Nerte 7.8.1 Trojan

viper · Guest

I got a warning message after the scan. What is this please help

Warning: fsockopen() [function.fsockopen]: unable to connect to 217.128.142.30:31 in /home/www/computercops/modules/Trojan_TCP_Scan/ccspTrojans.php on line 137
Connection Refused: Port 31 used by Master Paradise.
ESTABLISHED CONNECTION: Possible Nerte 7.8.1 Trojan found on port 80.

Paul · Admin Joined: Feb 22, 2002 Posts: 5719 Location: USA

Are you running any firewalls or anti-virus programs?

Guest · Posted: Sun Feb 16, 2003 6:51 pm Post subject:

jaykaykay · Posted: Tue Feb 25, 2003 9:52 pm Post subject:

Paul · Admin Joined: Feb 22, 2002 Posts: 5719 Location: USA

An online scanner here?

jaykaykay · Posted: Tue Feb 25, 2003 10:11 pm Post subject:

Paul · Admin Joined: Feb 22, 2002 Posts: 5719 Location: USA

Oh I thought you meant adding an AV scanner or something.

slofs · Guest

i alsso had Nerte warning
i run AGV and Sygate firewhal

ESTABLISHED CONNECTION: Possible Nerte 7.8.1 Trojan found on port 80.

Paul · Admin Joined: Feb 22, 2002 Posts: 5719 Location: USA

Try running "netstat -an" , post your findings.

ehask · Guest

Make sure your not running a webserver on your box. I also got this message but I am on the LAN side of a Linux firewall that is hosting 5 domains (port 80)

I believe the fact that a webserver responds triggers the scanner as a possible Trojan

Paul nice site!!

Eric H
A+,Linux+,MCSE,CCNA
www.pctechs2go.net

Guest · Posted: Tue Jul 22, 2003 3:44 pm Post subject: heres what netstat -an says

http://freeozlotto.com/Clipboard01.gif

i also have the nerte rthing being reported

Paul · Admin Joined: Feb 22, 2002 Posts: 5719 Location: USA

Try an "netstat -an" does it show anything listening on that port?

Guest · Posted: Wed Jul 23, 2003 2:00 am Post subject:

0.0.0.0:1960 0.0.0.0:0 LISTENING
127.0.0.1:1792 0.0.0.0:0 LISTENING
127.0.0.1:5180 0.0.0.0:0 LISTENING
127.0.0.1:3698 0.0.0.0:0 LISTENING
127.0.0.1:3716 0.0.0.0:0 LISTENING
203.29.136.155:12082 0.0.0.0:0 LISTENING
203.29.136.155:31825 0.0.0.0:0 LISTENING
203.29.136.155:3697 207.46.106.38:1863 ESTABLISHED
203.29.136.155:3713 205.188.9.77:5190 ESTABLISHED
203.29.136.155:3723 64.12.200.226:5190 ESTABLISHED
203.29.136.155:1958 205.188.165.121:80 TIME_WAIT
203.29.136.155:1960 207.46.108.49:1863 ESTABLISHED
203.29.136.155:1962 64.12.174.121:80 TIME_WAIT
203.29.136.155:11465 0.0.0.0:0 LISTENING
0.0.0.0:1029 *:*
0.0.0.0:3696 *:*
127.0.0.1:1792 *:*
127.0.0.1:3698 *:*
127.0.0.1:3716 *:*
203.29.136.155:31825 *:*
203.29.136.155:11465 *:*

savagegoose · Cadet Joined: May 14, 2003 Posts: 2 Location: Australia

well that last guest posts was mine, i narrowed down all progs running and still had this

