dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
5742
share rss forum feed


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

2 recommendations

reply to Teknikal01

Re: intruder in my network

said by Teknikal01 :

Wireless is simple unsecure - Despite the security/authentication protocols....

You would have better luck with a wired network.

And some posters would have better luck if they actually read a thread before responding to it.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

Just Bob
Premium
join:2000-08-13
Spring Hill, FL

1 recommendation

reply to anarchoi2

Have you checked to see if you can find pimp.exe anywhere on your computer?

If so, it may or may not be a problem, but this is the most authoritative source I've found:
»www.prevx.com/filenames/X1612480···EXE.html
--
"...an imbalance between rich and poor is the oldest and most fatal ailment of all republics." Plutarch
Judging other people is easy. Understanding them can break your heart.



anarchoi2

@distributel.net
reply to anarchoi2

What website was this, and what "VPN" software did you have to download / install?
First VPN was a game i bought on eBay. The seller sent me a file called
CDKEYZIP.pbk and asked me to connect to "EUROIP PPTP Ukraine" VPN

Second one was from www.direct2play.com

The game was Borderlands 2

Also agree with Bullwhip See Profile in that is the VPN software still running on Anarchoi-Pc and Anarchoi-Laptop
at the time "PIMP" is visible?
I deleted all files related to the VPN's

When i do "nbtstat" i don't see PIMP in the list even if i see it in the windows network neighboorhood. "DBTOA000" is listed twice (this is my girlfriend's laptop)

C:\Users\Anarchoi>nbtstat -c

ANARCHOI:
Adresse IP du noeud : [192.168.2.2] ID d'étendue : []

Table de nom de cache distant NetBIOS

Nom Type Adresse d'hôte Vie [sec]
------------------------------------------------------------
ANARCHOI_LAPTOP UNIQUE 192.168.2.9 227
DBTOA000 UNIQUE 192.168.2.5 215
DBTOA000 UNIQUE 192.168.2.5 215

Hamachi:
Adresse IP du noeud : [25.162.23.89] ID d'étendue : []

Table de nom de cache distant NetBIOS

Nom Type Adresse d'hôte Vie [sec]
------------------------------------------------------------
ANARCHOI_LAPTOP UNIQUE 25.207.9.158 187

Microsoft Windows [version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Tous droits réservés.

C:\Users\Anarchoi>nbtstat -n

ANARCHOI:
Adresse IP du noeud : [192.168.2.2] ID d'étendue : []

Table nom local NetBIOS

Nom Type Statut
---------------------------------------------
ANARCHOI-PC UNIQUE Inscrit
WORKGROUP Groupe Inscrit
ANARCHOI-PC UNIQUE Inscrit
WORKGROUP Groupe Inscrit
WORKGROUP UNIQUE Inscrit
..__MSBROWSE__. Groupe Inscrit

Hamachi:
Adresse IP du noeud : [25.162.23.89] ID d'étendue : []

Table nom local NetBIOS

Nom Type Statut
---------------------------------------------
ANARCHOI-PC UNIQUE Inscrit
WORKGROUP Groupe Inscrit
ANARCHOI-PC UNIQUE Inscrit
WORKGROUP Groupe Inscrit

C:\Users\Anarchoi>

Microsoft Windows [version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Tous droits réservés.

C:\Users\Anarchoi>nbtstat -s

ANARCHOI:
Adresse IP du noeud : [192.168.2.2] ID d'étendue : []

Table de connexion NetBIOS

Nom local État Ent/Sor Hôte Distant Entrée Sortie
---------------------------------------------------------------------------
ANARCHOI-PC Connecté Sortie DBTOA000
665B 656B

Hamachi:
Adresse IP du noeud : [25.162.23.89] ID d'étendue : []

Aucune connexion

C:\Users\Anarchoi>

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to anarchoi2

Okay, so PBK files supposedly store connection settings for Windows... dunno if you still have the file to
be reviewed and/or submitted for a malware investigation / analysis.

...and it was "nbtstat -S" (capitalized, not lower case).

Regards



anarchoi2

@distributel.net

I uploaded the file here:
»www.2shared.com/file/xJjERHDA/CDKEYZIP.html

Microsoft Windows [version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Tous droits réservés.

C:\Users\Anarchoi>nbtstat -S

ANARCHOI:
Adresse IP du noeud : [192.168.2.2] ID d'étendue : []

Aucune connexion

Hamachi:
Adresse IP du noeud : [25.162.23.89] ID d'étendue : []

Aucune connexion

C:\Users\Anarchoi>



NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

1 recommendation

A .pbk file is just a text file, not an executable, so it is unlikely that anybody's malware scanner will tell you anything. The "pbk" file extension is an acronym for "phonebook", and the file contains text parameter entries used by Windows for making dialup and VPN connections.

