-
October 21st, 2004, 11:17 AM
#1
cyberarmy
I just installed Symantec Client Security 2 on my computer (no hassles, ok?).
I was looking through the logs and stuff getting acquainted with the software when I noticed some traffic to/from www.cyberarmy.com. I know I've never been there, and didn't even know what it was so I looked into it.
No webpages came up for me though searches indicated it was a hacking oriented website.
I pinged cyberarmy.com and got a normal IP address, but no replies. I ping www.cyberarmy.com (with the www) and it gives me the loopback address and replies (127.0.0.1).
I am aware that DNS entries can be modified to point to any IP address, but my question is ... How the heck does my computer know about www.cyberarmy.com?
After looking at the traffic some more, it all looks like legit localhost traffic, I just don't know why my computer is insisting on using www.cyberarmy.com instead of localhost or 127.0.0.1. Fresh computer, no virus, no adware, no hosts modifications.
Anyone with insights?
-
October 21st, 2004, 01:29 PM
#2
Registered User
You apparently didn't search enough. After a bit of googling, it appears that cyberarmy is a hacker resource, including lists of proxies and netgates, how to set up false IPs, etc. Take a look at some of these: http://www.google.com/search?num=30&...army.%2Bcom%22
Suggest you block it and run HijackThis to see if you've been compromised. Even a fresh computer can be compromised in a matter of minutes if online without a firewall.
-
October 21st, 2004, 07:27 PM
#3
Registered User
Did you check your host files on your computer?
I believe it's lmhost.sam on winXP
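An added example, not part of the thread: one way to run the hosts-file check suggested above is to flag any non-local hostname that a hosts file pins to a loopback or null address, which would produce the ping result described in the first post. The sample file contents and the function names are constructed for illustration.

```python
import ipaddress

# Names that are normally expected to map to loopback.
EXPECTED_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback",
}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: skip malformed line
        for name in fields[1:]:  # one address may carry several aliases
            yield line_no, ip, name.lower()

def loopback_redirects(text):
    """Return [(line_no, hostname)] for non-local names pinned to 127.x, ::1 or 0.0.0.0."""
    hits = []
    for line_no, ip, name in parse_hosts(text):
        if (ip.is_loopback or ip.is_unspecified) and name not in EXPECTED_LOOPBACK_NAMES:
            hits.append((line_no, name))
    return hits

# Constructed sample, not taken from the poster's machine.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.cyberarmy.com    # would explain the ping result
192.0.2.10      fileserver.example
0.0.0.0         ads.example.invalid
"""

if __name__ == "__main__":
    for line_no, name in loopback_redirects(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} is pinned to a loopback/null address")
```

On Windows XP the file to feed in is `%SystemRoot%\system32\drivers\etc\hosts`. An empty result only rules out the hosts file; it says nothing about other resolver tampering.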
-
October 22nd, 2004, 10:30 AM
#4
Apparently I should have been even more clear than I was.
[QUOTE]No webpages came up for me though searches indicated it was a hacking oriented website.[/QUOTE]
Hudsonsmith, as you can see from my original post, I DID search and found out what the website was, just didn't know why there was traffic.
I'm not a total 'tard when it comes to tracking this stuff down. I found out what it was eventually though. Newest updates on a few different antivirus programs and adware/malware scanners didn't find it, but I tracked it down to a .dll that was on my computer. Wasn't showing up on HijackThis, or any other scans, but was in use somehow. I ended up having to google all of the files in use that I didn't recognize (quite a few) and found the one running, kctrl32.dll was the culprit.
I do have a hardware pretty locked down, but have some ports open for usual traffic of course. I was just in the process of installing a software firewall and noticed a lot of IRC traffic wanting to get out.
This all came about after a FRESH install from an HP operating system disk and driver disk. There was no extra software installed and I had never even attached to the network when I first saw the traffic in the software firewall logs.
-
October 22nd, 2004, 11:17 AM
#5
Registered User
My apologies if I misunderstood, but glad to see you got it sorted out. Are you saying that this computer was not connected to the internet? If that's the case, I would be all over HP's @ss on this. Otherwise, I've seen studies that unprotected open ports can now be hit in 15 seconds.
-
October 23rd, 2004, 05:27 PM
#6
 Originally Posted by hudsonsmith
My apologies if I misunderstood, but glad to see you got it sorted out. Are you saying that this computer was not connected to the internet? If that's the case, I would be all over HP's @ss on this. Otherwise, I've seen studies that unprotected open ports can now be hit in 15 seconds.
Yeah, I second that!!!
I get many, many attempts to relay spam through my home email server. I have noticed from my logfiles, that most of the traffic originates from South Korea, and China.
They are even sending HELO and EHELO [my ip address] to try to fool my server into relaying mail.
To combat this, I use two factor authentication, aPOP, and aSMTP, and it stops all illegal activity.