If You Watched C-SPAN'S DSM LIVE THUR - TROJAN ALERT

Major Heads-up Everyone:

After watching the "DSM" Judiciary Conference video live on via C-Span's Internet web-cast Thursday, alerts came in thereafter from my Firewall Alert:

Thursday 2:54:09 PM EST: My firewall showed last night that while I was watching (Real Player) the DSM conference, some "one/thing" was "tracing me." The lined live activity US map showed it started from C-SPAN.ORG. It "pinged" far NE-easterly of Philadelphia by the Atlantic, richening straight down to somewhere in VA; from there it headed straight back to a "Satellite/Broadband" data-watch (UNK) to my city; then to D.C., then back to VA.

I've never seen anything like this. I blocked all ISP's and PORTS, yet the most frightening "Firewall Alert" traced this iss a Govt Trojan Horse. Having some of the best paid for (not freeware) firewalls/Virus Scanners/Router and Spy-ware running at all times, never has this occurred - never in years. The local site performing the pinging (tracing) was not my broadband, but was on Capital Hill merging w/Direct-TV quietly, and more publicly MCI.


USA MAP showing "as it happens" Trojan activity EXTREMELY active over TX & D.C. - everywhere else literally dead.

EXACTLY WHAT MY FIREWALL SHOWED ME: Note the USP showed as USD (?)

A computer you were communicating with at video.c-span.org has attempted to access a different port than expected (USP port 6970). USP port 6970 is commonly used by the "GateCrasher Trojan / RTSP streaming Media" service or program. Gate Crasher is a Trojan horse program. The Gate Crasher trojan uses TCP to connect. However, this port is also used to receive streaming media data in Real-Player and Quick-Time, but using UDP. If you see events on this port when attempting to open Real Audio or Quick-Time clips, You may wish to make certain that these programs have "full" and not just "outbound" permissions. If you do so, please make certain you are running the latest anti-virus application and definitions.

I was watching and I didn't receive anything here in CA.

Major Activity (LIVE FEED AS I TYPE THIS):

"ALL OVER TX & DC, yet across nation "quite as door mouse."

a bit more info for us Luddites por favor

straight from a highly sophisticated Satellite & Broadband server by UNKNOWN address. It started at C-SPAN.org.

This is not hype.

I just don't care. If we are being monitored, so the fuck what!!!!

I've had a few Trojans infect my computer. It slows the computer down, like spyware. Very annoying! People should definitely have antiviral and spyware software on their computers. My antivirus software updates with new viruses and trojans every hour, sometimes more than twice an hour! That's how common they are.

Jst not sure what that meant. The internet is hrting the junta big time. They will shut us down before they allow us to take them down. They will not give up power willingly nor peacefully. They have committed too many crimes.

Or rather uninformed conspriacy ramblings.

I'm sorry but you don't know what you're talking about, and it seems you didn't even read the entire message that your firewall gave you.

With their FIREWALL, SPYWARE and VIRUS softwares "but" look under FIREWALL. This "ping trace" verbatim, came from somewhere northeasterly above Phila. PA. It lined straight back to D.C., then switched course back to VA, back to D.C., my city and back to VA again.

Look for PORT NUMBER and BLOCK IT!

And also a private firm contracting with some big outfit in VA to do a bunch of computer stuff on the QT. My step-nephew-in-law works there.
Top of the line stuff.

I remember an old history teacher I had in high school. He was OSS during WWII then with them for a bit as they morphed into the CIA. His words to us, long ago, "Kids, if you learn nothing else from this class, learn this: The Government is NOT your friend."

Things have only gotten worse in the decades since his warning.

V - E - R - * - Z - O-N.
Get it. They made BIG deal w/ MC* & were on CAP HILL abt month back.

AT & * & I'm tracing it right now from a UNKNOWN Satellite & Broadband. I know how to trace - and how to stop it. I am under a extremely private dedicated server at that. All should just be "highly" aware.

In other words, we were being "monitored" big-time.

I see activity... gotta keep it lite. Check under inbound events.

I have cable internet and our provider had a lot of problems that day (Statewide). I couldn't get the whole hearing--I missed the first 40 minutes or so and then my feed was cut off when Nadler started to talk. I was very upset at the time, but I also don't have any trojan problems now so maybe it was for the best. I did get to see the whole hearing on C-Span 2 later that evening.

I have had Norton find lots of non-deletable files on my computer when I do the weekly scan. My son manually deleted them, and for several weeks, the scan will run with nothing found. Then, suddenly there will be 30+ files that are a potentioal problem, but can't be deleted!

I never go to music sites or porn sites or the places I would expect to find problems like this.

I'm very surprised that it can happen from viewing c-span!

Some thing advised me to check.

12.170.145.0

throughout

12.170.145.255

BAN THESE IP'S from "INCOMING." Look under you're Utility.

video.c-span.org has address 12.170.145.134

And a simple traceroute shows that their video server is probably located in or around Washington, DC. The route from my house shows them using AT&T's network for internet access. Nothing bad or evil is going on here other than the fact that you're not correctly interpreting what's going on when you're viewing online video via UDP transport.

