both my servers crashed

Ron Davis ron_davis at ftml.net
Sun Apr 24 19:24:18 UTC 2005


On Sun, 24 Apr 2005 13:16:35 +0200, "Thomas Sjögren"
<thomas at northernsecurity.net> said:
> On Sun, Apr 24, 2005 at 01:08:59PM +0200, Ron Davis wrote:
> > On second thought, I suspect that the intruder may have entered the
> > system via Tor. My system is behind a hardware firewall, which has ports
> > 9001 and 9050 forwarded only. All other ports are closed for incoming
> > traffic. While the intrusion happened, a software firewall and a virus
> > guard were running on the pc. Tor is the only application that listens
> > on 9001 and 9050. The firewall and guard both have update checkers that
> > use port 80 outgoing. No other applications were running. Is it likely
> > that an unstable Win OS starts listening on ports 9001 or 9050?
> > 
> > OTOH, the virus guard didn't intercept the intrusion. Maybe it wasn't
> > functioning anymore because of the unstable OS? Will an unstable OS open
> > ports? I'm just thinking out loud now.
> 
> Could you check the date (created, accessed, modified etc) on the unwanted 
> binaries and compare it with your tor log?
> Any general system logs available?

I'm sorry, I don't have any of that info. Tor doesn't log to a file in
my setup. And I removed the unwanted binary file as soon as my antivirus
program detected it...

> What was installed, except the known software?

Nothing malicious was installed, I just found the FTPCentre.13.A
installer exe.

> Was your AV up to date?

Yes, it has the very latest defs.

On Sun, 24 Apr 2005 11:13:17 -0400 (EDT), "Quentin Smith"
<quentins at comclub.org> said:

> It would be helpful to know where on your system you found the binary... 

My antivirus program found the installer exe in the root of the drive
where the Program Files are. Tor has its folder there. As said, there was
no sign that it had unpacked. 

An alternative scenario is that the detection of FTPCentre.13.A is not
related to the errors in Tor 0.0.9.8. I tend to install new software on
this pc now and then. I can't preclude that some new software came
bundled with the backdoor program, which remained undetected until
yesterday.

Cheers,
Ron
-- 
  Ron Davis
  ron_davis at ftml.net