FWIW, here is the relevant information for the "Ukraine" entries in the file you uploaded:

[EUROIP L2TP Ukraine]
Encoding=1
Type=2
AutoLogon=0
UseRasCredentials=1
LowDateTime=-1331370144
HighDateTime=29944263
DialParamsUID=172546
Guid=7106BE987679AF4B8258EFCCADA692A5
BaseProtocol=1
VpnStrategy=3
ExcludedProtocols=2
LcpExtensions=1
DataEncryption=8
SwCompression=1
NegotiateMultilinkAlways=1
SkipNwcWarning=0
SkipDownLevelDialog=0
SkipDoubleDialDialog=0
DialMode=1
OverridePref=15
RedialAttempts=99
RedialSeconds=30
IdleDisconnectSeconds=0
RedialOnLinkFailure=0
CallbackMode=0
CustomDialDll=
CustomDialFunc=
CustomRasDialDll=
ForceSecureCompartment=0
DisableIKENameEkuCheck=0
AuthenticateServer=0
ShareMsFilePrint=1
BindMsNetClient=1
SharedPhoneNumbers=0
GlobalDeviceSettings=0
PrerequisiteEntry=
PrerequisitePbk=
PreferredPort=VPN2-0
PreferredDevice=WAN Miniport (L2TP)
PreferredBps=0
PreferredHwFlow=1
PreferredProtocol=1
PreferredCompression=1
PreferredSpeaker=1
PreferredMdmProtocol=0
PreviewUserPw=1
PreviewDomain=0
PreviewPhoneNumber=0
ShowDialingProgress=1
ShowMonitorIconInTaskBar=1
CustomAuthKey=-1
AuthRestrictions=544
TypicalAuth=2
IpPrioritizeRemote=1
IpInterfaceMetric=0
fCachedDnsSuffix=0
IpHeaderCompression=0
IpAddress=0.0.0.0
IpDnsAddress=0.0.0.0
IpDns2Address=0.0.0.0
IpWinsAddress=0.0.0.0
IpWins2Address=0.0.0.0
IpAssign=1
IpNameAssign=1
IpDnsFlags=0
IpNBTFlags=1
TcpWindowSize=0
UseFlags=0
IpSecFlags=0
IpDnsSuffix=
IpCachedDnsSuffix=
Ipv6PrioritizeRemote=1
Ipv6InterfaceMetric=0
Ipv6NameAssign=1
Ipv6DnsAddress=::
Ipv6Dns2Address=::
Ipv6InterfaceId=0000000000000000
 
NETCOMPONENTS=
ms_server=1
ms_msclient=1
ms_psched=1
ms_nwsapagent=1
ms_nwclient=1
ms_pacer=1
cfosspeed=1
odysseyim4=1
vmware_bridge=1
 
MEDIA=rastapi
Port=VPN0-0
Device=WAN-miniport (L2TP)
 
DEVICE=vpn
PhoneNumber=ttu.15.usaip.eu
AreaCode=
CountryCode=98
CountryID=98
UseDialingRules=0
Comment=
LastSelectedPhone=0
PromoteAlternates=0
TryNextAlternateOnFail=1
 
