Democratic Underground Latest Greatest Lobby Journals Search Options Help Login
Google

If You Watched C-SPAN'S DSM LIVE THUR - TROJAN ALERT

Printer-friendly format Printer-friendly format
Printer-friendly format Email this thread to a friend
Printer-friendly format Bookmark this thread
This topic is archived.
Home » Discuss » Archives » General Discussion (Through 2005) Donate to DU
 
AuntiBush Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:01 PM
Original message
If You Watched C-SPAN'S DSM LIVE THUR - TROJAN ALERT
Edited on Sat Jun-18-05 10:05 PM by AuntiBush
Major Heads-up Everyone:

After watching the "DSM" Judiciary Conference video live on via C-Span's Internet web-cast Thursday, alerts came in thereafter from my Firewall Alert:

Thursday 2:54:09 PM EST: My firewall showed last night that while I was watching (Real Player) the DSM conference, some "one/thing" was "tracing me." The lined live activity US map showed it started from C-SPAN.ORG. It "pinged" far NE-easterly of Philadelphia by the Atlantic, richening straight down to somewhere in VA; from there it headed straight back to a "Satellite/Broadband" data-watch (UNK) to my city; then to D.C., then back to VA.

I've never seen anything like this. I blocked all ISP's and PORTS, yet the most frightening "Firewall Alert" traced this iss a Govt Trojan Horse. Having some of the best paid for (not freeware) firewalls/Virus Scanners/Router and Spy-ware running at all times, never has this occurred - never in years. The local site performing the pinging (tracing) was not my broadband, but was on Capital Hill merging w/Direct-TV quietly, and more publicly MCI.


USA MAP showing "as it happens" Trojan activity EXTREMELY active over TX & D.C. - everywhere else literally dead.

EXACTLY WHAT MY FIREWALL SHOWED ME: Note the USP showed as USD (?)

A computer you were communicating with at video.c-span.org has attempted to access a different port than expected (USP port 6970). USP port 6970 is commonly used by the "GateCrasher Trojan / RTSP streaming Media" service or program. Gate Crasher is a Trojan horse program. The Gate Crasher trojan uses TCP to connect. However, this port is also used to receive streaming media data in Real-Player and Quick-Time, but using UDP. If you see events on this port when attempting to open Real Audio or Quick-Time clips, You may wish to make certain that these programs have "full" and not just "outbound" permissions. If you do so, please make certain you are running the latest anti-virus application and definitions.
Printer Friendly | Permalink |  | Top
 
goclark Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:04 PM
Response to Original message
1. Kick for more responses


I was watching and I didn't receive anything here in CA.
Printer Friendly | Permalink |  | Top
 
AuntiBush Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:08 PM
Response to Reply #1
2. TONIGHT ALERT: MAJOR HEAVY ACTIVITY OVER DC/TX
Major Activity (LIVE FEED AS I TYPE THIS):

"ALL OVER TX & DC, yet across nation "quite as door mouse."
Printer Friendly | Permalink |  | Top
 
havocmom Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:10 PM
Response to Reply #2
6. Major alert for what?
a bit more info for us Luddites por favor
Printer Friendly | Permalink |  | Top
 
AuntiBush Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:15 PM
Response to Reply #6
12. We are being monitored...
straight from a highly sophisticated Satellite & Broadband server by UNKNOWN address. It started at C-SPAN.org.

This is not hype.
Printer Friendly | Permalink |  | Top
 
Just Me Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:19 PM
Response to Reply #12
15. Um, I don't care.
I just don't care. If we are being monitored, so the fuck what!!!!
Printer Friendly | Permalink |  | Top
 
AuntiBush Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 11:05 PM
Response to Reply #15
37. Agreed. I'm F'um w/them right back ;)
Printer Friendly | Permalink |  | Top
 
wookie294 Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 11:14 PM
Response to Reply #15
43. Being monitored sucks !
I've had a few Trojans infect my computer. It slows the computer down, like spyware. Very annoying! People should definitely have antiviral and spyware software on their computers. My antivirus software updates with new viruses and trojans every hour, sometimes more than twice an hour! That's how common they are.
Printer Friendly | Permalink |  | Top
 
havocmom Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:30 PM
Response to Reply #12
23. Oh, I definately believe we are monitored
Jst not sure what that meant. The internet is hrting the junta big time. They will shut us down before they allow us to take them down. They will not give up power willingly nor peacefully. They have committed too many crimes.
Printer Friendly | Permalink |  | Top
 
high density Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:35 PM
Response to Reply #12
26. Yeah, it is hype
Or rather uninformed conspriacy ramblings.

