On Monday 06 November 2006 18:54, Nate Duehr shared this with us all:

> M-L wrote:
> > I have this in my syslog while downloading the latest updates from Debian?
> >
> > My computer drops off the modem. The modem is still connected but ppp is not,
> > the computer doesn't respond to being on the net.
> >
> > I don't use chat and wonder if the machine is actually breached by intruders?
> >
> > Charlie
> >
> > Nov 6 17:59:41 taogypsy chat[7793]: Virus Infection and Unexpected Computer Shutdowns^M
> > Nov 6 17:59:41 taogypsy chat[7793]: ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: Affected Software: ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: Microsoft Windows NT Workstation ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: Microsoft Windows NT Server 4.0 ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: Microsoft Windows 2000 ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: Microsoft Windows XP ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: Microsoft Windows Win98 ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: Microsoft Windows Server 2003^M
> > Nov 6 17:59:41 taogypsy chat[7793]: ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: Non Affected Software: ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: Microsoft Windows Millennium Edition^M
> > Nov 6 17:59:41 taogypsy chat[7793]: ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: Your system is affected, download the patch from the address below ! ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: FIRST TYPE THE ADDRESS BELOW INTO YOUR INTERNET BROWSER, THEN CLICK 'OK
> > Nov 6 17:59:41 taogypsy chat[7793]: -- got it
> > Nov 6 17:59:41 taogypsy chat[7793]: send (ATDT0198308888^M)
> > Nov 6 17:59:41 taogypsy chat[7793]: expect (CONNECT)
> > Nov 6 17:59:41 taogypsy chat[7793]: '.^M
> > Nov 6 17:59:41 taogypsy chat[7793]: THE ADDRESS WILL DISAPPEAR ONCE YOU CLICK 'OK'.^M
> > Nov 6 17:59:41 taogypsy chat[7793]: ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: www.patchupdate.info^M
> >
>
> This looks a lot like your chatscript for the PPP connection has been
> overwritten by an e-mail about a virus or similar text message.
>
> Very strange, but not quite enough to say the box is compromised -- it
> could simply be that the file somehow got overwritten with an errant cut
> and paste or similar.
>
> Definitely worth checking into, though -- look into your /etc/ppp
> directory and associated files. Also, you don't mention which (if any)
> GUI-based dialer you use, but it could be stored in a configuration
> file from one of those also -- again, likely an errant cut and paste or
> similar.
>
> Go hunting with GREP to find the script or configuration file that
> contains one of the phrases from that chat log -- like "THE ADDRESS WILL
> DISAPPEAR" for example. Hunt the whole box if you have to, but you
> should be able to find out where that's coming from...
>
> Nate

Thanks Nate,

I stopped downloading, on dialup 31.2 kbps [and looking at 8 hours].

Installed chkrootkit, which found nothing infected or out of place.

I use pon, is that a GUI dialer?

My system is secure and in full stealth mode according to http://www.grc.com

I will learn how to use grep and see what I can come up with.

This is an Acer lappy, on which I never removed the XP windows system, because I needed it straight away and didn't know if I could get Sarge or Etch installed without problems, and was going to blow XP away as soon as Etch went stable. So I just shrank the windows partition and created the ones I wanted for Etch. It worked and I left it like that for now.

I am wondering if Acer added something as an automagic upgrade. In the BIOS?

But I will try to discover how grep works and find the string.

Thanks again.

Charlie
--
Registered Linux User:- 329524
+++++++++++++++++++++++++++++++++++
Men are equal; it is not birth but virtue that makes the difference.
......................Voltaire
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Linux Debian Etch

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
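Nate's two checks, as a small shell script added here (not code from the thread): read the chat lines out of syslog to see which number the modem was actually told to dial, compare it with the number you configured, and then grep the PPP configuration directories for a phrase from the log. The log lines are a constructed copy of the ones quoted above, EXPECTED_NUMBER is a placeholder for your own ISP number, and /etc/chatscripts is the directory Debian's pon reads its chat script from.

```shell
#!/bin/sh
# Constructed sample of the chat[] syslog lines quoted in the thread (not a live capture).
sample_log() {
cat <<'EOF'
Nov  6 17:59:41 taogypsy chat[7793]: Your system is affected, download the
Nov  6 17:59:41 taogypsy chat[7793]: -- got it
Nov  6 17:59:41 taogypsy chat[7793]: send (ATDT0198308888^M)
Nov  6 17:59:41 taogypsy chat[7793]: expect (CONNECT)
Nov  6 17:59:41 taogypsy chat[7793]: THE ADDRESS WILL DISAPPEAR ONCE YOU CLICK 'OK'.^M
EOF
}

# Print each number chat told the modem to dial. chat logs what it sends as
# "send (ATDT<number>^M)", so the digits after ATDT/ATDP are the real dial
# string, whatever other text the script happens to contain.
dialed_numbers() {
    sed -n 's/.*chat\[[0-9]*\]: send (ATD[TP]\([0-9]*\).*/\1/p'
}

# Compare every dialed number (log on stdin) with the number you configured for
# your ISP. Reports each mismatch and returns 1; a dial string you did not put
# there is the first thing to check when a chat script looks altered.
check_dialed() {
    expected="$1"; rc=0
    for n in $(dialed_numbers); do
        if [ "$n" != "$expected" ]; then
            echo "UNEXPECTED dial string: $n (configured: $expected)"
            rc=1
        fi
    done
    return $rc
}

# Nate's grep hunt: list the text files under the given directories that carry
# the phrase (case-insensitive), i.e. the script or dialer config it lives in.
hunt_phrase() {
    phrase="$1"; shift
    grep -rIli -- "$phrase" "$@" 2>/dev/null
}

# Demo. EXPECTED_NUMBER is a placeholder; set it to your provider's number.
EXPECTED_NUMBER="${EXPECTED_NUMBER:-0000000000}"
echo "dial strings seen in the log:"; sample_log | dialed_numbers
sample_log | check_dialed "$EXPECTED_NUMBER" || echo "-> inspect /etc/ppp/peers and the chat script"
# Debian's pon keeps its chat script under /etc/chatscripts; /etc/ppp holds the rest.
hunt_phrase 'THE ADDRESS WILL DISAPPEAR' /etc/ppp /etc/chatscripts || true
```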