[EUROIP PPTP Ukraine]
Encoding=1
Type=2
AutoLogon=0
UseRasCredentials=1
LowDateTime=-1542958000
HighDateTime=29944249
DialParamsUID=172546
Guid=7106BE987679AF4B8258EFCCADA692A5
BaseProtocol=1
VpnStrategy=1
ExcludedProtocols=2
LcpExtensions=1
DataEncryption=8
SwCompression=1
NegotiateMultilinkAlways=1
SkipNwcWarning=0
SkipDownLevelDialog=0
SkipDoubleDialDialog=0
DialMode=1
OverridePref=15
RedialAttempts=99
RedialSeconds=30
IdleDisconnectSeconds=0
RedialOnLinkFailure=0
CallbackMode=0
CustomDialDll=
CustomDialFunc=
CustomRasDialDll=
ForceSecureCompartment=0
DisableIKENameEkuCheck=0
AuthenticateServer=0
ShareMsFilePrint=1
BindMsNetClient=1
SharedPhoneNumbers=0
GlobalDeviceSettings=0
PrerequisiteEntry=
PrerequisitePbk=
PreferredPort=VPN2-0
PreferredDevice=WAN Miniport (L2TP)
PreferredBps=0
PreferredHwFlow=1
PreferredProtocol=1
PreferredCompression=1
PreferredSpeaker=1
PreferredMdmProtocol=0
PreviewUserPw=1
PreviewDomain=0
PreviewPhoneNumber=0
ShowDialingProgress=1
ShowMonitorIconInTaskBar=1
CustomAuthKey=-1
AuthRestrictions=544
TypicalAuth=2
IpPrioritizeRemote=1
IpInterfaceMetric=0
fCachedDnsSuffix=0
IpHeaderCompression=0
IpAddress=0.0.0.0
IpDnsAddress=0.0.0.0
IpDns2Address=0.0.0.0
IpWinsAddress=0.0.0.0
IpWins2Address=0.0.0.0
IpAssign=1
IpNameAssign=1
IpDnsFlags=0
IpNBTFlags=1
TcpWindowSize=0
UseFlags=0
IpSecFlags=1
IpDnsSuffix=
IpCachedDnsSuffix=
Ipv6PrioritizeRemote=1
Ipv6InterfaceMetric=0
Ipv6NameAssign=1
Ipv6DnsAddress=::
Ipv6Dns2Address=::
Ipv6InterfaceId=0000000000000000
 
NETCOMPONENTS=
ms_server=1
ms_msclient=1
ms_psched=1
ms_nwsapagent=1
ms_nwclient=1
ms_pacer=1
cfosspeed=1
odysseyim4=1
vmware_bridge=1
 
MEDIA=rastapi
Port=VPN0-0
Device=WAN-miniport (L2TP)
 
DEVICE=vpn
PhoneNumber=ttu.15.usaip.eu
AreaCode=
CountryCode=98
CountryID=98
UseDialingRules=0
Comment=
LastSelectedPhone=0
PromoteAlternates=0
TryNextAlternateOnFail=1
 
[EUROIP SSTP Ukraine]
Encoding=1
PBVersion=1
Type=2
AutoLogon=0
UseRasCredentials=1
LowDateTime=463995664
HighDateTime=30143741
DialParamsUID=172546
Guid=7106BE987679AF4B8258EFCCADA692A5
VpnStrategy=5
ExcludedProtocols=2
LcpExtensions=1
DataEncryption=8
SwCompression=1
NegotiateMultilinkAlways=1
SkipDoubleDialDialog=0
DialMode=1
OverridePref=15
RedialAttempts=99
RedialSeconds=30
IdleDisconnectSeconds=0
RedialOnLinkFailure=0
CallbackMode=0
CustomDialDll=
CustomDialFunc=
CustomRasDialDll=
ForceSecureCompartment=0
DisableIKENameEkuCheck=0
AuthenticateServer=0
ShareMsFilePrint=1
BindMsNetClient=1
SharedPhoneNumbers=0
GlobalDeviceSettings=0
PrerequisiteEntry=
PrerequisitePbk=
PreferredPort=VPN0-0
PreferredDevice=WAN Miniport (SSTP)
PreferredBps=0
PreferredHwFlow=1
PreferredProtocol=1
PreferredCompression=1
PreferredSpeaker=1
PreferredMdmProtocol=0
PreviewUserPw=1
PreviewDomain=0
PreviewPhoneNumber=0
ShowDialingProgress=1
ShowMonitorIconInTaskBar=1
CustomAuthKey=0
AuthRestrictions=544
IpPrioritizeRemote=1
IpInterfaceMetric=0
IpHeaderCompression=0
IpAddress=0.0.0.0
IpDnsAddress=0.0.0.0
IpDns2Address=0.0.0.0
IpWinsAddress=0.0.0.0
IpWins2Address=0.0.0.0
IpAssign=1
IpNameAssign=1
IpDnsFlags=0
IpNBTFlags=1
TcpWindowSize=0
UseFlags=0
IpSecFlags=0
IpDnsSuffix=
Ipv6Assign=1
Ipv6Address=::
Ipv6PrefixLength=0
Ipv6PrioritizeRemote=1
Ipv6InterfaceMetric=0
Ipv6NameAssign=1
Ipv6DnsAddress=::
Ipv6Dns2Address=::
Ipv6Prefix=0000000000000000
Ipv6InterfaceId=0000000000000000
DisableClassBasedDefaultRoute=0
DisableMobility=0
NetworkOutageTime=0
ProvisionType=0
PreSharedKey=
 
NETCOMPONENTS=
ms_server=1
ms_msclient=1
ms_psched=1
ms_nwsapagent=1
ms_nwclient=1
ms_pacer=1
cfosspeed=1
odysseyim4=1
vmware_bridge=1
 
