Re: What is this in my syslog????????
On Monday 06 November 2006 18:54, Nate Duehr shared this with us all:
> M-L wrote:
> > I have this in my syslog while downloading the latest updates from Debian?
> >
> > My computer drops off the modem. the modem is still connected but ppp is not,
> > the computer doesn't respond to being on the net/
> >
> > I don't use chat and wonder if the machine is actually breached by intruders?
> >
> > Charlie
> >
> > Nov 6 17:59:41 taogypsy chat[7793]: Virus Infection and Unexpected Computer Shutdowns^M
> > Nov 6 17:59:41 taogypsy chat[7793]: ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: Affected Software: ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: Microsoft Windows NT Workstation ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: Microsoft Windows NT Server 4.0 ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: Microsoft Windows 2000 ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: Microsoft Windows XP ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: Microsoft Windows Win98 ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: Microsoft Windows Server 2003^M
> > Nov 6 17:59:41 taogypsy chat[7793]: ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: Non Affected Software: ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: Microsoft Windows Millennium Edition^M
> > Nov 6 17:59:41 taogypsy chat[7793]: ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: Your system is affected, download the patch from the address below ! ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: FIRST TYPE THE ADDRESS BELOW INTO YOUR INTERNET BROWSER, THEN CLICK 'OK
> > Nov 6 17:59:41 taogypsy chat[7793]: -- got it
> > Nov 6 17:59:41 taogypsy chat[7793]: send (ATDT0198308888^M)
> > Nov 6 17:59:41 taogypsy chat[7793]: expect (CONNECT)
> > Nov 6 17:59:41 taogypsy chat[7793]: '.^M
> > Nov 6 17:59:41 taogypsy chat[7793]: THE ADDRESS WILL DISAPPEAR ONCE YOU CLICK 'OK'.^M
> > Nov 6 17:59:41 taogypsy chat[7793]: ^M
> > Nov 6 17:59:41 taogypsy chat[7793]: www.patchupdate.info^M
> >
>
> This looks a lot like your chatscript for the PPP connection has been
> overwritten by an e-mail about a virus or similar text message.
>
> Very strange, but not quite enough to say the box is compromised -- it
> could simply be that the file somehow got overwritten with an errant cut
> and paste or similar.
>
> Definitely worth checking into, though -- look into your /etc/ppp
> directory and associated files. Also, you don't mention which (if any)
> GUI-based dialer that you use, but it could be stored in a configuration
> file from one of those also -- again, likely an errant cut and paste or
> similar.
>
> Go hunting with GREP to find the script or configuration file that
> contains one of the phrases from that chat log -- like "THE ADDRESS WILL
> DISAPPEAR" for example. Hunt the whole box if you have to, but you
> should be able to find out where that's coming from...
>
> Nate
Thanks Nate,
I stopped downloading, on dialup 31.2 kbps [and looking at 8 hours]
Installed chkrootkit which found nothing infected or out of place.
I use pon, is that a GUI dialer?
My system is secure and in full stealth mode according to http://www.grc.com
I will learn how to use grep and see what I can come up with.
This is an Acer lappy, from which I never removed the XP windows system
because I needed it straight away, and didn't know if I could get Sarge or
Etch installed without problems, and was going to blow XP away as soon as
Etch went stable. So I just shrank the windows partition and created the ones
I wanted for Etch. It worked and I left it like that for now.
I am wondering if Acer added something as an automagic upgrade. In the BIOS?
But I will try to discover how grep works and find the string.
Thanks again.
Charlie
--
Registered Linux User:- 329524
+++++++++++++++++++++++++++++++++++
Men are equal; it is not birth but virtue that makes the
difference. ......................Voltaire
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Linux Debian Etch
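Nate's "go hunting with grep" advice, worked through as an added shell example that is not part of the original thread. It assumes only a POSIX shell with grep(1) and find(1). The directory layout it searches is a constructed stand-in for /etc/ppp and /etc/chatscripts (the peer name "provider" and the user name "charlie" are sample values): one chat script is clean, the other has had the "patch" text pasted over it, which is exactly what chat then reads out line by line into syslog. The second helper lists recently modified files, because a config file that was overwritten by a stray paste or download usually has a fresh mtime even when you do not know which phrase to look for.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Hunt a directory tree for the stray text that chat(8) logged to syslog.

# find_phrase DIR PHRASE
# Prints, one per line, every text file under DIR containing PHRASE.
# -F: fixed string, so quotes and dots in the phrase are not regex syntax
# -i: case-insensitive, the pasted text may have been re-cased
# -I: skip binary files so a hit inside a library does not drown the real one
# -l: print file names only
find_phrase() {
    dir=$1
    phrase=$2
    grep -r -F -i -I -l -- "$phrase" "$dir" 2>/dev/null | sort
}

# recently_changed DIR DAYS
# Lists regular files under DIR modified within the last DAYS days.
recently_changed() {
    find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}

# make_sample_tree BASE
# Builds a constructed /etc look-alike under BASE: a pon peer file, a clean
# chat script, and a chat script that has had the bogus text pasted into it.
# All contents are sample data for this example.
make_sample_tree() {
    base=$1
    mkdir -p "$base/ppp/peers" "$base/chatscripts"
    cat > "$base/ppp/peers/provider" <<'EOF'
# constructed sample peer definition used by pon
user "charlie"
connect "/usr/sbin/chat -v -f /etc/chatscripts/provider"
noauth
defaultroute
EOF
    cat > "$base/chatscripts/clean" <<'EOF'
ABORT BUSY
ABORT 'NO CARRIER'
'' ATZ
OK ATDT0198308888
CONNECT \d\c
EOF
    cat > "$base/chatscripts/provider" <<'EOF'
ABORT BUSY
Your system is affected, download the patch from the address below !
THE ADDRESS WILL DISAPPEAR ONCE YOU CLICK 'OK'.
www.patchupdate.info
'' ATZ
OK ATDT0198308888
CONNECT \d\c
EOF
}

# Stand-alone run: build the sample tree in a temp dir and search it.
# On a real box you would point find_phrase at /etc (or / if you must).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    echo "Files containing the phrase:"
    find_phrase "$tmp" "THE ADDRESS WILL DISAPPEAR"
    echo "Files changed in the last day:"
    recently_changed "$tmp" 1
    rm -rf "$tmp"
fi
```

Run it as `sh hunt.sh --demo` to see the overwritten chat script singled out; on a live system, `find_phrase /etc "THE ADDRESS WILL DISAPPEAR"` followed by `ls -l` on whatever it names shows who owns the file and when it last changed, which is the next thing to compare against when the paste happened.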