Kluge (OP)
Donator
Legendary
Activity: 1218
Merit: 1015
February 12, 2012, 07:01:40 PM
ISP scares the Hell out of me. I only use it because I've moved in with family in the past month while the house sells. Have mining rigs set up. Never had any problems with TWC, but Comcast seems determined to monitor EVERYTHING that goes through them.
About a month ago, Comcast insisted there was malware installed on computers in this house (family member tends to have malware on her computer, but it was odd that this first came just after I set the rigs up). I checked all the computers -- nothing unusual going on, no concerning network traffic, no p2p software (outside Bitcoin) was/is running. This morning, Comcast sent another email saying they were blocking port 25 due to "detected virus-like activity from your modem." Checked, and there's no network traffic using :25. Is this all due to Bitcoin mining traffic? Anyone have similar experiences? Becoming concerned they're going to try imposing fees or canceling service.
kjlimo
Legendary
Activity: 2114
Merit: 1031
February 12, 2012, 07:12:24 PM
Interesting. I wonder if the internet service providers can somehow become overlords of the bitcoin system?
Is that a potential point of failure for the bitcoin system?
Are there ways to simply change the "port reference" to something else to keep the system going?
I'm clearly not a programmer, but I feel like this is a good discussion to vet, just to be sure of where the points of failure are for interested parties to attack the system.
The more we brainstorm, the better prepared we can be for any inevitable situations.
Kluge (OP)
Donator
Legendary
Activity: 1218
Merit: 1015
February 12, 2012, 07:15:56 PM Last edit: February 12, 2012, 08:42:57 PM by Kluge
Interesting. I wonder if the internet service providers can somehow become overlords of the bitcoin system?
Is that a potential point of failure for the bitcoin system?
Are there ways to simply change the "port reference" to something else to keep the system going?
I'm clearly not a programmer, but I feel like this is a good discussion to vet, just to be sure of where the points of failure are for interested parties to attack the system.
The more we brainstorm, the better prepared we can be for any inevitable situations.

fwiw, Bitcoin doesn't use :25. Very easy to change the port the Bitcoin client uses, also easy to change with miners, though you're limited to whichever ports your pool op has open unless you're going solo (dunno about p2pool). I was just curious if Comcast was bumbling around with a paintbrush to say the large amount of small data exchanges between miners & pool was virus-like activity. ETA @ Mike & AB -- I think y'all are right. Every computer I run has a relatively fresh install with only mining essentials installed. There are three exceptions. One PC acts as a TV and it's possible it's infected -- I haven't checked it well. This PC acts as my general use computer... pretty confident it isn't infected, and I checked traffic with Peerblock (nothing unexpected), checked to make sure no unknown services/programs were running... no CPU clocks going to anything unknown. Other is a retired laptop, which isn't doing it. Asked relative about her own laptop, she said she ran A/V software on it, and I didn't press to check it. Getting curious, but I have other stuff to do. Will update if I find anything.
Mike Hearn
Legendary
Activity: 1526
Merit: 1134
February 12, 2012, 08:00:33 PM
Doubtful. You most likely have a virus on a system but aren't able to detect it.
Try getting a known-clean (new?) system and do a wire trace for 24-48 hours on the connection, see if anything comes up. And/or reformat/reinstall all your systems.
ZodiacDragon84
Sr. Member
Activity: 266
Merit: 250
The king and the pawn go in the same box @ endgame
February 12, 2012, 08:41:49 PM
P2P is a way that botmasters can communicate with their bots. But as everyone else said, port 25 is not usually a BTC port. And remember this, a new virus is created every 3 seconds. (from what I have seen, most of them are the same viruses, they have just been crypted differently with each new iteration). On a side note, what are the odds of a malicious attacker sending bot instruction messages embedded in the block chain?
check_status
Full Member
Activity: 196
Merit: 100
Web Dev, Db Admin, Computer Technician
February 14, 2012, 01:27:07 AM
If you have a switch that has port mirroring you can monitor all the traffic with TCPDump; limit it to port 25 since you've been alerted to that. For Linux you can use Linux Malware Detect and for Windows WinMHR. They both use the Malware Hash Registry by Team Cymru, which includes samples of almost all known infectors. LMD also looks for hex patterns in addition to hashes. Other options are a firewall with IDS, or Backtrack in a VM in bridge mode to scan your network.
For Bitcoin to be a true global currency the value of BTC needs always to rise. If BTC became the global currency & money supply = 100 Trillion then ⊅1.00 BTC = $4,761,904.76. P2Pool Server List | How To's and Guides Mega List | 1 EndfedSryGUZK9sPrdvxHntYzv2EBexGA
jago25_98
February 14, 2012, 04:00:05 PM
If you have a switch that has port mirroring you can monitor all the traffic with TCPDump; limit it to port 25 since you've been alerted to that. For Linux you can use Linux Malware Detect and for Windows WinMHR. They both use the Malware Hash Registry by Team Cymru, which includes samples of almost all known infectors. LMD also looks for hex patterns in addition to hashes. Other options are a firewall with IDS, or Backtrack in a VM in bridge mode to scan your network.

Kudos to this slick answer. The easiest is probably to monitor upstream, like on the modem/router, if you can't port mirror. In a simpler way you could turn all computers on, disable auto updates etc., and reset the data send/receive counters on the modem. Then leave it for a day and see what traffic is sent.
Bitcoiner since the early days. Crypto YouTube Channel: Trading Nomads | Analyst | News Reporter | Bitcoin Hodler | Support Freedom of Speech!
DeathAndTaxes
Donator
Legendary
Activity: 1218
Merit: 1079
Gerald Davis
February 14, 2012, 04:26:47 PM
Another possibility is your wireless is compromised and someone is using their computer and your wireless to spam.
Port 25 block = spam, and for you to get a block it is likely massive (as in tens of millions of emails).
Please tell me you aren't using WEP and if using WPA you changed the router SSID (rainbow tables with tens of millions of passwords exist for the 1000 or so most common/default SSIDs).
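Added example, not from any poster in this thread: it applies the "tcpdump limited to port 25" advice above together with the "port 25 block = spam" point. The script parses constructed tcpdump -n lines from a mirrored port and flags LAN hosts that open SMTP connections to many distinct external servers, the fan-out pattern of a spam bot rather than of a mail client that only ever talks to its provider's server. The 192.168.1.0/24 subnet and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# One-line "tcpdump -n" IPv4/TCP format; other lines (ARP, UDP, ...) are skipped.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

LAN = ip_network("192.168.1.0/24")  # assumed home subnet behind the mirrored port

def parse_line(line):
    """Return the addresses, ports and TCP flags of one tcpdump line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d

def smtp_fanout(lines, lan=LAN):
    """For every LAN host, the set of distinct external hosts it tried to open
    TCP/25 to. Only bare SYNs count: those are connection attempts made from
    our side, whereas SYN-ACK and data packets would double-count a session."""
    fanout = defaultdict(set)
    for line in lines:
        p = parse_line(line)
        if p is None or p["dport"] != 25 or p["flags"] != "S":
            continue
        src, dst = ip_address(p["src"]), ip_address(p["dst"])
        if src in lan and dst not in lan:
            fanout[str(src)].add(str(dst))
    return dict(fanout)

def flag_spam_senders(lines, max_distinct_mx=3, lan=LAN):
    """A real mail client talks to one or two fixed servers; a spam bot fans out
    to the MX of every recipient domain. Return {host: distinct_server_count}
    for hosts over the threshold."""
    return {h: len(d) for h, d in smtp_fanout(lines, lan).items()
            if len(d) > max_distinct_mx}

# Constructed sample capture (not real traffic): .23 fans out to five mail
# servers, .10 only ever talks to its provider's server, .50 is HTTPS only.
SAMPLE = """\
12:00:01.000001 IP 192.168.1.23.51000 > 203.0.113.5.25: Flags [S], seq 1, win 64240, length 0
12:00:01.000400 IP 203.0.113.5.25 > 192.168.1.23.51000: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:01.010000 IP 192.168.1.23.51000 > 203.0.113.5.25: Flags [P.], seq 2:40, ack 10, win 64240, length 38
12:00:01.200000 IP 192.168.1.23.51001 > 203.0.113.17.25: Flags [S], seq 1, win 64240, length 0
12:00:01.300000 IP 192.168.1.23.51002 > 198.51.100.41.25: Flags [S], seq 1, win 64240, length 0
12:00:01.400000 IP 192.168.1.23.51003 > 198.51.100.42.25: Flags [S], seq 1, win 64240, length 0
12:00:01.500000 IP 192.168.1.23.51004 > 203.0.113.99.25: Flags [S], seq 1, win 64240, length 0
12:00:02.000000 IP 192.168.1.10.49200 > 198.51.100.9.25: Flags [S], seq 1, win 64240, length 0
12:00:02.100000 IP 192.168.1.10.49201 > 198.51.100.9.25: Flags [S], seq 1, win 64240, length 0
12:00:02.200000 IP 192.168.1.50.49300 > 203.0.113.200.443: Flags [S], seq 1, win 64240, length 0
12:00:02.300000 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28
"""

if __name__ == "__main__":
    for host, n in flag_spam_senders(SAMPLE.splitlines()).items():
        print(f"{host}: SMTP connections to {n} distinct external hosts")
```

On a real capture, feed it the output of tcpdump -n -i <mirror-if> 'tcp port 25' and leave it running for a day, since a bot may only send while nobody is at the keyboard.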
Kluge (OP)
Donator
Legendary
Activity: 1218
Merit: 1015
February 14, 2012, 06:10:00 PM
Another possibility is your wireless is compromised and someone is using their computer and your wireless to spam.
Port 25 block = spam, and for you to get a block it is likely massive (as in tens of millions of emails).
Please tell me you aren't using WEP and if using WPA you changed the router SSID (rainbow tables with tens of millions of passwords exist for the 1000 or so most common/default SSIDs).

The primary wireless router's open! It'd be surprising if any of the neighbors were able to get a signal, though; they're a good distance away. WinMHR suggested all computers (including relative's) are clean. Repeater router (which is protected) still not reporting any traffic on :25. Putting curiosity to rest, for now... Won't have to deal with Comcast for more than a couple more months, anyway.
Rassah
Legendary
Activity: 1680
Merit: 1035
February 14, 2012, 06:42:11 PM
Only issues I got from them were "excessive data usage." 250gig a month limits suck. If you're using Windows, Start > Applications > System Tools > Resource Monitor lets you track all network activity on your computer at the process and individual connection level. Figured that out when trying to track down what was using up 10 gigs of data a day. (Turned out to be java.exe... for no reason... AVG and Malwarebytes didn't find anything, so I just force close it with task manager on boot)
stcupp
February 14, 2012, 08:34:06 PM Last edit: February 15, 2012, 12:09:57 AM by stcupp
Only issues I got from them were "excessive data usage." 250gig a month limits suck. If you're using Windows, Start > Applications > System Tools > Resource Monitor lets you track all network activity on your computer at the process and individual connection level. Figured that out when trying to track down what was using up 10 gigs of data a day. (Turned out to be java.exe... for no reason... AVG and Malwarebytes didn't find anything, so I just force close it with task manager on boot)

I have Suddenlink and they're talking about putting in an 80GB limit and charging extra if you use more. They said 80 GB is the average that is used in a month!?!? WTF lol. I use more like 800GB a month. Anyway, port 25 is the SMTP email port, so you most likely have a virus sending shit tons of spam. Some nasty viruses hook into your kernel at boot and will feed your anti-virus fake info so it doesn't get detected. Here's one for example: http://resources.infosecinstitute.com/tdss4-part-1/ They call it the "Indestructible Botnet". If you have something like that it will survive even after wiping your hard drive and reinstalling your OS.
rjk
Sr. Member
Activity: 448
Merit: 250
1ngldh
February 14, 2012, 10:08:11 PM
Only issues I got from them were "excessive data usage." 250gig a month limits suck. If you're using Windows, Start > Applications > System Tools > Resource Monitor lets you track all network activity on your computer at the process and individual connection level. Figured that out when trying to track down what was using up 10 gigs of data a day. (Turned out to be java.exe... for no reason... AVG and Malwarebytes didn't find anything, so I just force close it with task manager on boot)
I have Suddenlink and they're talking about putting in an 80GB limit and charging extra if you use more. They said 80 GB is the average that is used in a month!?!? WTF lol. I use more like 800GB a month. Anyway, port 25 is the SMTP email port, so you most likely have a virus sending shit tons of spam. Some nasty viruses hook into your kernel at boot and will feed your anti-virus fake info so it doesn't get detected. Here's one for example: http://resources.infosecinstitute.com/tdss4-part-1/ They call it the "Indestructible Botnet". If you have something like that it will survive even after wiping your hard drive and reinstalling your OS.

My bullshit-o-meter almost exploded when I read that.
P4man
February 14, 2012, 10:21:14 PM
My bullshit-o-meter almost exploded when I read that.

Actually, if you follow his link, then it depends how you define wiping the drive (dd'ing will definitely do it, but a quick format might not) and on whether Windows upon reinstallation always rewrites the bootloader if there is already one. I'm not 100% certain about that. That said, there are possibilities to infect machines that resist any HDD wipe or even replacement. If you have an Intel machine with "vPro" / VT-d, then it's theoretically possible to have a rootkit in the vPro controller. Really scary stuff:
http://invisiblethingslab.com/press/itl-press-2009-03.pdf
http://www.invisiblethingslab.com/resources/2011/Software%20Attacks%20on%20Intel%20VT-d.pdf
Gets even scarier if you consider the possibility Intel just hands over the private keys to 3-letter agencies, which could thereby obtain full remote access to your machine with no way for you to detect it or prevent it. The vPro controller has access to your network, HDD, display buffer, RAM, heck even webcam. Like I said, scary.
stcupp
February 15, 2012, 12:40:28 AM
My bullshit-o-meter almost exploded when I read that.
Actually, if you follow his link, then it depends how you define wiping the drive (dd'ing will definitely do it, but a quick format might not) and on whether Windows upon reinstallation always rewrites the bootloader if there is already one. I'm not 100% certain about that. That said, there are possibilities to infect machines that resist any HDD wipe or even replacement. If you have an Intel machine with "vPro" / VT-d, then it's theoretically possible to have a rootkit in the vPro controller. Really scary stuff:
http://invisiblethingslab.com/press/itl-press-2009-03.pdf
http://www.invisiblethingslab.com/resources/2011/Software%20Attacks%20on%20Intel%20VT-d.pdf
Gets even scarier if you consider the possibility Intel just hands over the private keys to 3-letter agencies, which could thereby obtain full remote access to your machine with no way for you to detect it or prevent it. The vPro controller has access to your network, HDD, display buffer, RAM, heck even webcam. Like I said, scary.

TDL4 will live through a simple format and reinstallation of the OS... I've done a lot of research on this and even wrote a kernel-level boot loader for proof of concept in ASM and C.... Here's a good article on the bootloader if you're interested: http://www.securelist.com/en/analysis/204792157/TDSS_TDL_4#2 and another very detailed article on how everything works: http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot According to these databases, in just the first three months of 2011 alone, TDL-4 infected 4,524,488 computers around the world. TDL4 is probably the most advanced trojan I've ever seen.
rjk
Sr. Member
Activity: 448
Merit: 250
1ngldh
February 15, 2012, 06:02:51 PM
My bullshit-o-meter almost exploded when I read that.
Actually, if you follow his link, then it depends how you define wiping the drive (dd'ing will definitely do it, but a quick format might not) and on whether Windows upon reinstallation always rewrites the bootloader if there is already one. I'm not 100% certain about that. That said, there are possibilities to infect machines that resist any HDD wipe or even replacement. If you have an Intel machine with "vPro" / VT-d, then it's theoretically possible to have a rootkit in the vPro controller. Really scary stuff:
http://invisiblethingslab.com/press/itl-press-2009-03.pdf
http://www.invisiblethingslab.com/resources/2011/Software%20Attacks%20on%20Intel%20VT-d.pdf
Gets even scarier if you consider the possibility Intel just hands over the private keys to 3-letter agencies, which could thereby obtain full remote access to your machine with no way for you to detect it or prevent it. The vPro controller has access to your network, HDD, display buffer, RAM, heck even webcam. Like I said, scary.
TDL4 will live through a simple format and reinstallation of the OS... I've done a lot of research on this and even wrote a kernel-level boot loader for proof of concept in ASM and C.... Here's a good article on the bootloader if you're interested: http://www.securelist.com/en/analysis/204792157/TDSS_TDL_4#2 and another very detailed article on how everything works: http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot According to these databases, in just the first three months of 2011 alone, TDL-4 infected 4,524,488 computers around the world. TDL4 is probably the most advanced trojan I've ever seen.

Interesting, another MBR/BCD virus. So yes, a simple reinstall might not wipe it out, but deleting all partitions and then starting fresh ought to work, right? In any case, those articles indicate that there are ways to detect it, and Kaspersky already has a tool to remove it.
Herodes
February 15, 2012, 08:09:53 PM
ISP scares the Hell out of me. I only use it because I've moved in with family in the past month while the house sells. Have mining rigs set up. Never had any problems with TWC, but Comcast seems determined to monitor EVERYTHING that goes through them.
About a month ago, Comcast insisted there was malware installed on computers in this house (family member tends to have malware on her computer, but it was odd that this first came just after I set the rigs up). I checked all the computers -- nothing unusual going on, no concerning network traffic, no p2p software (outside Bitcoin) was/is running. This morning, Comcast sent another email saying they were blocking port 25 due to "detected virus-like activity from your modem." Checked, and there's no network traffic using :25. Is this all due to Bitcoin mining traffic? Anyone have similar experiences? Becoming concerned they're going to try imposing fees or canceling service.

It's possible that your computer is infected by malware that sends out spam. As mentioned in this thread, port 25 is used for sending e-mail. Even if you check with anti-virus programs, there's a small possibility that the malware in question goes under the radar. Also, you'd have to constantly monitor that port to ensure there's no activity on it. For all you know, the activity may happen when you're not actively using your computer. Another possibility is that Comcast has somehow targeted you in error; this may happen as well.

Anyway, if you get port 25 blocked, unless you need it to send e-mail (perhaps you could use another port, or another service), you should be fine. Bitcoin doesn't use port 25. Another possibility is that your miner is infected with malware; if you run a binary version you downloaded from the web, you really don't know what's inside that binary, but if you download from a 'trusted' source, you should generally be fine.

In summary, there could be many reasons for this happening, and don't freak out in regards to the bitcoin mining, I don't think this is what they're targeting here. If you wanted to monitor all network traffic, you must set up a program that can monitor all ports around the clock and which programs are causing the traffic. Perhaps you could call their tech department, and tell them that you've received their notification, but you couldn't find any suspicious activity on your PC. Then they could (if they want) tell you what they're detecting on their side. No need to mention the bitcoin mining to them at all if calling in, I'm pretty sure that's not the culprit here.
check_status
Full Member
Activity: 196
Merit: 100
Web Dev, Db Admin, Computer Technician
February 15, 2012, 10:15:26 PM
Interesting, another MBR/BCD virus. So yes, a simple reinstall might not wipe it out, but deleting all partitions and then starting fresh ought to work, right?

The malware partition is outside of the OS, written directly to the drive. What value is there in deleting the partition table? Wiping with a zero-write solution is the only way to delete this type of malware. Reinstall from clean backups. There is another type of malware that can be written to the network ROM, usually a card with boot-from-network ROM, with an additional jump instruction in the BIOS to initiate the infector at boot. DualComm has a cheap port mirroring solution, USB powered, 5 ports with 1 hardwired for port mirroring: DCSW-1005 $59.95 http://dual-comm.com/port-mirroring-LAN_switch.htm
Rassah
Legendary
Activity: 1680
Merit: 1035
February 15, 2012, 11:05:02 PM
When I install (or reinstall) Windows, I usually wipe all partitions before installing. The partition manager shows all partitions on the disk, including system, mbr, and any strange ones. I assume any virus partitions would still show up and get wiped on reinstall?
P4man
February 15, 2012, 11:22:28 PM
When I install (or reinstall) Windows, I usually wipe all partitions before installing. The partition manager shows all partitions on the disk, including system, mbr, and any strange ones. I assume any virus partitions would still show up and get wiped on reinstall?

The partition would be hidden. Not in the sense that it has the H attribute in the partition table, but that it's not in the partition table and would appear to be unpartitioned space. But unless the virus has infected your BIOS or some other EEPROM, having such unpartitioned space should be pretty harmless by itself. It still requires an infected bootloader to actually be able to read and execute what's on there. IOW, the crucial part is probably erasing the MBR and bootloader (and praying your BIOS, NIC, and VT-d are clean). But why take chances, just zero fill the drive.
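Added example, not from any poster in this thread: it turns the point made in the last two posts (a storage area that is not in the partition table looks like unpartitioned space to a partition manager) into a check a defender can run against a dd image. The script parses the four MBR partition entries, then reports every sector outside all of them that holds non-zero bytes. The 64-sector image and the planted data are constructed for the demonstration.

```python
import struct

SECTOR = 512
MBR_SIG = b"\x55\xaa"

def parse_mbr_partitions(image):
    """Return [(start_lba, sector_count)] for the used entries of the MBR
    partition table (four 16-byte entries starting at byte 446)."""
    if image[510:512] != MBR_SIG:
        raise ValueError("sector 0 has no 55AA boot signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = image[off + 4]
        start, count = struct.unpack_from("<II", image, off + 8)
        if ptype != 0 and count:
            parts.append((start, count))
    return parts

def find_unpartitioned_data(image):
    """Sector numbers that lie outside every table entry yet contain non-zero
    bytes. Sector 0 (the MBR itself) is excluded; comparing its boot code
    against a known-good copy is the complementary check for the bootloader."""
    parts = parse_mbr_partitions(image)
    total = len(image) // SECTOR
    hits = []
    for lba in range(1, total):
        if any(s <= lba < s + c for s, c in parts):
            continue
        if any(image[lba * SECTOR:(lba + 1) * SECTOR]):
            hits.append(lba)
    return hits

def build_sample_image(plant_hidden_data=True):
    """Constructed 64-sector image: one active partition at LBA 8..39.
    With plant_hidden_data, bytes are written into LBA 3 (the post-MBR gap)
    and LBA 50 (past the last partition), mimicking a hidden storage area."""
    img = bytearray(64 * SECTOR)
    # entry 0: status, CHS start (ignored), type 0x83, CHS end, LBA start, count
    struct.pack_into("<B3sB3sII", img, 446, 0x80, b"\0\0\0", 0x83, b"\0\0\0", 8, 32)
    img[510:512] = MBR_SIG
    img[8 * SECTOR:8 * SECTOR + 4] = b"DATA"  # ordinary filesystem content
    if plant_hidden_data:
        img[3 * SECTOR:3 * SECTOR + 8] = b"HIDDENFS"
        img[50 * SECTOR + 100] = 0xAA
    return bytes(img)

if __name__ == "__main__":
    print("partitions:", parse_mbr_partitions(build_sample_image()))
    print("suspicious sectors:", find_unpartitioned_data(build_sample_image()))
```

On a real drive you would read the dd image sector by sector instead of loading it whole, and a GPT disk or a bootkit that rewrote the MBR code itself needs the complementary checks noted in the comments.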
check_status
Full Member
Activity: 196
Merit: 100
Web Dev, Db Admin, Computer Technician
February 16, 2012, 03:58:10 AM
It would be sad to see "Trashing the Motherboard" as a viable option for malware remediation.