RE: ANOTHER possible Windows problem?

From: Sander de Rijk (s.derijk@cti-solutions.nl)
Date: Sun Jul 22 2001 - 11:53:50 PDT


    Well, 3128 is also the proxy port of Winroute.
    
    Besides that there is Sub7. This trojan lets someone control
    your PC remotely. They can do anything on your machine that
    you could also do. But Sub7 does nothing when not controlled,
    so I assume your firewall takes care of that.
    
    Besides that, I can't understand why there should be a trojan
    that changes the proxy settings of a PC.
    
    Do you have a cache.mycompany.com? It could also be a bug
    in the auto-detect proxy settings of Win98.
    
    Greetz,
    Sander
    
    
    -----Original Message-----
    From: David Bernick [mailto:bernzat_private] 
    Sent: Friday, July 20, 2001 10:15 PM
    To: incidentsat_private
    Subject: ANOTHER possible Windows problem?
    
    
    At around 3pm EST all of the Windows 98 boxes at my company suddenly
    turned their proxy settings on (we don't use a proxy) and set their
    proxy server to: cache.mycompany.com (substitute mycompany with the name
    of mycompany) and port 3128.
    
    Now I know port 3128 is a Squid proxy port, so I guess that makes sense,
    but has anyone ever seen anything like this before? The few Win2k boxes
    are fine, as are the Linux boxes. Is there a trojan or something like
    that where the payload changes proxy settings?
    
    Or is it something else entirely?
    
    thanks!
    
    dave
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service. For
    more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    
    
    
    



    This archive was generated by hypermail 2b30 : Sun Jul 22 2001 - 13:03:20 PDT