M-L wrote:
On Monday 06 November 2006 18:54, Nate Duehr shared this with us all:
--> M-L wrote:
--> > I have this in my syslog while downloading the latest updates from Debian?
--> >
--> > My computer drops off the modem. the modem is still connected but ppp is not,
--> > the computer doesn't respond to being on the net/
--> >
--> > I don't use chat and wonder if the machine is actually breached by intruders?
--> >
--> > Charlie
--> >
--> > Nov  6 17:59:41 taogypsy chat[7793]: Virus Infection and Unexpected Computer Shutdowns^M
--> > Nov  6 17:59:41 taogypsy chat[7793]: ^M
--> > Nov  6 17:59:41 taogypsy chat[7793]: Affected Software: ^M
--> > Nov  6 17:59:41 taogypsy chat[7793]: ^M
--> > Nov  6 17:59:41 taogypsy chat[7793]: Microsoft Windows NT Workstation ^M
--> > Nov  6 17:59:41 taogypsy chat[7793]: Microsoft Windows NT Server 4.0 ^M
--> > Nov  6 17:59:41 taogypsy chat[7793]: Microsoft Windows 2000 ^M
--> > Nov  6 17:59:41 taogypsy chat[7793]: Microsoft Windows XP ^M
--> > Nov  6 17:59:41 taogypsy chat[7793]: Microsoft Windows Win98   ^M
--> > Nov  6 17:59:41 taogypsy chat[7793]: Microsoft Windows Server 2003^M
--> > Nov  6 17:59:41 taogypsy chat[7793]: ^M
--> > Nov  6 17:59:41 taogypsy chat[7793]: Non Affected Software: ^M
--> > Nov  6 17:59:41 taogypsy chat[7793]: ^M
--> > Nov  6 17:59:41 taogypsy chat[7793]: Microsoft Windows Millennium Edition^M
--> > Nov  6 17:59:41 taogypsy chat[7793]: ^M
--> > Nov  6 17:59:41 taogypsy chat[7793]: Your system is affected, download the patch from the address below ! ^M
--> > Nov  6 17:59:41 taogypsy chat[7793]: FIRST TYPE THE ADDRESS BELOW INTO YOUR INTERNET BROWSER, THEN CLICK 'OK
--> > Nov  6 17:59:41 taogypsy chat[7793]:  -- got it
--> > Nov  6 17:59:41 taogypsy chat[7793]: send (ATDT0198308888^M)
--> > Nov  6 17:59:41 taogypsy chat[7793]: expect (CONNECT)
--> > Nov  6 17:59:41 taogypsy chat[7793]: '.^M
--> > Nov  6 17:59:41 taogypsy chat[7793]: THE ADDRESS WILL DISAPPEAR ONCE YOU CLICK 'OK'.^M
--> > Nov  6 17:59:41 taogypsy chat[7793]: ^M
--> > Nov  6 17:59:41 taogypsy chat[7793]:
--> > www.patchupdate.info^M
--> >
-->
-->
--> This looks a lot like your chatscript for the PPP connection has been
--> overwritten by an e-mail about a virus or similar text message.
-->
--> Very strange, but not quite enough to say the box is compromised -- it
--> could simply be that the file somehow got overwritten with an errant cut
--> and paste or similar.
-->
--> Definitely worth checking into, though -- look into your /etc/ppp
--> directory and associated files.  Also, you don't mention which (if any)
--> GUI-based dialer that you use, but it could be stored in a configuration
--> file from one of those also -- again, likely an errant cut and paste or
--> similar.
-->
--> Go hunting with GREP to find the script or configuration file that
--> contains one of the phrases from that chat log -- like "THE ADDRESS WILL
--> DISAPPEAR" for example.  Hunt the whole box if you have to, but you
--> should be able to find out where that's coming from...
-->
--> Nate
Thanks Nate,

I stopped downloading, on dialup 31.2 kbps [and looking at 8 hours]
Installed chkrootkit which found nothing infected or out of place.

I use pon, is that a GUI dialer?

My system is secure and in full stealth mode according to http://www.grc.com

What service exactly of grc.com?


I will learn how to use grep and see what I can come up with.

This is an Acer lappy, from which I never removed the XP Windows system because I needed it straight away, and didn't know if I could get Sarge or Etch installed without problems, and was going to blow XP away as soon as Etch went stable. So I just shrank the Windows partition and created the ones I wanted for Etch. It worked and I left it like that for now.
I am wondering if Acer added something as an automagic upgrade. In the BIOS?

But I will try to discover how grep works and find the string.

Thanks again.
Charlie
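The "go hunting with grep" step Nate describes, written out as a small POSIX shell script. This is an added example, not code from the thread or from the ppp package: it builds a throwaway sandbox that mirrors the Debian layout pon uses (`/etc/ppp/peers/provider`, whose `connect` line runs `chat -f /etc/chatscripts/provider`), plants a constructed copy of the phrase from the syslog in the chat script, and then shows how to locate every file under a directory that contains a given literal string. The file contents, the sandbox paths and the `ATDT0123456789` number in the clean copy are all constructed; on a real machine you would run `hunt_phrase /etc "THE ADDRESS WILL DISAPPEAR"` (or against `/` if `/etc` turns up nothing).

```shell
#!/bin/sh
# Added example (not from the original thread): locate the file that is
# feeding free text to chat(8), as suggested in the reply above.

# Search ROOT recursively for files containing the literal PHRASE.
# -F: fixed string, not a regex; -l: print file names only.
# Prints one matching path per line; exit status 0 if anything matched.
hunt_phrase() {
    grep -rlF -- "$2" "$1" 2>/dev/null
}

# Number of files under ROOT that contain PHRASE (0 when none).
hunt_phrase_count() {
    hunt_phrase "$1" "$2" | wc -l | tr -d ' '
}

# Same search with two lines of context and line numbers, so you can see
# whether the text sits in an expect/send pair that chat will push to the modem.
hunt_phrase_context() {
    grep -rnF -B2 -A2 -- "$2" "$1" 2>/dev/null
}

# Print the chat script path named on the 'connect' line of a peers file;
# this tells you which script pon is actually handing to chat -f.
chat_script_of() {
    sed -n 's/.*chat[^"]*-f[[:space:]]*\([^" ]*\).*/\1/p' "$1"
}

# Constructed sandbox: a minimal copy of the Debian ppp layout in a temp dir.
make_sandbox() {
    sb=$(mktemp -d)
    mkdir -p "$sb/ppp/peers" "$sb/chatscripts"
    cat > "$sb/ppp/peers/provider" <<'EOF'
# constructed sample peers file
connect "/usr/sbin/chat -v -f /etc/chatscripts/provider"
noauth
defaultroute
EOF
    # a clean chat script: ordinary expect/send pairs (number is constructed)
    cat > "$sb/chatscripts/provider.clean" <<'EOF'
ABORT BUSY
ABORT 'NO CARRIER'
'' ATZ
OK ATDT0123456789
CONNECT ''
EOF
    # the tampered copy: free text pasted in front of the dial string,
    # modelled on the phrase that appeared in the syslog excerpt above
    cat > "$sb/chatscripts/provider" <<'EOF'
'' 'THE ADDRESS WILL DISAPPEAR ONCE YOU CLICK OK.'
OK ATDT0198308888
CONNECT ''
EOF
    printf '%s\n' "$sb"
}

# Demonstration run against the sandbox (safe; nothing touches /etc).
demo_root=$(make_sandbox)
echo "chat script named in peers file: $(chat_script_of "$demo_root/ppp/peers/provider")"
echo "files containing the phrase:"
hunt_phrase "$demo_root" "THE ADDRESS WILL DISAPPEAR"
echo "context:"
hunt_phrase_context "$demo_root" "THE ADDRESS WILL DISAPPEAR"
rm -rf "$demo_root"
```

Once grep names the file, check its modification time (`ls -l --time-style=full-iso` on GNU ls) against when the problem started and compare its contents with the expect/send pairs you intended; the `send (ATDT...)` line in the log comes straight from whatever script `chat -f` was given, so the `connect` line in `/etc/ppp/peers/` is the quickest way to confirm which script is in use.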

