
question

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi-
  I'm running tor 0.1.0.11 win32 as an exit server.  I came home
after a meeting today, and found a virus warning for the Trojan.phel
virus in my temp directory.

  A side-effect of my virus program is that it also logs all port 80
exits from my tor server, and it had the following entries:

(WARNING!!!!! These sites contain the trojan!!!!!)

7/19/2005 12:47:27 PM,Supervisor,http://highconvert.com/system/users/dimpy/
7/19/2005 12:47:01 PM,Supervisor,http://highconvert.com/system/users/dimpy/new9/web.php
7/19/2005 12:47:00 PM,Supervisor,http://highconvert.com/system/users/dimpy/activx2/web.php
7/19/2005 12:47:00 PM,Supervisor,http://highconvert.com/system/users/dimpy/new12/web.php
7/19/2005 12:46:59 PM,Supervisor,http://highconvert.com/system/users/dimpy/chmjpeg/web.php
7/19/2005 12:46:59 PM,Supervisor,http://highconvert.com/system/users/dimpy/java/web.php
7/19/2005 12:46:43 PM,Supervisor,http://highconvert.com/system/users/dimpy/hta2/web.php
7/19/2005 12:46:42 PM,Supervisor,http://highconvert.com/system/users/dimpy/

This coincides with the infection times, and is also a time when
both my kids were at work and I was not home.  Assuming that I do
not have some other backdoor program (several different AV products
say this system is clean), and that I did not have a physical break-in
at this computer (I hope I can assume this), I have to conclude that
it was a result of the tor server serving the pages through this
system.  Is there a way to verify this (i.e., force another machine
to use my tor server as the exit server and see what happens when I
hit this site)?

Unfortunately, my firewall connection log only holds about 30-45
minutes of information when my tor server is running, and overwrites
older connections, so I cannot use that for checking into this.
However, this particular trojan relies on the M$ Help system to
function, so the times that I browsed to this site show up in my
event log as:

"This operation can only function within HTML Help.,
http://highconvert.com/system/users/dimpy/hta2/web.php,
http://go.microsoft.com/fwlink?LinkID=45833.";

The above times show no such message, so I assume that the appearance
of the trojan was not through a browser operation.  I've also ruled
out email.

- -Bob
Tor Server: DodgersSuck
(go Padres!!!)

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQt2SnLjZjQrA9LuCEQL0qQCgwgktwsKcOWH+/C7ZO3E2UcdXc1MAn3Sx
KawNCCbBOpJrTFdAtYxxoWfm
=6wy1
-----END PGP SIGNATURE-----
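The timeline argument in the message above (a burst of port-80 exits to highconvert.com with no matching HTML Help event in the local event log) can be run as a script over the logs. The following is an added example; it is not part of Bob's message and not Tor project code. The AV exit-log lines are constructed from the ones quoted in the post (re-joined where the mail client wrapped them); the local event-log line and its timestamp are assumed, as is the keyword list used to flag exploit-delivery paths.

```python
"""Correlate AV-logged port-80 exit URLs with local HTML Help event times.

Added example, not from the original post or from Tor. Sample inputs below
are constructed; the local event-log timestamp is assumed.
"""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed copy of the AV port-80 exit log ("date time,user,url"), with
# the mail-wrapped lines re-joined.
AV_EXIT_LOG = """\
7/19/2005 12:46:42 PM,Supervisor,http://highconvert.com/system/users/dimpy/
7/19/2005 12:46:43 PM,Supervisor,http://highconvert.com/system/users/dimpy/hta2/web.php
7/19/2005 12:46:59 PM,Supervisor,http://highconvert.com/system/users/dimpy/java/web.php
7/19/2005 12:46:59 PM,Supervisor,http://highconvert.com/system/users/dimpy/chmjpeg/web.php
7/19/2005 12:47:00 PM,Supervisor,http://highconvert.com/system/users/dimpy/new12/web.php
7/19/2005 12:47:00 PM,Supervisor,http://highconvert.com/system/users/dimpy/activx2/web.php
7/19/2005 12:47:01 PM,Supervisor,http://highconvert.com/system/users/dimpy/new9/web.php
7/19/2005 12:47:27 PM,Supervisor,http://highconvert.com/system/users/dimpy/
"""

# Assumed local event-log entries ("This operation can only function within
# HTML Help" messages). The time is hypothetical: a browser visit earlier in
# the day and none during the burst.
LOCAL_HTMLHELP_EVENTS = """\
7/19/2005 09:12:05 AM,HTML Help,http://highconvert.com/system/users/dimpy/hta2/web.php
"""

TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"


def parse_log(text):
    """Parse 'timestamp,source,url' lines into (datetime, source, url) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            ts, source, url = line.split(",", 2)
            rows.append((datetime.strptime(ts, TS_FORMAT), source, url))
    return rows


def bursts_by_host(rows, gap=timedelta(seconds=60)):
    """Group exit requests per host into bursts separated by more than `gap`.

    Returns {host: [(start, end, [urls...]), ...]}.
    """
    per_host = {}
    for ts, _src, url in sorted(rows):
        per_host.setdefault(urlsplit(url).hostname, []).append((ts, url))
    result = {}
    for host, items in per_host.items():
        bursts = []
        for ts, url in items:
            if bursts and ts - bursts[-1][1] <= gap:
                start, _end, urls = bursts[-1]
                bursts[-1] = (start, ts, urls + [url])
            else:
                bursts.append((ts, ts, [url]))
        result[host] = bursts
    return result


def classify_burst(start, end, local_events, slack=timedelta(minutes=2)):
    """'local-browser-activity' if a local HTML Help event falls inside the
    burst window (plus slack), else 'relayed-only': consistent with traffic
    that merely exited through this node."""
    for ts, _src, _url in local_events:
        if start - slack <= ts <= end + slack:
            return "local-browser-activity"
    return "relayed-only"


def suspicious_paths(urls, markers=("hta", "activx", "chm", "java")):
    """Path components matching an assumed list of exploit-delivery keywords."""
    parts = {p for u in urls for p in urlsplit(u).path.split("/")}
    return sorted(p for p in parts if any(m in p for m in markers))


def analyze(av_text=AV_EXIT_LOG, events_text=LOCAL_HTMLHELP_EVENTS):
    """Per-host list of bursts: window, request count, verdict, flagged paths."""
    events = parse_log(events_text)
    report = {}
    for host, bursts in bursts_by_host(parse_log(av_text)).items():
        report[host] = [{
            "start": start.strftime(TS_FORMAT),
            "end": end.strftime(TS_FORMAT),
            "requests": len(urls),
            "verdict": classify_burst(start, end, events),
            "vectors": suspicious_paths(urls),
        } for start, end, urls in bursts]
    return report


if __name__ == "__main__":
    for host, bursts in analyze().items():
        for b in bursts:
            print(host, b)
```

With the constructed inputs the single highconvert.com burst spans 12:46:42 to 12:47:27 PM, carries no local HTML Help event in or near that window, and is reported as relayed-only, which is the same inference the message draws by hand. This only tests the timeline; to actually reproduce the exit path as the message asks, a Tor client of that era could pin its circuits to a named relay with the torrc options `ExitNodes` and `StrictExitNodes 1` and then fetch the URL through its SOCKS port, with the relay's own connection log watched at the same time.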