I'm sorry but you don't know what you're talking about, and it seems you didn't even read the entire message that your firewall gave you.
Printer Friendly | Permalink |  | Top
 
AuntiBush Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 11:06 PM
Response to Reply #26
38. Respectfully, I do know. Thought I'd be of help.
Printer Friendly | Permalink |  | Top
 
AuntiBush Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:10 PM
Response to Reply #1
5. Thanks. Everyone should check their "INCOMING ACTIVITY"
Edited on Sat Jun-18-05 10:10 PM by AuntiBush
With their FIREWALL, SPYWARE and VIRUS softwares "but" look under FIREWALL. This "ping trace" verbatim, came from somewhere northeasterly above Phila. PA. It lined straight back to D.C., then switched course back to VA, back to D.C., my city and back to VA again.

Look for PORT NUMBER and BLOCK IT!
Printer Friendly | Permalink |  | Top
 
havocmom Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:08 PM
Response to Original message
3. ping to VA? Isn't that where they keep Langley and all the spooks?
And also a private firm contracting with some big outfit in VA ;) to do a bunch of computer stuff on the QT. My step-nephew-in-law works there.
Top of the line stuff.

I remember an old history teacher I had in high school. He was OSS during WWII then with them for a bit as they morphed into the CIA. His words to us, long ago, "Kids, if you learn nothing else from this class, learn this: The Government is NOT your friend."

Things have only gotten worse in the decades since his warning.
Printer Friendly | Permalink |  | Top
 
AuntiBush Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:11 PM
Response to Reply #3
8. Thank you for saying it. Yes! Get it.
Printer Friendly | Permalink |  | Top
 
AuntiBush Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:13 PM
Response to Reply #3
11. Look at Post.
V - E - R - * - Z - O-N.
Get it. They made BIG deal w/ MC* & were on CAP HILL abt month back.

AT & * & I'm tracing it right now from a UNKNOWN Satellite & Broadband. I know how to trace - and how to stop it. I am under a extremely private dedicated server at that. All should just be "highly" aware.

In other words, we were being "monitored" big-time.
Printer Friendly | Permalink |  | Top
 
dooner Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:08 PM
Response to Original message
4. Sounds like something the average Internet user wouldn't notice?
Edited on Sat Jun-18-05 10:09 PM by dooner
Printer Friendly | Permalink |  | Top
 
AuntiBush Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:17 PM
Response to Reply #4
13. Exactly. Novice, maybe...
I see activity... gotta keep it lite. Check under inbound events.
Printer Friendly | Permalink |  | Top
 
samdogmom Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:10 PM
Response to Original message
7. I watched live with Real Player
I have cable internet and our provider had a lot of problems that day (Statewide). I couldn't get the whole hearing--I missed the first 40 minutes or so and then my feed was cut off when Nadler started to talk. I was very upset at the time, but I also don't have any trojan problems now so maybe it was for the best. I did get to see the whole hearing on C-Span 2 later that evening.
Printer Friendly | Permalink |  | Top
 
napi21 Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:11 PM
Response to Original message
9. WOW, you're a lot better at tech stuff than I am. I must tell ya
I have had Norton find lots of non-deletable files on my computer when I do the weekly scan. My son manually deleted them, and for several weeks, the scan will run with nothing found. Then, suddenly there will be 30+ files that are a potentioal problem, but can't be deleted!

I never go to music sites or porn sites or the places I would expect to find problems like this.

