Darwinbots Forum

Bots and Simulations => Evolution and Internet Sharing Sims => Internet Mode Commentary => Topic started by: Testlund on May 09, 2008, 10:00:05 AM

Title: What's going on with the DB server?
Post by: Testlund on May 09, 2008, 10:00:05 AM
I've been getting all sorts of strangeness over here. DB freeze and unauthorized access logged in the firewall from the DB server IP, and 5 hours ago some ftp from a similar IP tried to access my computer?
Title: What's going on with the DB server?
Post by: Testlund on May 09, 2008, 11:10:40 AM
I would also like to know if a program called 'WebFldrs XP' is needed for DB. It is a program I found as a HIDDEN install (it doesn't show up in Add/Remove Programs). It has to do with FTP sharing.
Title: What's going on with the DB server?
Post by: EricL on May 09, 2008, 11:16:13 AM
Server's working just fine.  The server will never initiate communication to you.  I've never heard of the program you mention, although XP has code for accessing "Web Folders" via the DAV protocol, so it might be part of Windows.
Title: What's going on with the DB server?
Post by: Testlund on May 09, 2008, 12:52:08 PM
Well... I made the mistake of installing Bittorrent, which I suspect started all sorts of nasties both inside and outside my computer. I have uninstalled it now and removed all associated files I could find. Still it appears someone has sniffed me out and is trying a directed Denial of Service attack at me, coming from the US.
It could have been some temporary glitch that caused my firewall to suddenly block access to DB. Usually it doesn't block anything I've allowed, unless that program's signature changes, or some strange behavior occurs, like it tries to do another kind of access.
In any case it appears my own computer is also trying all sorts of accesses which my firewall blocks, like 'nbname, MS-ds, nbsess, http, snmp', which seem associated with my network card. I just hope I didn't get a rootkit installed or something.
Title: What's going on with the DB server?
Post by: EricL on May 09, 2008, 12:53:53 PM
Sounds like a spam bot.  Better run some AV and anti-spyware stuff soon.
Title: What's going on with the DB server?
Post by: Testlund on May 09, 2008, 01:10:18 PM
DAMN! You think so because of those names I mentioned in the log? I HAVE great antivirus and antispy installed already, but I'm aware it can only keep up with the most common malware out there. I guess I'm gonna have to reformat and install.   BAH! I get a bunch of fragmented packages too but I can't block those because it messes up the renewal of my IP. Yawn!
Title: What's going on with the DB server?
Post by: EricL on May 09, 2008, 01:14:24 PM
Just a guess.  If something like Windows Defender says you're clean, then you're probably fine.
Title: What's going on with the DB server?
Post by: Peter on May 09, 2008, 05:00:34 PM
Hmm, strange. It could be that the webfldrs xp is some kind of update or something like it.

There is a part of windows that uses it, and it is something you can kill.  

It sounds like this, I'm not completely sure.
 ''msiexec /x C:\Windows\System32\webfldrs.msi''


I would think you would be the last person that gets infected, you seem pretty serious about system protection.


Probably you have got some program against malware; you could try testing with another one. At least it can't do any harm.
If it finds nothing, there is probably nothing.

I don't know exactly what it means, what you're getting. What program is being blocked by your firewall?


Hiya, I'm back.

A house fire and an ISP I had serious troubles with kept me from wasting my time here.
Title: What's going on with the DB server?
Post by: Numsgil on May 09, 2008, 05:17:10 PM
Quote from: Peter
Hiya, I'm back.

A house fire and an ISP I had serious troubles with kept me from wasting my time here.

A house fire?  That's no excuse!  Maybe if aliens had come down and burned all of Europe off the face of the Earth, you might have an excuse.  

Welcome back
Title: What's going on with the DB server?
Post by: Peter on May 09, 2008, 05:47:47 PM
Quote from: Numsgil
Quote from: Peter
Hiya, I'm back.

A house fire and an ISP I had serious troubles with kept me from wasting my time here.

A house fire?  That's no excuse!  Maybe if aliens had come down and burned all of Europe off the face of the Earth, you might have an excuse.  

Welcome back
Well, probably I will not come here much in the coming weeks. These weeks there is nice weather outside (that isn't really normal in the Netherlands; maybe I'll take photos of the sunny days), and I've got to finish an intern report.

Well, I am not afraid of aliens that destroy Europe. The Netherlands is too small to be hit anyway. But wait, you knew it lies in Europe. Many other Americans just think it is a part of Mexico.

Have you moved or something? I remember something about you living in Kentucky.
Title: What's going on with the DB server?
Post by: Numsgil on May 09, 2008, 05:50:54 PM
Yep, I moved to sunny California for a programming gig with a video game startup.
Title: What's going on with the DB server?
Post by: Testlund on May 09, 2008, 09:23:20 PM
Quote from: Peter
I would think you would be the last person that gets infected, you seem pretty serious about system protection.

I needed something that was only available as a Bittorrent file, nothing illegal though. So I took my chances and opened a bag of worms called Bittorrent. I should have cared more about the warnings from my firewall, but I thought I would just give it a try and allow it temporarily just to get this file, then I could uninstall it.
I suspect this client is malicious code by itself. The reason I believe that is that I was running under a user account, installed Bittorrent with administrator privileges by right-clicking and choosing 'Run as...', and immediately I got lots of unusual firewall warnings and this spam bot or whatever got installed. Logically nothing should be able to get downloaded and installed in the system afterwards if it doesn't have administrator access. Bittorrent had it though.
I also noticed that traffic continued to/from my computer even after quitting Bittorrent. I've seen that on other people's computers.
Your computer becomes a file server/spam deliverer which you have no control over after installing this program. Don't use it!
Title: What's going on with the DB server?
Post by: Trafalgar on May 09, 2008, 09:35:15 PM
Where did you get that Bittorrent client, which one was it? There are many, many different bittorrent clients.

Title: What's going on with the DB server?
Post by: goffrie on May 09, 2008, 10:00:27 PM
The official BitTorrent client (at http://www.bittorrent.com/) does not have any malware in it. "Bittorrent" is an improper capitalization, by the way.

Also, Windows' "administrator"/"limited user" split is a joke. You can do tons with a limited user.
Title: What's going on with the DB server?
Post by: Testlund on May 10, 2008, 09:08:34 AM
That's the site where I downloaded the client. People may have different opinions on what malware is. I just described above what happened when I installed it. If that's not the behavior of malware then I don't know what is. If I were to turn off my firewall for a few days I wouldn't be surprised to get a call from my ISP wondering why my PC has turned into a spam zombie. I don't know what all those letters mean with the various ports that my PC suddenly tries to get out on after I've both installed and uninstalled BitTorrent. Never seen it before. Eric suspects the behavior of a spam bot and I have no reason to disbelieve him. I will try to find more information about this later but it's not easy to find. Mostly you just end up on forums where people make guessing games about what it is.
Title: What's going on with the DB server?
Post by: goffrie on May 10, 2008, 09:12:07 AM
That's not BitTorrent, then. You probably got that from somewhere else.
Title: What's going on with the DB server?
Post by: Numsgil on May 10, 2008, 01:44:21 PM
I've used the official bittorrent client before.  There were all sorts of problems, but nothing restarting the computer didn't fix (it apparently had a memory leak that eventually had it using gigs of RAM, etc. etc.)

Go to start->run and type in msconfig.  Go to the last tab and uncheck everything you see.  Restart your computer, and go back to start->run and type in msconfig again.  If any of the items are checked again, you probably have some malware.  If you don't, and you're not getting any weird access anymore, then you probably had something doing something weird, but you've managed to turn it off.  Go back down the list of things you turned off in msconfig and see if you can find anything you don't recognize and post them here.

If after turning off all the startup things you're still getting weird accesses, then you're either not dealing with any malware at all, or you're dealing with one that isn't too stupid (most are pretty stupid).
Title: What's going on with the DB server?
Post by: Testlund on May 10, 2008, 02:28:09 PM
I did what you suggest. I didn't see anything on the autostart or service tab I didn't recognise. Still I disabled most of them, except the ones I need for sound, graphics, OP and security software. My computer still tries access through those ports with strange letters: nbname (137), Ms-ds (445), nbsess (139) etc. Whatever it is, it's hooked deep in the system. It says it's UDP incoming but it comes from my IP address.
Title: What's going on with the DB server?
Post by: Numsgil on May 10, 2008, 02:36:23 PM
Your IP address on the local network (ie: 192.168.x.x) or on the internet (ie: something else)?
Title: What's going on with the DB server?
Post by: Testlund on May 10, 2008, 03:18:36 PM
It's my borrowed IP, for my Internet adaptor. I have a dynamic IP. It's not from the DHCP or DNS servers.

The IP you typed above is not from me. I don't recognise it.
Title: What's going on with the DB server?
Post by: Peter on May 10, 2008, 03:44:17 PM
Quote
I did what you suggest. I didn't see anything on the autostart or service tab I didn't recognise. Still I disabled most of them, except the ones I need for sound, graphics, OP and security software. My computer still tries access through those ports with strange letters: nbname (137), Ms-ds (445), nbsess (139) etc. Whatever it is, it's hooked deep in the system. It says it's UDP incoming but it comes from my IP address.
The strange letters are names for the ports. The commonly used ports have names, most don't. Try disconnecting a network cable. Look if it still tries to get access. If so, disable everything in msconfig in the one tab before the last, well, and the last too. Security is then not starting up; you would have to manually start up your firewall to see if there is something that tries to get access, and in that case don't have access to the internet. This is a waste of time if there isn't a connection attempt when the connection cable is loose.
If you can find IPs of the computers there is access to, well, post them or try to verify them yourself. You could post a security log too.

Quote from: Testlund
It's my borrowed Ip, for my Internet adaptor. I have dynamic IP. It's not from the DHCP or DNS servers.

Quote
The IP you typed above is not from me. I don't recognise it.
Those are IP addresses often/always used for internal networks, so you get them if you get a router.

Edit
Oh yeah the port names, what do they mean.

nbname, nbsess : ports used by NetBIOS. This is used in a LAN. (So, do you use a router?)

ms-ds, MicroSoft Directory Sharing. Speaks for itself.

If you are not sharing files and/or using a router, then there is somebody for sure trying to get access to your (possibly not existing) network. And to your files.

Edit2
(wait, it came from your computer right. Sounds like a botnet.)
Title: What's going on with the DB server?
Post by: Testlund on May 10, 2008, 04:49:43 PM
I should probably research this some more, but what you're saying is interesting. It could be the malware is just trying different ways to access, one way in case I COULD be on a LAN with a router. I'm not though. Just one computer connected through an ADSL modem. My ISP might be a little like a router with a LAN network. I don't know.
I don't have any file sharing active. I even uninstalled the hidden 'WebFldrs XP' program. If it still tries to do file sharing, it smells like malware to me. Maybe that's how BitTorrent works. Once you've installed it, it will continue to do file sharing forever whether you like it or not, until you format the hard drive!
Title: What's going on with the DB server?
Post by: Numsgil on May 11, 2008, 01:33:46 AM
The bittorrent client is open source, IIRC, or at least used by a lot of people.  A lot of people who use it to download games to get around the copy protections.  Meaning they're the sort of people who don't like programs doing sneaky things behind the scenes, and they're smart enough to catch it and connected enough to make sure everyone else knows, too.  It's just not the primary culprit here if you uninstalled it.  You might have installed something else by accident with the client, but if your virus checker and something like Ad-Aware don't find anything on your hard drive, then you would have to have something very new, and pretty smart to hide itself well enough that you can't find it.  Which is possible, but I don't think it should be the first assumption you jump to.

In msconfig, turn off everything (yes, everything.  Even the virus protection, firewalls, everything), unplug yourself from the internet entirely (so it won't matter if you're unprotected for 5 minutes because it's impossible for anything to enter or leave your computer), and then restart windows.  Then load up only what you need to see if you're still getting weird firewall things.  That will give you a good base point to start from.  If you're not, then you know it's something you unchecked.  You can check one thing, restart windows, and continue like that (still unconnected from the internet), until you find the culprit.

If it still is doing weird things, double check your msconfig startup tab.  If something that you unchecked has checked itself, that's suspicious.  Double check that it is what you think it is (it's possible something has attached itself to that program's exe).  If they're still all unchecked, then it's either Windows itself acting weird or a smart and new trojan/adware/virus/etc.  Which either way might be a good time to reinstall or switch to another partition or something.
Title: What's going on with the DB server?
Post by: Testlund on May 11, 2008, 05:25:04 AM
I decided to uncheck everything I don't need regularly. If this is hooked into something I need to have running then there is no other option than a complete uninstall, so no point in disabling it just to see if it's one of those. This access try is done about every 25 minutes through the ports I mentioned above. No harm done, because my firewall blocks whatever it's trying to do, and it doesn't seem to cause system instability.

Alright, this is what I think it's all about:
When you install BitTorrent you also install a server client called BTDNA. This client will always run in the background no matter if you quit BitTorrent or not. Your computer will be a permanent file server after this. If you uninstall this though it should probably stop. I'm not absolutely sure about that though. These access tries I'm talking about happened AFTER the install of BitTorrent. Maybe some hacker was lucky to get into my system through BitTorrent just for the few minutes I was downloading the file. I don't know. The fact remains that immediately during the install process of BitTorrent there were lots of UNUSUAL popup warnings from my firewall.
Most people may not care if files are getting uploaded/downloaded after install of BitTorrent, even if they quit the program, especially if they keep sharing files a lot anyway, but I don't like it when I can't control WHEN a P2P client is running. The longer you keep running a file sharing application, having ports open for it, the higher the risk some hacker gets through.
I just think BitTorrent is risky business and that's all I'm going to say about it. That's my opinion.
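As an added example, not code from this thread or from any of the programs mentioned in it: a small Python script that labels the port numbers Testlund lists with the names Peter explains above (nbname 137, nbsess 139, ms-ds 445) and flags blocked outbound attempts from the local host that recur at a regular interval, which is how the "every 25 minutes" pattern would show up in a firewall log. The log line format, the local IP address and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Port names as a personal firewall labels them (the "strange letters" in the thread).
PORT_NAMES = {
    137: "nbname (NetBIOS name service, UDP)",
    138: "nbdgm (NetBIOS datagram, UDP)",
    139: "nbsess (NetBIOS session, TCP)",
    445: "ms-ds (Microsoft-DS / SMB over TCP)",
    161: "snmp (network management)",
    80: "http (web)",
}
# File-sharing ports that only make sense toward LAN neighbours; on a lone
# ADSL-connected host, regular outbound attempts on them deserve a closer look.
LAN_ONLY_PORTS = {137, 138, 139, 445}

# Assumed log format (constructed for this example, not any real firewall's):
#   YYYY-MM-DD HH:MM:SS ACTION PROTO src_ip:src_port -> dst_ip:dst_port
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>BLOCK|ALLOW) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: 203.0.113.25 plays the local host (documentation range, not real).
SAMPLE_LOG = """\
2008-05-10 14:00:00 BLOCK UDP 203.0.113.25:137 -> 203.0.113.255:137
2008-05-10 14:00:00 BLOCK TCP 203.0.113.25:1044 -> 203.0.113.1:445
2008-05-10 14:25:01 BLOCK UDP 203.0.113.25:137 -> 203.0.113.255:137
2008-05-10 14:25:01 BLOCK TCP 203.0.113.25:1052 -> 203.0.113.1:139
2008-05-10 14:31:40 BLOCK TCP 198.51.100.7:3412 -> 203.0.113.25:445
2008-05-10 14:50:02 BLOCK UDP 203.0.113.25:137 -> 203.0.113.255:137
2008-05-10 15:15:00 BLOCK UDP 203.0.113.25:137 -> 203.0.113.255:137
2008-05-10 15:15:00 ALLOW TCP 203.0.113.25:1060 -> 192.0.2.10:80
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def port_name(port):
    """Human-readable name for a well-known port, 'unknown' otherwise."""
    return PORT_NAMES.get(port, "unknown")


def find_periodic_lan_port_attempts(lines, local_ip, min_hits=3,
                                    tolerance=timedelta(minutes=2)):
    """Blocked outbound events from local_ip to LAN-only ports, grouped by
    destination port. A port is reported when it has at least min_hits events
    and every gap between consecutive events is within `tolerance` of the mean
    gap, i.e. the attempts look scheduled rather than user-driven."""
    by_port = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if (ev and ev["action"] == "BLOCK" and ev["src"] == local_ip
                and ev["dport"] in LAN_ONLY_PORTS):
            by_port[ev["dport"]].append(ev["ts"])
    findings = {}
    for port, stamps in by_port.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean_gap = sum(gaps, timedelta()) / len(gaps)
        if all(abs(g - mean_gap) <= tolerance for g in gaps):
            findings[port] = {"hits": len(stamps),
                              "interval_min": round(mean_gap.total_seconds() / 60),
                              "name": port_name(port)}
    return findings


if __name__ == "__main__":
    report = find_periodic_lan_port_attempts(SAMPLE_LOG.splitlines(), "203.0.113.25")
    for port, info in report.items():
        print(f"port {port} {info['name']}: {info['hits']} blocked attempts, "
              f"about every {info['interval_min']} min")
```

The single inbound hit on 445 from another address and the one-off attempts on 139 and 445 are not reported; only the regularly repeating NetBIOS name-service attempts are.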
 
Title: What's going on with the DB server?
Post by: goffrie on May 11, 2008, 10:41:31 AM
BitTorrent, by itself, is not risky business unless someone tampered with your executable. (Illegally downloaded programs, though, are.) BTDNA is a separate program installed with BitTorrent - http://www.bittorrent.com/dna/ - and is uninstalled separately, from what I've heard ( http://forum.bittorrent.com/viewtopic.php?id=663 ). You are right though, it does act as a file server for the BitTorrent network, just not permanently. Nothing is permanent, you know. Anyways, if you don't want to deal with the official client, there are lots of others, like Azureus and uTorrent.
Title: What's going on with the DB server?
Post by: Peter on May 11, 2008, 11:02:20 AM
Quote from: Testlund
I decided to uncheck everything I don't need regularly. If this is hooked into something I need to have running then there is no other option than a complete uninstall, so no point in disabling it just to see if it's one of those. This access try is done about every 25 minutes through the ports I mentioned above. No harm done, because my firewall blocks whatever it's trying to do, and it doesn't seem to cause system instability.

Alright, this is what I think it's all about:
When you install BitTorrent you also install a server client called BTDNA. This client will always run in the background no matter if you quit BitTorrent or not. Your computer will be a permanent file server after this. If you uninstall this though it should probably stop. I'm not absolutely sure about that though. These access tries I'm talking about happened AFTER the install of BitTorrent. Maybe some hacker was lucky to get into my system through BitTorrent just for the few minutes I was downloading the file. I don't know. The fact remains that immediately during the install process of BitTorrent there were lots of UNUSUAL popup warnings from my firewall.
Most people may not care if files are getting uploaded/downloaded after install of BitTorrent, even if they quit the program, especially if they keep sharing files a lot anyway, but I don't like it when I can't control WHEN a P2P client is running. The longer you keep running a file sharing application, having ports open for it, the higher the risk some hacker gets through.
I just think BitTorrent is risky business and that's all I'm going to say about it. That's my opinion.
 

Well, if it is BTDNA, a part of BT, you should be able to remove it.
Look into Add/Remove Programs in Windows, and look there for DNA/BitTorrent, or something that looks like it.
You should be able to disable the startup of it in msconfig, I think?

Can you find this program in taskmanager?
I don't know what it is called in Sweden, so the eh, ctrl-alt-delete screen. Can you find the program somewhere there?

BTDNA should NOT be running if you have disabled it in msconfig. If it isn't somewhere in msconfig and it still starts up, shame on BitTorrent.

I haven't used BitTorrent anyway, I was lazy and I just used the built-in client in the Opera web browser. There it is as simple as clicking on a file, and it would download as if it was just a normal download.
Title: What's going on with the DB server?
Post by: Testlund on May 11, 2008, 12:20:15 PM
Yes, I had no problem uninstalling it. It just took a little while before I found out it was not BitTorrent that was doing the job, it was BTDNA. BitTorrent is just a GUI for managing the downloads. I don't know what BTDNA is doing all the time once you've downloaded a file. Probably just keeps sharing that file, or maybe other files get passed through your computer, pretty much like a spam bot.
Title: What's going on with the DB server?
Post by: Peter on May 11, 2008, 12:30:05 PM
So, is the problem fixed, or are there still troubles?

Title: What's going on with the DB server?
Post by: Numsgil on May 11, 2008, 03:43:12 PM
Did you run the uninstaller?  I find it odd that bittorrent's GUI would uninstall, but leave the core program running.

My guess is that the core program was probably just updating the servers that direct traffic to say where you were and what files you were sharing.  And you can not get hackers in to your system just by running P2P software.  The people who designed the internet were smarter than that.

The issue is when you want users to log in to your system remotely, and you want to keep out people who aren't legitimate.  For instance, at work there's a way for people to submit code and access files from home.  It's through that same pathway that a hacker might try to break through and access files and submit code, etc.  But the hacker can never do more than a legitimate user could.

Another example: Windows has something called Remote Desktop.  It basically lets you connect to another Windows computer through the internet.  I have a small server farm I'm setting up, and I can turn on any of the computers, and log in to them, and run them just like I was there, on my desktop, even though my actual computers are in another room.  In theory if someone were to figure out my password (brute forcing it or using a dictionary attack wouldn't work.  Most passwords are found either because people write them down, throw them away, and the hacker digs through the corporate garbage, or the hacker is the one who set up the network and knows some back door password, or something like that), and they were on my LAN, they could gain control of these computers like they were sitting down in front of them.

However, my router does not allow incoming traffic from the internet to access the ports you need for remote desktop.  So it is impossible for anyone to get at these computers from the internet unless they can first hack my router.  But my router specifically does not allow incoming traffic from the internet to access its login page.  So it's physically impossible for someone to hack my computers through the internet.

However, my router is wireless, and I haven't set up a password for it (because I'm lazy), so in theory someone could get within 50 feet of my house, use my wireless router to connect to my LAN, and then somehow figure out my password, and log in to these spare computers.  But that's the only physically possible way, because I'm specifically not allowing incoming traffic from the internet to access the stuff it needs to hack my computer.

If you just have a vanilla install of XP, fresh out of the box, with no fixes, and hook it up to the internet, you won't get hacked.  Hacking can only occur if you, the user, install or run an executable on your computer.  Either something involving outlook or word macros, an installation package, batch files, etc. etc.  Or if you the user specifically set your computer up to be accessible from the internet.  And even then someone has to figure out your password, and if you make it 8 letters or longer, and mix lower and upper case with some numbers, it becomes impossible*.

* at the present time.  Most systems rely on a mathematical fact that it's hard to factor large numbers.  If that ever becomes easy, pretty much all existing protection schemes become trivial to break.  Of course, you still have to have your computer set up for remote access.
Title: What's going on with the DB server?
Post by: Testlund on May 11, 2008, 05:45:08 PM
I agree with what you're saying Nums. That's pretty much how I think it works, but sometimes it seems hackers get into computers too easily. I'm no expert in this so I don't know exactly how they do it, I just know where the risks lie. There is a reason why you need a firewall with stealth ports for instance. Just somebody knowing your computer exists may be enough to find a way in. I've read about how they can get access through Windows services for instance. Just read what it says in all those security fixes you're downloading from Microsoft, where it says a hacker can get control of your computer through this vulnerability. Maybe they need my administrator password to do it, I don't know. It doesn't say.
Just visiting a web page may be enough to get a backdoor installed that immediately gives access to the computer.
Now I forgot my sandwiches in the oven just because I had to write this. Right after I felt the strong smell the fire alarm started beeping. I'm glad I don't have sprinklers.
Title: What's going on with the DB server?
Post by: goffrie on May 11, 2008, 05:47:27 PM
The only security problems with opening a *single* port for BitTorrent are bugs in BitTorrent itself - just as likely as having bugs in your Web browser, so you really aren't taking a huge risk (except for what you download with it).
Title: What's going on with the DB server?
Post by: Testlund on May 11, 2008, 05:48:01 PM
Quote from: Peter
So, is the problem fixed, or are there still troubles.

Nothing else but the access tries through the ports I've mentioned.
Title: Re: What's going on with the DB server?
Post by: theblaze on May 10, 2011, 01:29:59 AM
All this playing with darwinbots has given your PC AI :)
Title: Re: What's going on with the DB server?
Post by: Matz05 on November 21, 2011, 07:39:56 PM
You do know that ALL updates say that by default.
Most of them say "Unauthenticated remote attacker", but I find that hard to believe. Windows wasn't written by monkeys... right? Right?  :huh:
The ones that scare me are the ones where the standard sticker is edited slightly... That must mean there really WAS a major flaw...

On the other hand, it could just be that the operating system is built so backwards that MS really do find flaws that "allow an unauthenticated remote attacker to compromise and take control of your system" in every component every few months... In that case, who wrote this !@#$%^&*()?