Author Topic: What's going on with the DB server?

goffrie

  • Bot Builder
  • Posts: 65
What's going on with the DB server?
« Reply #15 on: May 10, 2008, 09:12:07 AM »
That's not BitTorrent, then. You probably got that from somewhere else.

Numsgil

  • Administrator
  • Bot God
  • Posts: 7742
What's going on with the DB server?
« Reply #16 on: May 10, 2008, 01:44:21 PM »
I've used the official bittorrent client before.  There were all sorts of problems, but nothing restarting the computer didn't fix (it apparently had a memory leak that eventually had it using gigs of RAM, etc. etc.)

Go to start->run and type in msconfig.  Go to the last tab and uncheck everything you see.  Restart your computer, and go back to start->run and type in msconfig again.  If any of the items are checked again, you probably have some malware.  If you don't, and you're not getting any weird access anymore, then you probably had something doing something weird, but you've managed to turn it off.  Go back down the list of things you turned off in msconfig and see if you can find anything you don't recognize and post them here.

If after turning off all the startup things you're still getting weird accesses, then you're either not dealing with any malware at all, or you're dealing with one that isn't too stupid (most are pretty stupid).

Testlund

  • Bot God
  • Posts: 1574
What's going on with the DB server?
« Reply #17 on: May 10, 2008, 02:28:09 PM »
I did what you suggested. I didn't see anything on the autostart or service tab I didn't recognise. Still, I disabled most of them, all but the ones I need for sound, graphics, OP and security software. My computer still tries access through those ports with strange letters: nbname (137), Ms-ds (445), nbsess (139), etc. Whatever it is, it's hooked deep in the system. It says it's UDP incoming but it comes from my IP address.
The internet is corrupt and controlled by criminally minded people.

Numsgil

  • Administrator
  • Bot God
  • Posts: 7742
What's going on with the DB server?
« Reply #18 on: May 10, 2008, 02:36:23 PM »
Your IP address on the local network (ie: 192.168.x.x) or on the internet (ie: something else)?

Testlund

  • Bot God
  • Posts: 1574
What's going on with the DB server?
« Reply #19 on: May 10, 2008, 03:18:36 PM »
It's my borrowed IP, for my Internet adapter. I have a dynamic IP. It's not from the DHCP or DNS servers.

The IP you typed above is not from me. I don't recognise it.
« Last Edit: May 10, 2008, 03:20:10 PM by Testlund »

Peter

  • Bot God
  • Posts: 1177
What's going on with the DB server?
« Reply #20 on: May 10, 2008, 03:44:17 PM »
Quote
I did what you suggested. I didn't see anything on the autostart or service tab I didn't recognise. Still, I disabled most of them, all but the ones I need for sound, graphics, OP and security software. My computer still tries access through those ports with strange letters: nbname (137), Ms-ds (445), nbsess (139), etc. Whatever it is, it's hooked deep in the system. It says it's UDP incoming but it comes from my IP address.
The strange letters are names for the ports. The commonly used ports have names; most don't. Try disconnecting the network cable. Look if it still tries to get access. If so, disable everything in msconfig in the tab before the last one, and the last one too. Security is then not starting up, so you would have to manually start up your firewall to see if there is something that tries to get access, and in that case don't have access to the internet. This is a waste of time if there isn't a connection attempt while the cable is loose.
If you can find the IPs of the computers there is access to, post them or try to verify them yourself. You could post a security log too.

Quote from: Testlund
It's my borrowed IP, for my Internet adapter. I have a dynamic IP. It's not from the DHCP or DNS servers.

Quote
The IP you typed above is not from me. I don't recognise it.
Those are IP addresses often used for internal networks, so you get them if you get a router.

Edit
Oh yeah, the port names, what do they mean?

nbname, nbsess: ports used by NetBIOS. This is used in a LAN. (So, do you use a router?)

ms-ds: MicroSoft Directory Sharing. Speaks for itself.

If you are not sharing files and/or using a router, then there is somebody for sure trying to get access to your possibly non-existent network, and to your files.

Edit2
(Wait, it came from your computer, right? Sounds like a botnet.)
« Last Edit: May 10, 2008, 03:54:08 PM by Peter »
Oh my god, who the hell cares.
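As an added example (not code from anyone in this thread) of checking the pattern Peter and Testlund are describing, the script below classifies firewall log lines by the NetBIOS/SMB port names above (nbname 137, nbsess 139, ms-ds 445), records whether each hit claims to come from the host's own address, a LAN address, or the outside, and checks whether the self-sourced hits recur on a fixed interval. The log format, the host's own address and the sample lines are all constructed.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Port numbers and the names the firewall showed (nbname, nbsess, ms-ds).
PORT_NAMES = {137: "nbname", 138: "nbdgram", 139: "nbsess", 445: "ms-ds"}
# Explicit RFC 1918 ranges (ipaddress.is_private would also match the documentation ranges used below).
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log (hypothetical format: date time proto src dst dport action).
SAMPLE_LOG = """\
2008-05-10 14:02:11 UDP 198.51.100.7 198.51.100.7 137 BLOCK
2008-05-10 14:27:09 UDP 198.51.100.7 198.51.100.7 137 BLOCK
2008-05-10 14:30:00 TCP 203.0.113.9 198.51.100.7 139 BLOCK
2008-05-10 14:52:14 UDP 198.51.100.7 198.51.100.7 137 BLOCK
2008-05-10 15:00:42 TCP 192.168.1.5 198.51.100.7 445 BLOCK
2008-05-10 15:17:20 UDP 198.51.100.7 198.51.100.7 137 BLOCK
2008-05-10 15:20:00 TCP 203.0.113.9 198.51.100.7 80 BLOCK
"""

def parse_line(line):
    # One log line -> dict; the timestamp becomes a datetime for interval math.
    date, clock, proto, src, dst, dport, action = line.split()
    return {"time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "proto": proto, "src": src, "dst": dst, "dport": int(dport), "action": action}

def origin(src, own_ip):
    # 'self' = the host's own address, 'lan' = RFC 1918 space, anything else 'external'.
    addr = ip_address(src)
    if addr == ip_address(own_ip):
        return "self"
    return "lan" if any(addr in net for net in RFC1918) else "external"

def is_periodic(gaps_min, tolerance_min=2.0):
    # True when every gap between consecutive events agrees within the tolerance.
    return len(gaps_min) >= 2 and max(gaps_min) - min(gaps_min) <= tolerance_min

def summarize(log_text, own_ip):
    # Count hits per (port name, origin) and measure the spacing of self-sourced hits.
    counts, self_times = {}, []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        name = PORT_NAMES.get(entry["dport"])
        if name is None:  # not a NetBIOS/SMB port; ignore
            continue
        key = (name, origin(entry["src"], own_ip))
        counts[key] = counts.get(key, 0) + 1
        if key[1] == "self":
            self_times.append(entry["time"])
    self_times.sort()
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(self_times, self_times[1:])]
    return {"counts": counts, "self_gaps_min": gaps, "self_periodic": is_periodic(gaps)}
```

A steady ~25 minute cadence from the host's own address points at a scheduled local process rather than an outside scan, which is the kind of thing to look for in the startup list.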

Testlund

  • Bot God
  • Posts: 1574
What's going on with the DB server?
« Reply #21 on: May 10, 2008, 04:49:43 PM »
I should probably research this some more, but what you're saying is interesting. It could be the malware is just trying different ways to access, one way in case I COULD be on a LAN with a router. I'm not though. Just one computer connected through an ADSL modem. My ISP might be a little like a router with a LAN network. I don't know.
I don't have any file sharing active. I even uninstalled the hidden 'WebFldrs XP' program. If it still tries to do file sharing, that smells like malware to me. Maybe that's how BitTorrent works. Once you've installed it, it will continue to do file sharing forever whether you like it or not, until you format the hard drive!

Numsgil

  • Administrator
  • Bot God
  • Posts: 7742
What's going on with the DB server?
« Reply #22 on: May 11, 2008, 01:33:46 AM »
The bittorrent client is opensource, IIRC, or at least used by a lot of people.  A lot of people who use it to download games to get around the copy protections.  Meaning they're the sort of people who don't like programs doing sneaky things behind the scenes, and they're smart enough to catch it and connected enough to make sure everyone else knows, too.  It's just not the primary culprit here if you uninstalled it.  You might have installed something else by accident with the client, but if your virus checker and something like ad-aware don't find anything on your hard drive, then you would have to have something very new, and pretty smart to hide itself well enough that you can't find it.  Which is possible, but I don't think it should be the first assumption you jump to.

In msconfig, turn off everything (yes, everything.  Even the virus protection, firewalls, everything), unplug yourself from the internet entirely (so it won't matter if you're unprotected for 5 minutes because it's impossible for anything to enter or leave your computer), and then restart windows.  Then load up only what you need to see if you're still getting weird firewall things.  That will give you a good base point to start from.  If you're not, then you know it's something you unchecked.  You can check one thing, restart windows, and continue like that (still unconnected from the internet), until you find the culprit.

If it still is doing weird things, double check your msconfig start up tab.  If something that you unchecked has checked itself, that's suspicious.  Double check that it is what you think it is (it's possible something has attached itself into that program's exe).  If they're still all unchecked, then it's either Windows itself acting weird or a smart and new trojan/adware/virus/etc.  Which either way might be a good time to reinstall or switch to another partition or something.
« Last Edit: May 11, 2008, 01:37:52 AM by Numsgil »

Testlund

  • Bot God
  • Posts: 1574
What's going on with the DB server?
« Reply #23 on: May 11, 2008, 05:25:04 AM »
I decided to uncheck everything I don't need regularly. If this is hooked into something I need to have running then there is no other option than a complete uninstall, so no point in disabling it just to see if it's one of those. This access attempt is done about every 25 minutes through the ports I mentioned above. No harm done, because my firewall blocks whatever it's trying to do, and it doesn't seem to cause system instability.

Alright, this is what I think it's all about:
When you install BitTorrent you also install a server client called BTDNA. This client will always run in the background no matter if you quit BitTorrent or not. Your computer will be a permanent file server after this. If you uninstall this, though, it should probably stop. I'm not absolutely sure about that though. These access attempts I'm talking about happened AFTER the install of BitTorrent. Maybe some hacker was lucky to get into my system through BitTorrent just for the few minutes I was downloading the file. I don't know. The fact remains that immediately during the install process of BitTorrent there were lots of UNUSUAL popup warnings from my firewall.
Most people may not care if files are getting uploaded/downloaded after install of BitTorrent, even if they quit the program, especially if they keep sharing files a lot anyway, but I don't like it when I can't control WHEN a P2P client is running. The longer you keep running a file sharing application, having ports open for it, the higher the risk some hacker gets through.
I just think BitTorrent is risky business and that's all I'm going to say about it. That's my opinion.

goffrie

  • Bot Builder
  • Posts: 65
What's going on with the DB server?
« Reply #24 on: May 11, 2008, 10:41:31 AM »
BitTorrent, by itself, is not risky business unless someone tampered with your executable. (Illegally downloaded programs, though, are.) BTDNA is a separate program installed with BitTorrent - http://www.bittorrent.com/dna/ - and is uninstalled separately, from what I've heard ( http://forum.bittorrent.com/viewtopic.php?id=663 ). You are right though, it does act as a file server for the BitTorrent network, just not permanently. Nothing is permanent, you know. Anyways, if you don't want to deal with the official client, there are lots of others, like Azureus and uTorrent.

Peter

  • Bot God
  • Posts: 1177
What's going on with the DB server?
« Reply #25 on: May 11, 2008, 11:02:20 AM »
Quote from: Testlund
I decided to uncheck everything I don't need regularly. If this is hooked into something I need to have running then there is no other option than a complete uninstall, so no point in disabling it just to see if it's one of those. This access attempt is done about every 25 minutes through the ports I mentioned above. No harm done, because my firewall blocks whatever it's trying to do, and it doesn't seem to cause system instability.

Alright, this is what I think it's all about:
When you install BitTorrent you also install a server client called BTDNA. This client will always run in the background no matter if you quit BitTorrent or not. Your computer will be a permanent file server after this. If you uninstall this, though, it should probably stop. I'm not absolutely sure about that though. These access attempts I'm talking about happened AFTER the install of BitTorrent. Maybe some hacker was lucky to get into my system through BitTorrent just for the few minutes I was downloading the file. I don't know. The fact remains that immediately during the install process of BitTorrent there were lots of UNUSUAL popup warnings from my firewall.
Most people may not care if files are getting uploaded/downloaded after install of BitTorrent, even if they quit the program, especially if they keep sharing files a lot anyway, but I don't like it when I can't control WHEN a P2P client is running. The longer you keep running a file sharing application, having ports open for it, the higher the risk some hacker gets through.
I just think BitTorrent is risky business and that's all I'm going to say about it. That's my opinion.
 

Well, if it is BTDNA, a part of BT, you should be able to remove it.
Look into Add/Remove Programs in Windows, and look there for DNA/BitTorrent, or something that looks like it.
You should be able to disable the startup of it in msconfig, I think?

Can you find this program in taskmanager?
I don't know what it is called in Sweden, so the eh, ctrl-alt-delete screen. Can you find the program somewhere there?

BTDNA should NOT be running if you have disabled it in msconfig. If it isn't somewhere in msconfig and it still starts up, shame on BitTorrent.

I haven't used BitTorrent anyway; I was lazy and just used the built-in client in the Opera web browser. There it is as simple as clicking on a file, and it would download as if it was just a normal download.

Testlund

  • Bot God
  • Posts: 1574
What's going on with the DB server?
« Reply #26 on: May 11, 2008, 12:20:15 PM »
Yes, I had no problem uninstalling it. It just took a little while before I found out it was not BitTorrent that was doing the job, it was BTDNA. BitTorrent is just a GUI for managing the downloads. I don't know what BTDNA is doing all the time once you've downloaded a file. Probably just keeps sharing that file, or maybe other files get passed through your computer, pretty much like a spam bot.

Peter

  • Bot God
  • Posts: 1177
What's going on with the DB server?
« Reply #27 on: May 11, 2008, 12:30:05 PM »
So, is the problem fixed, or are there still troubles?

Numsgil

  • Administrator
  • Bot God
  • Posts: 7742
What's going on with the DB server?
« Reply #28 on: May 11, 2008, 03:43:12 PM »
Did you run the uninstaller?  I find it odd that bittorrent's GUI would uninstall, but leave the core program running.

My guess is that the core program was probably just updating the servers that direct traffic to say where you were and what files you were sharing.  And you can not get hackers in to your system just by running P2P software.  The people who designed the internet were smarter than that.

The issue is when you want users to log in to your system remotely, and you want to keep out people who aren't legitimate.  For instance, at work there's a way for people to submit code and access files from home.  It's through that same pathway that a hacker might try to break through and access files and submit code, etc.  But the hacker can never do more than a legitimate user could.

Another example: Windows has something called Remote Desktop.  It basically lets you connect to another Windows computer through the internet.  I have a small server farm I'm setting up, and I can turn on any of the computers, and log in to them, and run them just like I was there, on my desktop, even though my actual computers are in another room.  In theory if someone were to figure out my password (brute forcing it or using a dictionary attack wouldn't work.  Most passwords are found either because people write them down, throw them away, and the hacker digs through the corporate garbage, or the hacker is the one who set up the network and knows some back door password, or something like that), and they were on my LAN, they could gain control of these computers like they were sitting down in front of them.

However, my router does not allow incoming traffic from the internet to access the ports you need for remote desktop.  So it is impossible for anyone to get at these computers from the internet unless they can first hack my router.  But my router specifically does not allow incoming traffic from the internet to access its login page.  So it's physically impossible for someone to hack my computers through the internet.

However, my router is wireless, and I haven't set up a password for it (because I'm lazy), so in theory someone could get within 50 feet of my house, use my wireless router to connect to my LAN, and then somehow figure out my password, and log in to these spare computers.  But that's the only physically possible way, because I'm specifically not allowing incoming traffic from the internet to access the stuff it needs to hack my computer.

If you just have a vanilla install of XP, fresh out of the box, with no fixes, and hook it up to the internet, you won't get hacked.  Hacking can only occur if you, the user, install or run an executable on your computer.  Either something involving outlook or word macros, an installation package, batch files, etc. etc.  Or if you the user specifically set your computer up to be accessible from the internet.  And even then someone has to figure out your password, and if you make it 8 letters or longer, and mix lower and upper case with some numbers, it becomes impossible*.

* at the present time.  Most systems rely on a mathematical fact that it's hard to factor large numbers.  If that ever becomes easy, pretty much all existing protection schemes become trivial to break.  Of course, you still have to have your computer set up for remote access.

Testlund

  • Bot God
  • Posts: 1574
What's going on with the DB server?
« Reply #29 on: May 11, 2008, 05:45:08 PM »
I agree with what you're saying Nums. That's pretty much how I think it works, but sometimes it seems hackers get into computers too easily. I'm no expert in this so I don't know exactly how they do it, I just know where the risks lie. There is a reason why you need a firewall with stealth ports for instance. Just somebody knowing your computer exists may be enough to find a way in. I've read about how they can get access through Windows services for instance. Just read what it says in all those security fixes you're downloading from Microsoft, where it says a hacker can get control of your computer through this vulnerability. Maybe they need my administrator password to do it, I don't know. It doesn't say.
Just visiting a web page may be enough to get a backdoor installed that immediately gives access to the computer.
Now I forgot my sandwiches in the oven just because I had to write this. Right after I felt the strong smell the fire alarm started beeping. I'm glad I don't have sprinklers.
« Last Edit: May 11, 2008, 05:46:49 PM by Testlund »