I'm very surprised that it can happen from viewing c-span!
Printer Friendly | Permalink |  | Top
 
AuntiBush Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:18 PM
Response to Reply #9
14. NOTE: This is NOT showing under Regular ALERTS.
Some thing advised me to check.
Printer Friendly | Permalink |  | Top
 
AuntiBush Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:21 PM
Response to Reply #14
16. Look for this:
12.170.145.0

throughout

12.170.145.255

BAN THESE IP'S from "INCOMING." Look under you're Utility.
Printer Friendly | Permalink |  | Top
 
Coexist Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:22 PM
Response to Reply #16
18. how?
Printer Friendly | Permalink |  | Top
 
high density Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:39 PM
Response to Reply #16
28. Uhhh, that's C-SPAN's video server sending you video data!!
Edited on Sat Jun-18-05 10:57 PM by high density
video.c-span.org has address 12.170.145.134

And a simple traceroute shows that their video server is probably located in or around Washington, DC. The route from my house shows them using AT&T's network for internet access. Nothing bad or evil is going on here other than the fact that you're not correctly interpreting what's going on when you're viewing online video via UDP transport.
Printer Friendly | Permalink |  | Top
 
kittenpants Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:40 PM
Response to Reply #16
29. Why do you want us to block America Coming Together?
That is who owns the address block you specified.
Printer Friendly | Permalink |  | Top
 
high density Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:45 PM
Response to Reply #29
31. Heh, yup ACT is in that block
Edited on Sat Jun-18-05 10:53 PM by high density
As is the "National Cable and Satellite Corp," which happens to run C-SPAN (see the little copyright thing at the bottom of http://www.c-span.org )

Read more about the National Cable and Satellite Corporation here: http://biz.yahoo.com/ic/121/121883.html

National Cable Satellite Corporation is a political junkie. The not-for-profit company (better known as C-SPAN, which stands for Cable Satellite Public Affairs Network) was created in 1979 by the cable industry as a public service to provide live coverage of the US House of Representatives. The corporation's C-SPAN, C-SPAN2, and C-SPAN3 air public proceedings such as congressional sessions, White House press briefings and speeches, British House of Commons sessions, and other political and public affairs programs. C-SPAN also runs a radio network with content similar to its TV broadcasts, and publishes six Web sites. The company gets its funds from monthly license fees paid by cable television systems.
Printer Friendly | Permalink |  | Top
 
AuntiBush Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 11:07 PM
Response to Reply #31
39. Thanks.
Printer Friendly | Permalink |  | Top
 
knowbody0 Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:12 PM
Response to Original message
10. KICK
Printer Friendly | Permalink |  | Top
 
THX1138 Donating Member (276 posts) Send PM | Profile | Ignore Sat Jun-18-05 10:22 PM
Response to Original message
17. From the error
"If you see events on this port when attempting to open Real Audio or Quick-Time clips, You may wish to make certain that these programs have "full" and not just "outbound" permissions."

Does Realplayer have "full" permissions? I would do some more investigation before assuming this is a trojan. RP also uses port 6970

Gate Crasher looks like a pretty typical backdoor hacking program, used by enterprising hackers to gain control over your machine:

http://www.nsclean.com/psc-gc.html

But just because you have traffic on port 6970 doesn't mean you have it. Did you do an AV scan? The above link also describes how to get rid of it.
Printer Friendly | Permalink |  | Top
 
dweller Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:23 PM
Response to Original message
19. Norton has info on new Trojan.Maocal
http://securityresponse.symantec.com/avcenter/venc/data...
Discovered on: June 18, 2005
Last Updated on: June 19, 2005 08:57:59 AM

Trojan.Maocal is a Trojan horse that steals information and sends it to predetermined web servers.
Type:
Trojan Horse
Infection Length:
212,992 bytes
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows
NT, Windows XP


virus definition updates are available for June 18, 2005
http://www.symantec.com/index.htm

