72.192.149:25    LAST_ACK
SERVICES.EXE:712    TCP    192.168.2.2:1830    216.18.67.184:25    FIN_WAIT2
SERVICES.EXE:712    TCP    192.168.2.2:2012    64.12.138.120:25    LAST_ACK
[System Process]:0    TCP    192.168.2.2:1996    61.9.0.187:25    TIME_WAIT
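What makes the listing above alarming is not any single line but the pattern: SERVICES.EXE, a core Windows process that should never be talking to the Internet on its own, holds connections to five different remote mail servers on port 25. Reading TCPView by eye works for six lines; for a few hundred it helps to script the two checks. The script below is an added example written for this post, not something from the original article or from Sysinternals: it parses TCPView-style lines (the sample input is the listing above), flags outbound connections from a short list of system processes, and flags any process fanning out to several distinct SMTP servers. The process list and the fan-out threshold are assumptions chosen for the example, not TCPView settings.

```python
"""Triage TCPView / netstat-style connection listings for signs of a bot or mailer.

Added example, not part of the original post. The heuristics and thresholds are
assumptions made for this example; the sample input is the TCPView listing above.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the six TCPView lines shown in the post.
SAMPLE = """\
SERVICES.EXE:712    TCP    192.168.2.2:2028    206.46.232.11:25    ESTABLISHED
SERVICES.EXE:712    TCP    192.168.2.2:2030    216.39.53.2:25    ESTABLISHED
SERVICES.EXE:712    TCP    192.168.2.2:2035    217.72.192.149:25    LAST_ACK
SERVICES.EXE:712    TCP    192.168.2.2:1830    216.18.67.184:25    FIN_WAIT2
SERVICES.EXE:712    TCP    192.168.2.2:2012    64.12.138.120:25    LAST_ACK
[System Process]:0    TCP    192.168.2.2:1996    61.9.0.187:25    TIME_WAIT
"""

# Columns as TCPView prints them: Process:PID  Proto  Local  Remote  State
LINE_RE = re.compile(
    r"^(?P<proc>.+?):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)"
    r"(?:\s+(?P<state>\S+))?\s*$"
)

# Core Windows processes that have no business holding outbound TCP connections
# to the Internet (assumption: list chosen for this example).
SYSTEM_PROCS = {"services.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe"}

# Distinct remote hosts on port 25 from one process before we call it a mailer
# (assumption: threshold chosen for this example).
SMTP_FANOUT_THRESHOLD = 3


def parse(listing):
    """Return one dict per parsable line; lines that do not match are skipped."""
    rows = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def is_external(addr):
    """True for a routable public address; False for '*', 0.0.0.0, RFC1918, loopback."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # '*' or other placeholder TCPView prints for unbound sockets
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_unspecified or ip.is_link_local)


def find_suspicious(rows):
    """Apply both checks and return {check_name: {"PROC:PID": count}}.

    system_process_outbound counts external TCP connections per system process;
    smtp_fanout counts distinct external port-25 targets per process, reported
    only when the count reaches SMTP_FANOUT_THRESHOLD.
    """
    system_outbound = defaultdict(int)
    smtp_targets = defaultdict(set)
    for r in rows:
        if r["proto"] != "TCP" or not is_external(r["raddr"]):
            continue
        key = f'{r["proc"]}:{r["pid"]}'
        if r["proc"].lower() in SYSTEM_PROCS:
            system_outbound[key] += 1
        if r["rport"] == "25":
            smtp_targets[key].add(r["raddr"])
    return {
        "system_process_outbound": dict(system_outbound),
        "smtp_fanout": {k: len(v) for k, v in smtp_targets.items()
                        if len(v) >= SMTP_FANOUT_THRESHOLD},
    }


if __name__ == "__main__":
    for check, hits in find_suspicious(parse(SAMPLE)).items():
        for proc, n in hits.items():
            print(f"{check}: {proc} ({n})")
```

Run against the listing above it reports SERVICES.EXE:712 under both checks, while the single TIME_WAIT socket owned by [System Process] stays below the fan-out threshold. In practice you would paste the output of TCPView's "Save" or `netstat -ano` into SAMPLE; the PID column is what lets you go from a flagged line to the process in HijackThis or Task Manager.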

© 2012 Blogger Data Suffusion theme by Sayontan Sinha