Re: What is this in my syslog????????

To: Debian-user <debian-user@lists.debian.org>
Subject: Re: What is this in my syslog????????
From: Nate Duehr <nate@natetech.com>
Date: Mon, 06 Nov 2006 00:54:47 -0700
Message-id: <[🔎] 454EEA47.1000202@natetech.com>
In-reply-to: <[🔎] 200611061813.45360.rose_snug@bigpond.com>
References: <[🔎] 200611061813.45360.rose_snug@bigpond.com>

M-L wrote:

I have this in my syslog while downloading the latest updates from Debian?
My computer drops off the modem. the modem is still connected but ppp is not,the computer doesn't respond to being on the net/
I don't use chat and wonder if the machine is actually breached by intruders?

Charlie
Nov 6 17:59:41 taogypsy chat[7793]: Virus Infection and Unexpected ComputerShutdowns^M
Nov  6 17:59:41 taogypsy chat[7793]: ^M
Nov  6 17:59:41 taogypsy chat[7793]: Affected Software: ^M
Nov  6 17:59:41 taogypsy chat[7793]: ^M
Nov  6 17:59:41 taogypsy chat[7793]: Microsoft Windows NT Workstation ^M
Nov  6 17:59:41 taogypsy chat[7793]: Microsoft Windows NT Server 4.0 ^M
Nov  6 17:59:41 taogypsy chat[7793]: Microsoft Windows 2000   ^M
Nov  6 17:59:41 taogypsy chat[7793]: Microsoft Windows XP  ^M
Nov  6 17:59:41 taogypsy chat[7793]: Microsoft Windows Win98   ^M
Nov  6 17:59:41 taogypsy chat[7793]: Microsoft Windows Server 2003^M
Nov  6 17:59:41 taogypsy chat[7793]: ^M
Nov  6 17:59:41 taogypsy chat[7793]: Non Affected Software: ^M
Nov  6 17:59:41 taogypsy chat[7793]: ^M
Nov  6 17:59:41 taogypsy chat[7793]: Microsoft Windows Millennium Edition^M
Nov  6 17:59:41 taogypsy chat[7793]: ^M
Nov 6 17:59:41 taogypsy chat[7793]: Your system is affected, download thepatch from the address below ! ^MNov 6 17:59:41 taogypsy chat[7793]: FIRST TYPE THE ADDRESS BELOW INTO YOURINTERNET BROWSER, THEN CLICK 'OK
Nov  6 17:59:41 taogypsy chat[7793]:  -- got it
Nov  6 17:59:41 taogypsy chat[7793]: send (ATDT0198308888^M)
Nov  6 17:59:41 taogypsy chat[7793]: expect (CONNECT)
Nov  6 17:59:41 taogypsy chat[7793]: '.^M
Nov 6 17:59:41 taogypsy chat[7793]: THE ADDRESS WILL DISAPPEAR ONCE YOUCLICK 'OK'.^M
Nov  6 17:59:41 taogypsy chat[7793]: ^M
Nov 6 17:59:41 taogypsy chat[7793]:www.patchupdate.info^M

This looks a lot like your chatscript for the PPP connection has beenoverwritten by an e-mail about a virus or similar text message.

Very strange, but not quite enough to say the box is compromised -- itcould simply be that the file somehow got overwritten with an errant cutand paste or similar.

Definitely worth checking into, though -- look into your /etc/pppdirectory and associated files. Also, you don't mention which (if any)GUI-based dialer that you use, but it could be stored in a configurationfile from one of those also -- again, likely an errant cut and paste orsimilar.

Go hunting with GREP to find the script or configuation file thatcontains one of the phrases from that chat log -- like "THE ADDRESS WILLDISAPPEAR" for example. Hunt the whole box if you have to, but youshould be able to find out where that's coming from...


Nate

Reply to:

Follow-Ups:
- Re: What is this in my syslog????????
  - From: M-L <rose_snug@bigpond.com>

References:
- What is this in my syslog????????
  - From: M-L <rose_snug@bigpond.com>

Prev by Date: Re: Video in mozilla/firefox
Next by Date: Re: What is this in my syslog????????
Previous by thread: What is this in my syslog????????
Next by thread: Re: What is this in my syslog????????
Index(es):
- Date
- Thread