M-L wrote:
I have this in my syslog while downloading the latest updates from Debian?
My computer drops off the modem. The modem is still connected but ppp is not,
the computer doesn't respond to being on the net.
I don't use chat and wonder if the machine is actually breached by intruders?
Charlie
Nov 6 17:59:41 taogypsy chat[7793]: Virus Infection and Unexpected Computer
Shutdowns^M
Nov 6 17:59:41 taogypsy chat[7793]: ^M
Nov 6 17:59:41 taogypsy chat[7793]: Affected Software: ^M
Nov 6 17:59:41 taogypsy chat[7793]: ^M
Nov 6 17:59:41 taogypsy chat[7793]: Microsoft Windows NT Workstation ^M
Nov 6 17:59:41 taogypsy chat[7793]: Microsoft Windows NT Server 4.0 ^M
Nov 6 17:59:41 taogypsy chat[7793]: Microsoft Windows 2000 ^M
Nov 6 17:59:41 taogypsy chat[7793]: Microsoft Windows XP ^M
Nov 6 17:59:41 taogypsy chat[7793]: Microsoft Windows Win98 ^M
Nov 6 17:59:41 taogypsy chat[7793]: Microsoft Windows Server 2003^M
Nov 6 17:59:41 taogypsy chat[7793]: ^M
Nov 6 17:59:41 taogypsy chat[7793]: Non Affected Software: ^M
Nov 6 17:59:41 taogypsy chat[7793]: ^M
Nov 6 17:59:41 taogypsy chat[7793]: Microsoft Windows Millennium Edition^M
Nov 6 17:59:41 taogypsy chat[7793]: ^M
Nov 6 17:59:41 taogypsy chat[7793]: Your system is affected, download the
patch from the address below ! ^M
Nov 6 17:59:41 taogypsy chat[7793]: FIRST TYPE THE ADDRESS BELOW INTO YOUR
INTERNET BROWSER, THEN CLICK 'OK
Nov 6 17:59:41 taogypsy chat[7793]: -- got it
Nov 6 17:59:41 taogypsy chat[7793]: send (ATDT0198308888^M)
Nov 6 17:59:41 taogypsy chat[7793]: expect (CONNECT)
Nov 6 17:59:41 taogypsy chat[7793]: '.^M
Nov 6 17:59:41 taogypsy chat[7793]: THE ADDRESS WILL DISAPPEAR ONCE YOU
CLICK 'OK'.^M
Nov 6 17:59:41 taogypsy chat[7793]: ^M
Nov 6 17:59:41 taogypsy chat[7793]:
www.patchupdate.info^M
This looks a lot like your chatscript for the PPP connection has been
overwritten by an e-mail about a virus or similar text message.
Very strange, but not quite enough to say the box is compromised -- it
could simply be that the file somehow got overwritten with an errant cut
and paste or similar.
Definitely worth checking into, though -- look into your /etc/ppp
directory and associated files. Also, you don't mention which (if any)
GUI-based dialer that you use, but it could be stored in a configuration
file from one of those also -- again, likely an errant cut and paste or
similar.
Go hunting with GREP to find the script or configuration file that
contains one of the phrases from that chat log -- like "THE ADDRESS WILL
DISAPPEAR" for example. Hunt the whole box if you have to, but you
should be able to find out where that's coming from...
Nate
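
The grep hunt suggested in the reply above, as an added example that is not part of the original thread: it pulls the stray text out of the chat lines in a syslog file and reports which files under the given directories contain it. The function names, the script name `hunt.sh` and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): trace text that chat(8) logged to syslog
# back to the file on disk that contains it.

# chat_phrases: read syslog lines on stdin, print the distinctive logged text.
# Strips the syslog prefix and a trailing CR (real, or printed as "^M"), then
# drops chat's own "send (...)", "expect (...)" and "-- ..." trace lines and
# fragments too short to be a useful search string.
chat_phrases() {
    cr=$(printf '\r')
    sed -n 's/^.* chat\[[0-9]*\]: *//p' |
    sed -e 's/\^M$//' -e "s/${cr}\$//" -e 's/[[:space:]]*$//' |
    grep -v -e '^send (' -e '^expect (' -e '^-- ' |
    awk 'length($0) >= 16' | sort -u
}

# hunt_chat_source LOGFILE DIR...: print "file<TAB>phrase" for every file under
# DIR... that contains one of those phrases as a fixed string (no regex).
hunt_chat_source() {
    log=$1; shift
    chat_phrases < "$log" | while IFS= read -r phrase; do
        grep -rlF -e "$phrase" -- "$@" 2>/dev/null |
        while IFS= read -r f; do printf '%s\t%s\n' "$f" "$phrase"; done
    done
}

# Usage (paths are assumptions): sh hunt.sh /var/log/syslog /etc/ppp "$HOME"
if [ "$#" -ge 2 ]; then hunt_chat_source "$@"; fi
```

A file that shows up here with a recent modification time is the first thing to inspect and compare against a known-good copy.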