Re: What does this mean in my account log?

2014-01-24 Thread Leonard S. Berkowitz
On Friday, January 24, 2014, 12:23:43 PM, you (tbudl@thebat.dutaint.com) wrote:

> Most of the setup file REGISTRY entries can be deleted as they are
> just leftovers from the install process. As for files, it likes to
> suggest uninstall files as being potentially dangerous. If you know
> what the FILE is you can exclude it. If you really want to get your
> registry cleaned out and compacted (and speed up your machine), get
> Macecraft's Jv16 Powertools. You can get the lite version for free
> and the pro ... well they are going open source soon and when they
> do grab it. If you want to follow up with this, shoot me an email off list.

Thank you. I will have to bone up on Jv16 Powertools.

Leonard
-- 
Leonard S. Berkowitz


Using The Bat! v5.2.2 on Windows 7 6.1 Build 7601 Service Pack 1



Current version is 6.1.8 | 'Using TBUDL' information:
http://www.silverstones.com/thebat/TBUDLInfo.html


Re: What does this mean in my account log?

2014-01-24 Thread Cafe Noir

Friday, January 24, 2014, 5:34:31 AM, you wrote:

> Karla on Wednesday, January 22, 2014, 2:58:19 PM, you 
> (tbudl@thebat.dutaint.com) wrote:

>> I changed that and will be closely monitoring the
>> mail account. Malwarebytes free software has solved any
>> invader-related issues I've had from time to time over the years, and
>> I download it upon getting a new computer so that I am prepared. I
>> highly recommend it, and hope it is that simple to solve your issue.

> I downloaded the free version and performed a quick scan. A whole
> bunch of items were "detected." Most of them have to do with the
> registry. Some are in files I recognize, e.g., setup files from
> software that I have installed, and I do not want to delete those.

> So, in your opinion, can I safely remove the items associated with the
> registry? (I really do not understand how to mess with the registry.)

> Thanks

Hello Leonard,

My understanding of the registry is limited also, but when using
Malwarebytes, I've allowed detected items to be removed. Have never
seen installer software as a detection, and I have many software
installations. Removal of detected threats has always solved whatever
problem I had.

Karla

-- 
Best regards,
 Cafe Noir  mailto:cafe.n...@mail.ru

Secure Email   Natural Health
 http://pobox.com/~potentia  http://www.63y.in

 Using The Bat! v5.8.8 on Windows 6.2 Build 9200 





Re: What does this mean in my account log?

2014-01-24 Thread Rick
>I downloaded the free version and performed a quick scan. A whole bunch of 
>items were "detected." Most of them have to do with the registry. Some are in 
>files I recognize, e.g., setup files from software that I have installed, and I 
>do not want to delete those.

Most of the setup file REGISTRY entries can be deleted as they are just 
leftovers from the install process. As for files, it likes to suggest uninstall 
files as being potentially dangerous. If you know what the FILE is you can 
exclude it. If you really want to get your registry cleaned out and compacted 
(and speed up your machine), get Macecraft's Jv16 Powertools. You can get the 
lite version for free and the pro ... well they are going open source soon and 
when they do grab it. If you want to follow up with this, shoot me an email off 
list.

-- 
Rick
Work like you don't need the money. Love like you've never been hurt. Dance 
like nobody's watching. 
Leroy "Satchel" Paige, 1906 - 1982.

v6.2.4.1 (BETA) on Windows 6.2 Build  9200

Using all POP accounts
I download all images

 







Re: What does this mean in my account log?

2014-01-24 Thread Leonard S. Berkowitz
Karla on Wednesday, January 22, 2014, 2:58:19 PM, you 
(tbudl@thebat.dutaint.com) wrote:

> I changed that and will be closely monitoring the
> mail account. Malwarebytes free software has solved any
> invader-related issues I've had from time to time over the years, and
> I download it upon getting a new computer so that I am prepared. I
> highly recommend it, and hope it is that simple to solve your issue.

I downloaded the free version and performed a quick scan. A whole
bunch of items were "detected." Most of them have to do with the
registry. Some are in files I recognize, e.g., setup files from
software that I have installed, and I do not want to delete those.

So, in your opinion, can I safely remove the items associated with the
registry? (I really do not understand how to mess with the registry.)

Thanks.
-- 
Leonard S. Berkowitz


Using The Bat! v5.2.2 on Windows 7 6.1 Build 7601 Service Pack 1





Re: What does this mean in my account log?

2014-01-23 Thread Leonard S. Berkowitz
Karla, on Wednesday, January 22, 2014, 2:58:19 PM, you 
(tbudl@thebat.dutaint.com) wrote:

> My default mode for finding any such issues is to run a Malwarebytes
> scan on the computer. One of the things I've noticed in The Bat! is
> that accessing AOL mail gives a message of an invalid certificate, but
> I've always ignored the message. However, for the first time
> yesterday, I received a clearly virus-laden (via a link) email which
> claimed to be sent from my AOL account to two other unrelated email
> addresses that I own and one other email address of a correspondent
> of mine. I visited AOL mail online and found that the email had been
> sent from my account, so I changed my password at AOL and scanned both
> of my computers. I had no invaders, so I think it is either a hacking
> of my AOL account or something related to Facebook, since I used the
> AOL address there. I changed that and will be closely monitoring the
> mail account. Malwarebytes free software has solved any
> invader-related issues I've had from time to time over the years, and
> I download it upon getting a new computer so that I am prepared. I
> highly recommend it, and hope it is that simple to solve your issue.

Thanks for the tip. I have not used AOL for more than 15 years.
However, I will download and install Malwarebytes as you recommend.

Leonard

-- 
Leonard S. Berkowitz


Using The Bat! v5.2.2 on Windows 7 6.1 Build 7601 Service Pack 1





Re: What does this mean in my account log?

2014-01-22 Thread Cafe Noir

Wednesday, January 22, 2014, 11:15:54 AM, you wrote:

> On Wednesday, January 22, 2014, 7:42:48 AM, you (tbudl@thebat.dutaint.com) 
> wrote:

>> What would you do if someone raided your living room while you were 
>> upstairs sleeping?

>> Treat it the same way.

> If someone raided my living room, I would call the police, then get a
> broom and clean up the mess. What police do I summon for
> man-in-the-middle? Where do I find the mess in this instance?

> Thanks,

Hello Leonard,

My default mode for finding any such issues is to run a Malwarebytes
scan on the computer. One of the things I've noticed in The Bat! is
that accessing AOL mail gives a message of an invalid certificate, but
I've always ignored the message. However, for the first time
yesterday, I received a clearly virus-laden (via a link) email which
claimed to be sent from my AOL account to two other unrelated email
addresses that I own and one other email address of a correspondent
of mine. I visited AOL mail online and found that the email had been
sent from my account, so I changed my password at AOL and scanned both
of my computers. I had no invaders, so I think it is either a hacking
of my AOL account or something related to Facebook, since I used the
AOL address there. I changed that and will be closely monitoring the
mail account. Malwarebytes free software has solved any
invader-related issues I've had from time to time over the years, and
I download it upon getting a new computer so that I am prepared. I
highly recommend it, and hope it is that simple to solve your issue.

Karla

-- 
Best regards,
 Cafe Noir  mailto:cafe.n...@mail.ru

Secure Email   Natural Health
 http://pobox.com/~potentia  http://www.63y.in

 Using The Bat! v5.8.8 on Windows 6.2 Build 9200 





Re: What does this mean in my account log?

2014-01-22 Thread Leonard S. Berkowitz
On Wednesday, January 22, 2014, 7:42:48 AM, you (tbudl@thebat.dutaint.com) 
wrote:

> What would you do if someone raided your living room while you were 
> upstairs sleeping?

> Treat it the same way.

If someone raided my living room, I would call the police, then get a
broom and clean up the mess. What police do I summon for
man-in-the-middle? Where do I find the mess in this instance?

Thanks,
-- 
Leonard S. Berkowitz


Using The Bat! v5.2.2 on Windows 7 6.1 Build 7601 Service Pack 1





Re: What does this mean in my account log?

2014-01-22 Thread Alto Speckhardt
Hi,


> What can I do about it?

What would you do if someone raided your living room while you were 
upstairs sleeping?

Treat it the same way.


-- 
Kind regards
Alto Speckhardt
mailto:a...@treadstone79.de





Re: What does this mean in my account log?

2014-01-22 Thread Leonard S. Berkowitz
On Tuesday, January 21, 2014, 6:22:06 PM, you (tbudl@thebat.dutaint.com) wrote:

> Gmail doesn't use self-signed certificates. You have an MITM attack
> going on there, as Jernej already said. I have no way to tell if it is
> malicious, or something "friendly" installed on your computer or
> network.

What can I do about it?
-- 
Leonard S. Berkowitz


Using The Bat! v5.2.2 on Windows 7 6.1 Build 7601 Service Pack 1





Re: What does this mean in my account log?

2014-01-21 Thread MFPA
Hi


On Tuesday 21 January 2014 at 6:46:25 AM, Leonard S. Berkowitz wrote:



> Here is the entire "set" for one connect interval:

>  1/20/2014, 22:32:00: FETCH - receiving mail messages
>  1/20/2014, 22:32:00: FETCH - Connecting to POP3 server pop.gmail.com on port 995
>  1/20/2014, 22:32:00: FETCH - Initiating TLS handshake
>>1/20/2014, 22:32:00: FETCH - Certificate S/N: 011E8403, algorithm: RSA (512 bits), issued from 10/5/2012 10:19:13 PM to 9/30/2032 10:19:13 PM, for 1 host(s): pop.gmail.com.
>>1/20/2014, 22:32:00: FETCH - Owner: EN, pop.gmail.com.
>>1/20/2014, 22:32:00: FETCH - This certificate is self-issued.
>  1/20/2014, 22:32:00: FETCH - TLS handshake complete
>  1/20/2014, 22:32:00: FETCH - connected to POP3 server
>  1/20/2014, 22:32:01: FETCH - authenticated (plain)
>  1/20/2014, 22:32:01: FETCH - 0 messages in the mailbox, 0 new
>  1/20/2014, 22:32:01: FETCH - connection finished - 0 messages received

> Does this tell you anything?  

It tells me the certificate you already mentioned is self-signed.

Gmail doesn't use self-signed certificates. You have an MITM attack
going on there, as Jernej already said. I have no way to tell if it is
malicious, or something "friendly" installed on your computer or
network.


-- 
Best regards

MFPA  mailto:2014-667rhzu3dc-lists-gro...@riseup.net

Take my advice - I don't use it anyway. 

Using The Bat! v4.0.38 on Windows XP 5.1 Build 2600 Service Pack 3 





Re: What does this mean in my account log?

2014-01-20 Thread Leonard S. Berkowitz
On Monday, January 20, 2014, 6:38:27 PM, you (tbudl@thebat.dutaint.com) wrote:

> After the line about "FETCH - Certificate S/N: 011E8403, algorithm: 
> RSA (512 bits), issued from 10/5/2012 10:19:13 PM to 9/30/2032 
> 10:19:13 PM, for 1 host(s): pop.gmail.com." do you see a line about 
> "owner" or "root?"

Here is the entire "set" for one connect interval:

 1/20/2014, 22:32:00: FETCH - receiving mail messages
 1/20/2014, 22:32:00: FETCH - Connecting to POP3 server pop.gmail.com on port 995
 1/20/2014, 22:32:00: FETCH - Initiating TLS handshake
>1/20/2014, 22:32:00: FETCH - Certificate S/N: 011E8403, algorithm: RSA (512 bits), issued from 10/5/2012 10:19:13 PM to 9/30/2032 10:19:13 PM, for 1 host(s): pop.gmail.com.
>1/20/2014, 22:32:00: FETCH - Owner: EN, pop.gmail.com.
>1/20/2014, 22:32:00: FETCH - This certificate is self-issued.
 1/20/2014, 22:32:00: FETCH - TLS handshake complete
 1/20/2014, 22:32:00: FETCH - connected to POP3 server
 1/20/2014, 22:32:01: FETCH - authenticated (plain)
 1/20/2014, 22:32:01: FETCH - 0 messages in the mailbox, 0 new
 1/20/2014, 22:32:01: FETCH - connection finished - 0 messages received

Does this tell you anything?
-- 
Leonard S. Berkowitz


Using The Bat! v5.2.2 on Windows 7 6.1 Build 7601 Service Pack 1





Re: What does this mean in my account log?

2014-01-20 Thread MFPA
Hi


On Sunday 19 January 2014 at 9:09:12 AM, Leonard S. Berkowitz wrote:


> I do not have Avast, rather Avira. Would your comment
> still apply? Thanks.  

It was just a suggestion, that the apparent MITM attack might be
nothing to worry about. Some anti-virus programs do it like Avast with
an MITM attack, others have a plug-in for the email app and scan the
messages on access after they are received. I don't know what way
Avira does it, if at all. 


After the line about "FETCH - Certificate S/N: 011E8403, algorithm: 
RSA (512 bits), issued from 10/5/2012 10:19:13 PM to 9/30/2032 
10:19:13 PM, for 1 host(s): pop.gmail.com." do you see a line about 
"owner" or "root?"


-- 
Best regards

MFPA  mailto:2014-667rhzu3dc-lists-gro...@riseup.net

A closed door is an invitation to knock

Using The Bat! v4.0.38 on Windows XP 5.1 Build 2600 Service Pack 3 





Re: What does this mean in my account log?

2014-01-19 Thread Leonard S. Berkowitz
On Saturday, January 18, 2014, 12:39:53 PM, you (tbudl@thebat.dutaint.com) 
wrote:

> Maybe it is something to do with your anti-virus, like the Avast! root
> certificate with no dates or serial number mentioned in my TLS
> handshake? (Avast! does a "man-in-the-middle attack" so that it can
> scan my email for nasties.)

I do not have Avast, rather Avira. Would your comment still apply?
Thanks.
-- 
Leonard S. Berkowitz


Using The Bat! v5.2.2 on Windows 7 6.1 Build 7601 Service Pack 1





Re: What does this mean in my account log?

2014-01-19 Thread Leonard S. Berkowitz
On Saturday, January 18, 2014, 11:49:22 AM, you (tbudl@thebat.dutaint.com) 
wrote:

> However, the certificate it's announcing doesn't look right -
> 512bit RSA is insecure (even 1024bit RSA has been phased out), and
> nobody issues end-entity certificates that are valid for more than 5
> years, so you should check why you're seeing that certificate (it
> almost certainly means that somebody is doing a man-in-the-middle
> attack with it, thus being able to read all messages you download).


How do I go about doing that?
-- 
Leonard S. Berkowitz


Using The Bat! v5.2.2 on Windows 7 6.1 Build 7601 Service Pack 1





Re: What does this mean in my account log?

2014-01-19 Thread Leonard S. Berkowitz
On Saturday, January 18, 2014, 5:25:47 AM, you (tbudl@thebat.dutaint.com) wrote:

> You said it. This line is just one of the 'TLS handshake' lines logged when
> connecting to gmail servers. That is why it occurs every 3 minutes in 
> your case.

Thanks.
-- 
Leonard S. Berkowitz


Using The Bat! v5.2.2 on Windows 7 6.1 Build 7601 Service Pack 1





Re: What does this mean in my account log?

2014-01-18 Thread MFPA
Hi


On Saturday 18 January 2014 at 4:49:22 PM, Jernej Simoncic wrote:


> On Friday, January 17, 2014, 23:10:24, Leonard S.
> Berkowitz wrote:
>> FETCH - Certificate S/N: 011E8403, 
>> algorithm: RSA (512 bits), 
>> issued from 10/5/2012 10:19:13 PM to 9/30/2032 10:19:13 PM, 
>> for 1 host(s): pop.gmail.com.


> However, the certificate it's
> announcing doesn't look right - 512bit RSA is insecure
> (even 1024bit RSA has been phased out), and nobody
> issues end-entity certificates that are valid for more
> than 5 years, so you should check why you're seeing
> that certificate (it almost certainly means that
> somebody is doing a man-in-the-middle attack with it,
> thus being able to read all messages you download).  


My Gmail account log shows:-
 
 FETCH - Initiating TLS handshake
 
 FETCH - Certificate S/N: 0A7AA2766A688E80, 
 algorithm: RSA (2048 bits), 
 issued from 10/09/2013 07:57:39 to 10/09/2014 07:57:39, 
 for 1 host(s): pop.gmail.com.
 
 FETCH - Owner: US, California, Mountain View, 
 Google Inc, pop.gmail.com.
 
 FETCH - Root: generated by avast! antivirus for SSL scanning, 
 avast! Mail Scanner, avast! Mail Scanner Root

 FETCH - TLS handshake complete
 
Maybe it is something to do with your anti-virus, like the Avast! root
certificate with no dates or serial number mentioned in my TLS
handshake? (Avast! does a "man-in-the-middle attack" so that it can
scan my email for nasties.)


-- 
Best regards

MFPA  mailto:2014-667rhzu3dc-lists-gro...@riseup.net

A closed mouth gathers no foot

Using The Bat! v4.0.38 on Windows XP 5.1 Build 2600 Service Pack 3 





Re: What does this mean in my account log?

2014-01-18 Thread Jernej Simončič
On Friday, January 17, 2014, 23:10:24, Leonard S. Berkowitz wrote:

> FETCH - Certificate S/N: 011E8403, algorithm: RSA (512 bits),
> issued from 10/5/2012 10:19:13 PM to 9/30/2032 10:19:13 PM, for 1 host(s): 
> pop.gmail.com.

> It occurs repeatedly, every three minutes -- the frequency configured
> for checking mail.

> And should I be concerned about it?

The line is part of the normal TLS handshake, and usually wouldn't
matter. However, the certificate it's announcing doesn't look right -
512bit RSA is insecure (even 1024bit RSA has been phased out), and
nobody issues end-entity certificates that are valid for more than 5
years, so you should check why you're seeing that certificate (it
almost certainly means that somebody is doing a man-in-the-middle
attack with it, thus being able to read all messages you download).

-- 
< Jernej Simončič ><><><><>< http://eternallybored.org/ >

The idea is to die young as late as possible.
   -- Montagu's Maxim
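
Added example, not part of any list member's post: a Python sketch that applies the checks raised in this thread (RSA key below 2048 bits, validity longer than 5 years, "self-issued", and who the `Root:` line names) to The Bat! handshake lines. The function names and flag labels are hypothetical; the two sample logs are the ones posted in the thread, unwrapped to one entry per line.

```python
import re
from datetime import datetime

# One unwrapped log entry per line, in the format shown in the thread.
CERT_RE = re.compile(
    r"Certificate S/N: (?P<sn>[0-9A-Fa-f]+),\s*algorithm: (?P<alg>\w+) "
    r"\((?P<bits>\d+) bits\),\s*issued from (?P<start>[^,]+?) to (?P<end>[^,]+),"
)
# The thread shows both US-style 12-hour and day-first 24-hour timestamps.
DATE_FORMATS = ("%m/%d/%Y %I:%M:%S %p", "%d/%m/%Y %H:%M:%S")


def parse_date(text):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised date: {text!r}")


def audit_handshake(lines, min_rsa_bits=2048, max_years=5):
    """Return {'flags': [...], 'root': str or None} for one TLS handshake."""
    flags, root = [], None
    for line in lines:
        # Drop the leading '>' marker and timestamp, keep the message body.
        body = line.split("FETCH - ", 1)[-1].strip()
        cert = CERT_RE.search(body)
        if cert:
            if cert["alg"] == "RSA" and int(cert["bits"]) < min_rsa_bits:
                flags.append("weak-rsa-key")
            span = parse_date(cert["end"]) - parse_date(cert["start"])
            if span.days / 365.25 > max_years:
                flags.append("long-validity")
        elif body.startswith("This certificate is self-issued"):
            flags.append("self-issued")
        elif body.startswith("Root:"):
            # Shows which CA (or local scanner) the chain ends at.
            root = body[len("Root:"):].strip()
    return {"flags": flags, "root": root}


# Log lines as posted in the thread (unwrapped).
LEONARD_LOG = [
    " 1/20/2014, 22:32:00: FETCH - Initiating TLS handshake",
    ">1/20/2014, 22:32:00: FETCH - Certificate S/N: 011E8403, algorithm: RSA (512 bits), "
    "issued from 10/5/2012 10:19:13 PM to 9/30/2032 10:19:13 PM, for 1 host(s): pop.gmail.com.",
    ">1/20/2014, 22:32:00: FETCH - Owner: EN, pop.gmail.com.",
    ">1/20/2014, 22:32:00: FETCH - This certificate is self-issued.",
    " 1/20/2014, 22:32:00: FETCH - TLS handshake complete",
]
MFPA_LOG = [
    " FETCH - Initiating TLS handshake",
    " FETCH - Certificate S/N: 0A7AA2766A688E80, algorithm: RSA (2048 bits), "
    "issued from 10/09/2013 07:57:39 to 10/09/2014 07:57:39, for 1 host(s): pop.gmail.com.",
    " FETCH - Owner: US, California, Mountain View, Google Inc, pop.gmail.com.",
    " FETCH - Root: generated by avast! antivirus for SSL scanning, "
    "avast! Mail Scanner, avast! Mail Scanner Root",
    " FETCH - TLS handshake complete",
]

if __name__ == "__main__":
    for name, log in (("Leonard", LEONARD_LOG), ("MFPA", MFPA_LOG)):
        print(name, audit_handshake(log))
```

A handshake with no flags can still be intercepted locally, which is why the `root` value is returned for a human to read rather than being scored.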




Re: What does this mean in my account log?

2014-01-18 Thread MAU
Hello Leonard,

> FETCH - Certificate S/N: 011E8403, algorithm: RSA (512 bits), issued
> from 10/5/2012 10:19:13 PM to 9/30/2032 10:19:13 PM, for 1 host(s): 
> pop.gmail.com.
>
> It occurs repeatedly, every three minutes -- the frequency configured
> for checking mail.

You said it. This line is just one of the 'TLS handshake' lines logged when 
connecting to gmail servers. That is why it occurs every 3 minutes in 
your case.

Here is a sample of the TLS handshake lines in my case:

 18/01/2014, 11:16:52: FETCH - receiving mail messages
 18/01/2014, 11:16:52: FETCH - Connecting to POP3 server pop.gmail.com on port 995
 18/01/2014, 11:16:53: FETCH - Initiating TLS handshake
>18/01/2014, 11:16:53: FETCH - Certificate S/N: 0A7AA2766A688E80, algorithm: RSA (2.
>18/01/2014, 11:16:53: FETCH - Issuer: "US", "Google Inc", "Google Internet Authority G2".
>18/01/2014, 11:16:53: FETCH - Root: "US", "GeoTrust Inc.", "GeoTrust Global CA"
 18/01/2014, 11:16:53: FETCH - TLS handshake complete

> And should I be concerned about it?

No, not at all.


-- 
Best regards,

Miguel A. Urech (El Escorial - Spain)
Using The Bat! v6.2.4
My photos at: http://www.Rancho-K.com
My photoblog: http://mau.aminus3.com





What does this mean in my account log?

2014-01-17 Thread Leonard S. Berkowitz
FETCH - Certificate S/N: 011E8403, algorithm: RSA (512 bits), issued from 
10/5/2012 10:19:13 PM to 9/30/2032 10:19:13 PM, for 1 host(s): pop.gmail.com.

It occurs repeatedly, every three minutes -- the frequency configured
for checking mail.

And should I be concerned about it?

Thanks.

-- 
Leonard S. Berkowitz


Using The Bat! v5.2.2 on Windows 7 6.1 Build 7601 Service Pack 1