MEDIA=rastapi
Port=VPN0-0
Device=WAN Miniport (SSTP)
 
DEVICE=vpn
PhoneNumber=vpn15.usaip.eu
AreaCode=
CountryCode=98
CountryID=98
UseDialingRules=0
Comment=
FriendlyName=
LastSelectedPhone=0
PromoteAlternates=0
TryNextAlternateOnFail=1
 

There is no way of knowing if you were hacked while attached to that VPN server, or if what you have is something that came packaged with some game you downloaded. However, the safest thing to do would be to nuke the effected PCs from orbit, change all passwords to everything you use that uses a password, and carefully check your bank and credit card accounts for at least several months. DBAN is the ultimate malware removal tool.

--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.


Lagz
Premium
join:2000-09-03
The Rock

1 recommendation

reply to anarchoi2

Hamachi is a VPN. So you didn't entirely delete all the VPN software



NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

2 edits

1 recommendation

said by Lagz:

Hamachi is a VPN. So you didn't entirely delete all the VPN software

And the owner of the IP address used by that Himachi connection is somewhat interesting:


% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.
% Information related to '25.0.0.0 - 25.255.255.255'
inetnum:        25.0.0.0 - 25.255.255.255
netname:        UK-MOD-19850128
descr:          DINSA, Ministry of Defence
country:        GB
org:            ORG-DMoD1-RIPE
admin-c:        MN1891-RIPE
tech-c:         MN1891-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      UK-MOD-MNT
mnt-domains:    UK-MOD-MNT
mnt-routes:     UK-MOD-MNT
source:         RIPE # Filtered
organisation:   ORG-DMoD1-RIPE
org-name:       DINSA, Ministry of Defence
org-type:       LIR
address:        Not Published
                Not Published Not Published
                United Kingdom
phone:          +44 (0)30 677 00816
admin-c:        MN1891-RIPE
mnt-ref:        UK-MOD-MNT
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered
person:         Mathew Newton
address:        C4 Architecture
address:        UK Ministry of Defence
phone:          +44 (0)30 677 00816
abuse-mailbox:  hostmaster@mod.uk
nic-hdl:        MN1891-RIPE
source:         RIPE # Filtered
mnt-by:         UK-MOD-MNT
% Information related to '25.0.0.0/8AS5378'
route:          25.0.0.0/8
descr:          INS-MOD-NET
descr:          INSnet core/customer route
descr:          Address Space owned by MOD
descr:          see whois.arin.net
member-of:      RS-AS5378
origin:         AS5378
mnt-by:         AS5378-MNT
source:         RIPE # Filtered
% This query was served by the RIPE Database Query Service version 1.47.5 (WHOIS1)
 



My assumption was that connection was probably "work related", but...

EDIT:
OK, the Himachi/UK MoD mystery is solved:

»b.logme.in/2012/11/07/changes-to···er-19th/

The first change concerns the use of the 5.x.x.x address space. As you may or may not be aware, this address space has been allocated by IANA to RIPE NCC two years ago. RIPE NCC has been handing out these addresses to their customers, and having Hamachi active on your computer means that you’re not able to access a growing portion of the Internet. We’ve added IPv6 support to Hamachi a while back, and you can simply turn off the use of the 5/8 space, but we realize that IPv4 is still very important to most of you. Therefore we’ll be changing every Hamachi node’s address to the 25/8 space...

Why 25/8? Well, it rhymes a bit with 5/8, and furthermore, it’s a block that’s been allocated to a foreign government agency for private use for almost two decades. We have no Hamachi users from this address space, and it’s highly unlikely that the general public would need to access one of these IP addresses. However, our general recommendation is that if you can, please turn off IPv4 support in your Hamachi clients. The IPv6 space we’re using has been registered to LogMeIn, and most modern software should function perfectly without needing an IPv4 address.

So, it seems that LogMeIn/Himachi has simply hijacked the UK MoD's IPv4 address space. I can't believe that the UK MoD has not already nuked them.

OTOH, the phrase "plausible deniability" does come to mind, so maybe the UK MoD isn't really too upset about LogMeIn/Himachi spoofing their IP addresses.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.


Lagz
Premium
join:2000-09-03
The Rock

2 recommendations

The 5.x.x.x address block was reserved at one time. The 5.x.x.x block was used by Hamachi to avoid collisions with private IP networks that might be in use on the client side. Hamachi was wrong to hijack the range, but if IANA has it reserved, then one might as well utilize it. I hope IANA doesn't decide to simply allocate the 10.x.x.x range at some point in the future.
--
When somebody tells you nothing is impossible, ask him to dribble a football.


