herme3 Posted March 4, 2006 Posted March 4, 2006 Some of you might remember the thread I created a while ago when my computer was infected with the Haxdoor virus. This is a very bad virus, because none of the AntiVirus programs can delete it. It was a huge pain, but I finally found a way to delete it with the help of several SFN members, especially Dak and Cap'n Refsmmat. Well, it appears that Haxdoor is spreading again! It came into one of my other computers, but I deleted it using the same steps that I used the first time. It will still log your keystrokes and send them to other servers. The IP addresses for the servers appear to be: 212.27.63.103 and 67.15.35.7 Why haven't these servers been shutdown yet? I sent the IP addresses to several major online security companies, but the servers are still running! The IP addresses go to apache servers without any content, so it seems pretty obvious that there is something suspicious about them. Can anyone trace these servers to see where they are located? Just curious, but would it be illegal to hack into these servers that you know are illegally collecting personal information about people? I'm not a hacker, but I was just wondering because I'm sure that some of my personal information is on these servers. If the law wouldn't protect these illegal servers, it might help a lot of people if someone went in and wiped out all of the data in them.
Klaynos Posted March 4, 2006 Posted March 4, 2006 Some of you might remember the thread I created a while ago when my computer was infected with the Haxdoor virus. This is a very bad virus' date=' because none of the AntiVirus programs can delete it. It was a huge pain, but I finally found a way to delete it with the help of several SFN members, especially Dak and Cap'n Refsmmat. Well, it appears that Haxdoor is spreading again! It came into one of my other computers, but I deleted it using the same steps that I used the first time. It will still log your keystrokes and send them to other servers. The IP addresses for the servers appear to be: 212.27.63.103 and 67.15.35.7 Why haven't these servers been shutdown yet? I sent the IP addresses to several major online security companies, but the servers are still running! The IP addresses go to apache servers without any content, so it seems pretty obvious that there is something suspicious about them. Can anyone trace these servers to see where they are located? Just curious, but would it be illegal to hack into these servers that you know are illegally collecting personal information about people? I'm not a hacker, but I was just wondering because I'm sure that some of my personal information is on these servers. If the law wouldn't protect these illegal servers, it might help a lot of people if someone went in and wiped out all of the data in them.[/quote'] You'd probably have to contact the ISP which leases the IP to that connection to get it closed, they may well then just connect to another ISP, or be rooted servers, and the people who run them have no idea what's happening. and the chances are that there are many differnt strains of the virus around all giving differnt servers as soon as one is removed another is setup by someone etc... And yes it would be illegal. Also there is nothing that unuseuale about the Apache holding page on a server, many people leave it there for years...
herme3 Posted March 4, 2006 Author Posted March 4, 2006 You'd probably have to contact the ISP which leases the IP to that connection to get it closed, they may well then just connect to another ISP, or be rooted servers, and the people who run them have no idea what's happening. and the chances are that there are many differnt strains of the virus around all giving differnt servers as soon as one is removed another is setup by someone etc... I'm not sure who the ISP is. The IP addresses have not been removed or changed. And yes it would be illegal. Why would the law be interested in protecting these servers? I'm sure that they contain personal information from everyone who had their computer infected by Haxdoor. These servers appear to still be receiving information. The creators of Haxdoor could probably access this information anytime they want, so somebody should find a way to delete it. Also there is nothing that unuseuale about the Apache holding page on a server, many people leave it there for years... Yes, but I looked at the logs of a security program I installed on my computer. I saw the Haxdoor virus sending data from my computer to those IP addresses.
Cap'n Refsmmat Posted March 4, 2006 Posted March 4, 2006 The first ISP is Proxad in France, abuse email address abuse@proxad.net The second address is unspecified and could have been allocated to anybody. http://www.ripe.net/whois
Klaynos Posted March 4, 2006 Posted March 4, 2006 Why would the law be interested in protecting these servers? I'm sure that they contain personal information from everyone who had their computer infected by Haxdoor. These servers appear to still be receiving information. The creators of Haxdoor could probably access this information anytime they want' date=' so somebody should find a way to delete it. [/quote'] Because the law protects everyone,. Just to note it was just a comment about apache, I wasn't disputing that those IP's where really data collection servers, but they much just be a node to bounce the data off of, in which case I'm sure the ISP would still be interested in.
insane_alien Posted March 5, 2006 Posted March 5, 2006 How do you get the virus? click on this link . hehe
Dak Posted March 5, 2006 Posted March 5, 2006 How do you keep geting haxdoor, herme3? FYI: Theres been a fix developed since you last got it... here it is, incase you get it again (might be worth running it on the machine you just cleaned, incase any left-over bits of haxdoor are still present). d/l and install haxfix.exe. It'll ask you to 'Insert the haxdoor notify subkey without the numbers, and then press enter'... basically, one visable part of the rootkit is called random32.dll (or random16.dll for the newer ones) and is set to auto-run by a winlogon/notify reg-entry... so, look in your winlogon/notify key, find the random32.dll, and type the 'random' bit in. eg, in your last example, avpe32.dll was set to run via a winlogon/notify entry, so you'd have entered 'avpe' Then it should fix it for you. If you're feeling in a complaining mood, then, aswell as what cap'n said, you might want to check out http://www.malwarecomplaints.info/index.php It has localised instructions on how to complain about malware/who to complain to, and also acts as a recepticle for complaints, so that they can be monitored by the relevent govournmental agencies. also, if you plonk the IPs up there, somone will either report them or add up a tutorial on how to report bad IP's, so that may do something to get the servers shut down, although tbh haxdoor's set up an IRC network... i dont really know anything about IRC, but its possible (probable?) that the IP's are just other infected machines, rather than the hackers own site. Finally... if this is a work computer, i'd strongly reccomend reformat/reinstall.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now