Proto Local Address Foreign Address State
TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING
TCP 203.29.136.155:2063 205.188.165.121:80 TIME_WAIT
UDP 0.0.0.0:1029 *:*

i did a trace route and got this

1 203.12.165.50 201ms 202ms 220ms TTL: 0 (adl-ts1-2600.tpgi.com.au ok)
2 203.12.165.33 223ms 206ms 199ms TTL: 0 (adl-7204.tpgi.com.au ok)
3 202.7.183.34 222ms 202ms 230ms TTL: 0 (adl-adlpow-gw.tpgi.com.au ok)
4 202.7.162.101 294ms 214ms 239ms TTL: 0 (syd-adl-pow-gw.tpgi.com.au ok)
5 203.192.130.221 220ms 220ms 221ms TTL: 0 (No rDNS)
6 203.192.160.101 222ms 221ms 222ms TTL: 0 (No rDNS)
7 203.192.136.106 375ms 361ms 380ms TTL: 0 (pos2-1-155M.cr1.LAX1.gblx.net ok)
8 66.185.148.49 376ms 378ms 361ms TTL: 0 (pop2-las-P5-1.atdn.net bogus rDNS: host not found [authoritative])
9 66.185.137.160 427ms 385ms 406ms TTL: 0 (bb1-las-P1-0.atdn.net bogus rDNS: host not found [authoritative])
10 66.185.137.160 407ms 393ms 392ms TTL: 0 (bb1-las-P1-0.atdn.net bogus rDNS: host not found [authoritative])
11 66.185.152.37 405ms 381ms 379ms TTL: 0 (bb2-pho-P1-0.atdn.net bogus rDNS: host not found [authoritative])
12 66.185.152.37 416ms 420ms 428ms TTL: 0 (bb2-pho-P1-0.atdn.net bogus rDNS: host not found [authoritative])
13 66.185.152.106 452ms 435ms 448ms TTL: 0 (bb2-hou-P6-0.atdn.net bogus rDNS: host not found [authoritative])
14 66.185.152.184 442ms 431ms 442ms TTL: 0 (bb1-atm-P7-0.atdn.net bogus rDNS: host not found [authoritative])
15 66.185.152.184 479ms 442ms 437ms TTL: 0 (bb1-atm-P7-0.atdn.net bogus rDNS: host not found [authoritative])
16 66.185.152.29 428ms 431ms 425ms TTL: 0 (bb1-vie-P10-0.atdn.net bogus rDNS: host not found [authoritative])
17 66.185.152.158 436ms 456ms 432ms TTL: 0 (bb1-dtc-P11-0.atdn.net bogus rDNS: host not found [authoritative])
18 66.185.152.158 484ms 436ms 441ms TTL: 0 (bb1-dtc-P11-0.atdn.net bogus rDNS: host not found [authoritative])
19 66.185.145.2 432ms 435ms 434ms TTL: 0 (ow1-dr2-S0-2-0.atdn.net bogus rDNS: host not found [authoritative])
20 66.185.145.2 440ms 463ms 448ms TTL: 0 (ow1-dr2-S0-2-0.atdn.net bogus rDNS: host not found [authoritative])
21 172.18.126.98 456ms 471ms 441ms TTL: 0 (No rDNS)
22 205.188.165.121 447ms 461ms 432ms TTL: 50 (ads.web.aol.com ok)

should i be worried?

Jamming · Colonel Premium Member Joined: Jun 22, 2002 Posts: 1874

Download the TrojanHunter trial it detects and removes the Nerte 781 Trojan. Make sure you update the definitions. Using the trial version of TrojanHunter, please see http://www.misec.net/support/trojanhunter/updating/ for instructions on how to update to the latest ruleset.


	Home ˇ Topics ˇ Submit News ˇ Top 10 This entire site, Cops Themes, and Computer Cops are Š 2002 - 2004 Computer Cops, LLC. All rights reserved. You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0. Acceptable Use Policy. Use signifies your agreement. Engine Copyright Š 2002 by PHP-Nuke, GNU/GPL Licensed. ICRA Member. Paul Laudanski, Member of Computer Cops, LLC Server Load: 1234 pages served in previous 5 minutes. Page Rendered: 0.537 seconds.