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to anarchoi2

So from your nbtstat output, doesn't look like PIMP is detected / resolivng from the CLI. Was PIMP
still present in Windows Explorer at the time you pulled up this output?

My only question is what this host is

DBTOA000 UNIQUE 192.168.2.5 215
 

Regards


anarchoi2

@distributel.net

Ok there's something really weird... PIMP just showed up again in my network under ANARCHOI_LAPTOP

Problem is that ANARCHOI_LAPTOP was NOT open at this time (it wasn't even in sleep mode). There was no computer at all connected to my network except my main PC (ANARCHOI-PC). But "PIMP" is showing under "ANARCHOI_LAPTOP"

See screenshot:
»www.ni-dieu-ni-maitre.com/_uploa···pwtf.png

Note: DBTOA000 was my girlfriend's laptop

So i did nbstat again. Here's the result.
25.176.120.102 is *NOT* my IP. It belongs to "Royal Signals and Radar Establishment".... WTF ???
Currently my IP is 206.80.243.*

*********************************

Microsoft Windows [version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Tous droits réservés.

C:\Users\Anarchoi>nbtstat -c

ANARCHOI:
Adresse IP du noeud : [192.168.2.2] ID d'étendue : []

Aucun nom dans le cache

Hamachi:
Adresse IP du noeud : [25.162.23.89] ID d'étendue : []

Table de nom de cache distant NetBIOS

Nom Type Adresse d'hôte Vie [sec]
------------------------------------------------------------
PIMP UNIQUE 25.176.120.102 320

C:\Users\Anarchoi>

***********************************

Microsoft Windows [version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Tous droits réservés.

C:\Users\Anarchoi>nbtstat -n

ANARCHOI:
Adresse IP du noeud : [192.168.2.2] ID d'étendue : []

Table nom local NetBIOS

Nom Type Statut
---------------------------------------------
ANARCHOI-PC UNIQUE Inscrit
WORKGROUP Groupe Inscrit
ANARCHOI-PC UNIQUE Inscrit
WORKGROUP Groupe Inscrit
WORKGROUP UNIQUE Inscrit
..__MSBROWSE__. Groupe Inscrit

Hamachi:
Adresse IP du noeud : [25.162.23.89] ID d'étendue : []

Table nom local NetBIOS

Nom Type Statut
---------------------------------------------
ANARCHOI-PC UNIQUE Inscrit
WORKGROUP Groupe Inscrit
ANARCHOI-PC UNIQUE Inscrit
WORKGROUP Groupe Inscrit

C:\Users\Anarchoi>

*******************************************

Microsoft Windows [version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Tous droits réservés.

C:\Users\Anarchoi>nbtstat -S

ANARCHOI:
Adresse IP du noeud : [192.168.2.2] ID d'étendue : []

Aucune connexion

Hamachi:
Adresse IP du noeud : [25.162.23.89] ID d'étendue : []

Aucune connexion

C:\Users\Anarchoi>



anarchoi2

@distributel.net
reply to anarchoi2

OMG i think i just found the source of the problem.

If i go to my network connections and turn off HAMACHI, then PIMP goes away and diseappear from my network.

However, i have been using Hamachi since almost 2 years and i have NEVER seen "PIMP" in my network. Hamachi is used by millions of users and is supposed to be clean and trojan-free. I have ran multiple anti-viruses and anti-spywares and my computer was always clean.
Hamachi is used to play games in LAN

I suppose i should uninstall it now



NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to anarchoi2

said by anarchoi2 :

Ok there's something really weird... PIMP just showed up again in my network under ANARCHOI_LAPTOP...

So i did nbstat again. Here's the result.
25.176.120.102 is *NOT* my IP. It belongs to "Royal Signals and Radar Establishment".... WTF ???
Currently my IP is 206.80.243.*

See my previous reply for an explanation: »Re: intruder in my network
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to anarchoi2

said by anarchoi2 :

i have been using Hamachi since almost 2 years and i have NEVER seen "PIMP" in my network. Hamachi is used by millions of users and is supposed to be clean and trojan-free.

Forget clean and trojan free, I'm more worried about a) a misconfig in the Hamachi software itself, and b) how long "PIMP"
has been there, as from an operational perspective, "PIMP" was a computer on your LAN able to access your LAN resources
and WAN at will...

Keep off Hamachi for a week and see if "PIMP" pops back up or not... my 00000010bits

Regards