That is who owns the address block you specified.

As is the "National Cable and Satellite Corp," which happens to run C-SPAN (see the little copyright thing at the bottom of http://www.c-span.org )

Read more about the National Cable and Satellite Corporation here: http://biz.yahoo.com/ic/121/121883.html

"If you see events on this port when attempting to open Real Audio or Quick-Time clips, You may wish to make certain that these programs have "full" and not just "outbound" permissions."

Does Realplayer have "full" permissions? I would do some more investigation before assuming this is a trojan. RP also uses port 6970

Gate Crasher looks like a pretty typical backdoor hacking program, used by enterprising hackers to gain control over your machine:

http://www.nsclean.com/psc-gc.html

But just because you have traffic on port 6970 doesn't mean you have it. Did you do an AV scan? The above link also describes how to get rid of it.

http://securityresponse.symantec.com/avcenter/venc/data...
Discovered on: June 18, 2005
Last Updated on: June 19, 2005 08:57:59 AM

Trojan.Maocal is a Trojan horse that steals information and sends it to predetermined web servers.
Type:
Trojan Horse
Infection Length:
212,992 bytes
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows
NT, Windows XP


virus definition updates are available for June 18, 2005
http://www.symantec.com/index.htm



dp

It's called "Real Time Streaming Protocol." http://www.rtsp.org /

It's nothing nasty or evil, it's just getting packets of video data to your computer over the internet. Like the firewall warning says, you should only be concerned about this firewall alert if it appears when you are not viewing streaming audio/video.

USP should be "UDP" by the way, which stands for "User Datagram Protocol."

OK, so you said you were watching C-SPAN video via RealPlayer. So why are you surprised that you're getting UDP activity on port 6970? That is what RealPlayer uses to stream the video!

Look what you posted in your message:

"this port is also used to receive streaming media data in Real-Player and Quick-Time"

The GateCrasher trojan also uses port 6970 but via TCP protocol. You don't have anything to worry about.

I might as well mention for such purposes, I use X-NetStat Professional ( www.freshsw.com/xns/pro ) to identify real threats from normal traffic .. I did write it myself

Drew

Real Alternative does the media Real Player will bt has not caused any problems

Welcome to DU!!

Real player operates over a range of ports (6970 - 7170). If the firewall has allowed only one of those ports to be accessed remotley the server may have tried to communicate with real player on another port causing your firewall to alert. The full permission will allow for that full range to be accessed.

Besides torjans don't work unless you have the "server" on your computer (meaning you are infected with a virus).

Well isan't that just great! I think I'm better than a novice, but sure no expert by any means. I do get concerned when I read this kind of stuff.

To you folks who really are Tech gurus, please don't post alarms when they really aren't. Remember the chicken and the sky is falling? All you're doing is forcing the rest of us to think all the warnings are scares.

I kinda wish this person could have passed this by a couple computer guys before coming out with an instant conspiracy theory.

With all the credit card info infringements and personal data stuff, I think everyone is very suspect of anything. I know I trust the c-span site, but I have broadband and I know there's been a lot of info on how vulnerable that can be.

{isses me off that someone would post a problem by jumping to a conslusion without checking with someone who konws better.

Just giving a frienldy heads-up. Shew. Have a ncie night

to be sure.

can't hurt anyway.
dp

Another heads-up. Nice try, Dallas!

Nothing to panic about... I just refuse to allow "them" to trace me around but moments ago while on DU tonight Sat., 11:30 a Firewall Alert came in. I got offline and traced this latest ping "it's considered an "incoming."

The Map shows this Saturday, 11:49 pm EST came from: RightBrain

Route of Incoming Unsolicitated Trace:
FROM: Dallas, TX
Routing straight-up to Baltimore
Then New York & Chicago at sametime
Then back to Dallas, TX.

Statement from Trace: "This is the route data is taking across the internet between the source (above) and your computer." The IP address has attempted an unsolicited connection to UDP port XXXX on XXX computer.

Name of Event: RightBrain

Ok... I get it now. "Right-Brain." If only they had half of one. Nice try Dallas.

the many posts pointing out that you are being alarmist and not correctly interpreting the errors your firewall is throwing at you. Thanks to the abundance of script kiddies, IP scans are nothing unusual.

Upthread you advised everyone to block the entire C-SPAN netblock. If you do that you will not be able to stream C-SPAN video:

12.170.145.128 - 12.170.145.255
NATIONAL CABLE AND SATELLITE CORP
400 N CAPITOL STREET NW
WASHINGTON, DC
US

I am in computer security for a living and this is all standard internet traffic. Auntie, if you have questions or would like more information, you can PM me. Hope this calms things down a bit, now lets all get ready to take down an evil president!

self delete

A computer at www.democraticunderground.com has attempted an unsolicited connection to TCP port 2918 on your computer.
TCP port 2918 is commonly used by the "Kasten Chase Pad" service or program.

The one in arlington virginia no less called Council of National Policy. They're a bunch of lunatics joined with PNAC. There was no way these guys got real people's addresses. Not if people here are smart *wink wink*