View Full Version : a small question about EQ and trojans
neonchicken
03-05-2003, 03:25 AM
Tonight I had an ip adress 64.37.151.80 that traced to Verant Interactive[eqworld-73.989studios.com] try and access my network using Master Paradise Trojan Horse.
Anyone able to tell me more about this? I am sort of new to all of this. I haven't downloaded anything EQ related on this network before, but I do frequent sourceforge boards.
Thanks....
kleenburn
03-05-2003, 05:07 AM
Had a similar thing happen. "Portal of Doom Trojan Horse" from 64.37.151.105 resolving to eqworld-74.989studios.com during an EQ session Sunday night. Chalked it up to a false alarm, but quit EQ and went to bed anyway.
Dedpoet
03-05-2003, 07:36 AM
My guess is that whatever firewall you are using is identifying the traffic by the port number it is trying to use, and that EQ sent something legitimate on that port number. If EQ tried to send something on port 666, you would probably get a report that Sony was using the SATAN tool against you.
Also, I know this sounds trite, but there is no Verant Interactive anymore. Try it, go to www.verantinteractive.com. It just sends you to a Sony Station site.
nerfherder
03-06-2003, 03:34 PM
The IP could also be spoofed if there is anyway to get upstream of your box. DNS resolution of that IP would then resolve it to its registered DNS name regardless of where it came from.
vexor
03-07-2003, 02:36 PM
I understand that you were able to tell what IP and port that was filtered and denied access, but how were you able to verify that it was "Master Paradise Trojan Horse", or what program classified the attempt as this "type"?
WeirdWeird
03-07-2003, 02:51 PM
Originally posted by vexor
I understand that you were able to tell what IP and port that was filtered and denied access, but how were you able to verify that it was "Master Paradise Trojan Horse", or what program classified the attempt as this "type"?
This is just a SWAG on my part, and feel free to flame me if I am wrong. :rolleyes:
EQ uses a random port to connect to the server, within some range that I don't recall off hand.
These ports are often little used except by malicious code. The port filter has no idea whatsoever as to the data content, they just know that “Evil Program” uses “Port 1234” all the time. Since it is unlikely that a legitimate program is using the port, the filter program posts the warning.
neonchicken
03-07-2003, 05:53 PM
It was on a PC using Norton Internet Security 2003. And I agree, It seems the software just takes the port number trying to be accessed and then search what uses those ports.
It has this visual tracking tracert feature built into it that gave me the info of where it was coming from.
/shrugs....I just posted here, since as a community, this board seems pretty helpful and always insightful.
Thanks again for the responses. Sometime soon I plan on setting up either a FreeBSD or Linux box. Surely I have alot of reading to do and knowledge to gain.
NC
nerfherder
03-08-2003, 02:57 AM
The net has no real geography. The graphic traces usually show the mailing address of who "owns" the IP space that address falls into. At best they show you the lat and long of a near router to the first hop and that is if the engineer has programmed that info into it if you can trust even that.
Again, IP could be spoofed.
I'm sure norton just looks at port. Need something like SNORT to do a true footprint of a supposed attack. Norton just too dumb and windows just too slow to make that likely.
Probably you have nothing to worry about.
If you want to install Nessus on your Linux box you can probe your windows box to make sure you are not listening at any unusual ports. .... or just update your virus software and scan memory.
Nessus + Snort.... A winning team.
Powered by vBulletin® Version 4.1.11 Copyright © 2024 vBulletin Solutions, Inc. All rights reserved.