:shrug:

dp
Printer Friendly | Permalink |  | Top
 
Rainscents Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:56 PM
Response to Reply #19
34. Hey thanks! Is this mean, I get a daily update?
Edited on Sat Jun-18-05 10:58 PM by Rainscents
Printer Friendly | Permalink |  | Top
 
fooj Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:26 PM
Response to Original message
20. Aunti- I just recommended! You are right to warn us! Thanks!
:hide:
Printer Friendly | Permalink |  | Top
 
high density Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:30 PM
Response to Original message
21. RTSP streaming media is the transport that was used for the video stream
Edited on Sat Jun-18-05 10:30 PM by high density
It's called "Real Time Streaming Protocol." http://www.rtsp.org /

It's nothing nasty or evil, it's just getting packets of video data to your computer over the internet. Like the firewall warning says, you should only be concerned about this firewall alert if it appears when you are not viewing streaming audio/video.

USP should be "UDP" by the way, which stands for "User Datagram Protocol."
Printer Friendly | Permalink |  | Top
 
drfresh Donating Member (424 posts) Send PM | Profile | Ignore Sat Jun-18-05 10:30 PM
Response to Original message
22. Dude, are you sure?
Edited on Sat Jun-18-05 10:46 PM by drfresh
OK, so you said you were watching C-SPAN video via RealPlayer. So why are you surprised that you're getting UDP activity on port 6970? That is what RealPlayer uses to stream the video!

Look what you posted in your message:

"this port is also used to receive streaming media data in Real-Player and Quick-Time"

The GateCrasher trojan also uses port 6970 but via TCP protocol. You don't have anything to worry about.

I might as well mention for such purposes, I use X-NetStat Professional ( www.freshsw.com/xns/pro ) to identify real threats from normal traffic .. I did write it myself :)

Drew


Printer Friendly | Permalink |  | Top
 
havocmom Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:34 PM
Response to Reply #22
25. We pulled Real Player outta the 'puter long ago it is nothing but trouble
Real Alternative does the media Real Player will bt has not caused any problems
Printer Friendly | Permalink |  | Top
 
newyawker99 Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Jun-19-05 08:08 AM
Response to Reply #22
47. Hi drfresh!!
Welcome to DU!! :toast:
Printer Friendly | Permalink |  | Top
 
jim3775 Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:33 PM
Response to Original message
24. Nothing to worry about,
Edited on Sat Jun-18-05 10:33 PM by jim3775
Real player operates over a range of ports (6970 - 7170). If the firewall has allowed only one of those ports to be accessed remotley the server may have tried to communicate with real player on another port causing your firewall to alert. The full permission will allow for that full range to be accessed.

Besides torjans don't work unless you have the "server" on your computer (meaning you are infected with a virus).
Printer Friendly | Permalink |  | Top
 
napi21 Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:38 PM
Response to Reply #24
27. So these folks were getting me all excited about nothing?
Well isan't that just great! I think I'm better than a novice, but sure no expert by any means. I do get concerned when I read this kind of stuff.

To you folks who really are Tech gurus, please don't post alarms when they really aren't. Remember the chicken and the sky is falling? All you're doing is forcing the rest of us to think all the warnings are scares.
Printer Friendly | Permalink |  | Top
 
high density Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:43 PM
Response to Reply #27
30. I'm going to guess that the OP isn't a tech guru
I kinda wish this person could have passed this by a couple computer guys before coming out with an instant conspiracy theory.
Printer Friendly | Permalink |  | Top
 
napi21 Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:50 PM
Response to Reply #30
32. Thanks. It just agrivates the common folk, ya know?
With all the credit card info infringements and personal data stuff, I think everyone is very suspect of anything. I know I trust the c-span site, but I have broadband and I know there's been a lot of info on how vulnerable that can be.

{isses me off that someone would post a problem by jumping to a conslusion without checking with someone who konws better.
Printer Friendly | Permalink |  | Top
 
AuntiBush Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 11:09 PM
Response to Reply #30
40. Thanks for the DU Respect there. Not a Conspiracy Theorist.
Just giving a frienldy heads-up. Shew. Have a ncie night
Printer Friendly | Permalink |  | Top
 
dweller Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 10:50 PM
Response to Reply #27
33. update your virus defs
to be sure.

can't hurt anyway.
dp
Printer Friendly | Permalink |  | Top
 
AuntiBush Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 11:04 PM
Response to Reply #33
36. Constantly... Always. Geez. I want my Freedom back!
Printer Friendly | Permalink |  | Top
 
AuntiBush Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 11:01 PM
Response to Original message
35. Ok: Had to FAST TRACK Get Offline - New Trace from Dallas
Edited on Sat Jun-18-05 11:03 PM by AuntiBush
Another heads-up. Nice try, Dallas!

Nothing to panic about... I just refuse to allow "them" to trace me around but moments ago while on DU tonight Sat., 11:30 a Firewall Alert came in. I got offline and traced this latest ping "it's considered an "incoming."

The Map shows this Saturday, 11:49 pm EST came from: RightBrain

Route of Incoming Unsolicitated Trace:
FROM: Dallas, TX
Routing straight-up to Baltimore
Then New York & Chicago at sametime
Then back to Dallas, TX.

Statement from Trace: "This is the route data is taking across the internet between the source (above) and your computer." The IP address has attempted an unsolicited connection to UDP port XXXX on XXX computer.

Name of Event: RightBrain

Ok... I get it now. "Right-Brain." If only they had half of one. Nice try Dallas.
Printer Friendly | Permalink |  | Top
 
THX1138 Donating Member (276 posts) Send PM | Profile | Ignore Sat Jun-18-05 11:10 PM
Response to Reply #35
41. You seem to be ignoring
the many posts pointing out that you are being alarmist and not correctly interpreting the errors your firewall is throwing at you. Thanks to the abundance of script kiddies, IP scans are nothing unusual.

Upthread you advised everyone to block the entire C-SPAN netblock. If you do that you will not be able to stream C-SPAN video:

12.170.145.128 - 12.170.145.255
NATIONAL CABLE AND SATELLITE CORP
400 N CAPITOL STREET NW
WASHINGTON, DC
US
Printer Friendly | Permalink |  | Top
 
kittenpants Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 11:12 PM
Response to Original message
42. None of this is anything to be worried about.
I am in computer security for a living and this is all standard internet traffic. Auntie, if you have questions or would like more information, you can PM me. Hope this calms things down a bit, now lets all get ready to take down an evil president!
Printer Friendly | Permalink |  | Top
 
helderheid Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 11:16 PM
Response to Original message
44. delete
Edited on Sat Jun-18-05 11:20 PM by helderheid
self delete
Printer Friendly | Permalink |  | Top
 
HeeBGBz Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 11:22 PM
Response to Original message
45. Why is DU trying to access my computer?
A computer at www.democraticunderground.com has attempted an unsolicited connection to TCP port 2918 on your computer.
TCP port 2918 is commonly used by the "Kasten Chase Pad" service or program.
Printer Friendly | Permalink |  | Top
 
LightningFlash Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Jun-18-05 11:27 PM
Response to Original message
46. Just another right-wing crazy group....
The one in arlington virginia no less called Council of National Policy. They're a bunch of lunatics joined with PNAC. There was no way these guys got real people's addresses. Not if people here are smart *wink wink*
Printer Friendly | Permalink |  | Top
 
DU AdBot (1000+ posts) Click to send private message to this author Click to view 
this author's profile Click to add 
this author to your buddy list Click to add 
this author to your Ignore list Fri Mar 24th 2017, 02:02 PM
Response to Original message
Advertisements [?]
 Top

Home » Discuss » Archives » General Discussion (Through 2005) Donate to DU

Powered by DCForum+ Version 1.1 Copyright 1997-2002 DCScripts.com
Software has been extensively modified by the DU administrators


Important Notices: By participating on this discussion board, visitors agree to abide by the rules outlined on our Rules page. Messages posted on the Democratic Underground Discussion Forums are the opinions of the individuals who post them, and do not necessarily represent the opinions of Democratic Underground, LLC.

Home  |  Discussion Forums  |  Journals |  Store  |  Donate

About DU  |  Contact Us  |  Privacy Policy

Got a message for Democratic Underground? Click here to send us a message.

© 2001 - 2011 Democratic Underground, LLC