#1
01-11-2006
river_dance
Bronze Member
Join Date: Jan 2006
Posts: 3
[Answered] Please Help-Unwelcome Javascript in Webpages

Hi All,

Recently I've discovered the following javascript inserted into all the webpages saved.
"<script language='javascript' src='http://127.0.0.1:1028/js.cgi?pca&r=26500'></script>"

I have tried running Ad-Aware, Spy Sweeper, CounterSpy and CCleaner from Safe Mode but none of the programs detected anything.
This script appeared in the source code of all the web pages I've saved after 05 December, 2005 whether I am using IE, Opera or Firefox.

Attached is my Hijackthis log.

Please Help & Thanks in advance.
Attached Files
File Type: log hijackthis.log (4.1 KB, 2 views)


#2
01-12-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Hi there River_Dance, welcome to PCHF.

Sorry for the late response, somehow I missed your post.

But you have used a very old version of HJT, can you download the latest and post a log from that please? See below for a link.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

#3
01-12-2006
bdude
Gold Member
Join Date: Jul 2005
Location: Hunter Valley, NSW
Posts: 279

According to this:

Name:
-none-

Purpose:
-none-

Description:
Microsoft operating systems tend to allocate one or more unsuspected, publicly exposed services (probably DCOM, but who knows) among the first handful of ports immediately above the end of the service port range (1024+).

Related Ports:
1024, 1025, 1026, 1027, 1029, 1030




Background and Additional Information:

The most distressing aspect of this, is that these service ports are wide open to the external Internet. If Microsoft wants to allow DCOM services and clients operating within a single machine to inter-operate, that's fine. But in that case the DCOM service ports should be "locally bound" so that they are not wide open and flapping in the Internet breeze. This is trivial to do, but Microsoft doesn't bother. Or, if there might be some reason to have DCOM used within a local area network, DCOM traffic could be generated with packets having their TTL (time to live) set down to one or two. This would allow DCOM packets complete local freedom, but they would expire immediately after crossing one or two router hops. The point is, there are many things Microsoft could easily do if they had any true concern for, or understanding of, Internet security. Who knows what known or unknown, discovered or yet to be discovered vulnerabilities already exist in those exposed servers and services? This is PRECISELY the situation which hit end users who didn't realize they were running a personal version of Microsoft's IIS web server when the Code Red and Nimda worms hit them and installed backdoor Trojans in their systems. And it's IDENTICAL to the situation when the SQL Slammer worm ripped across the Internet and tens of thousands of innocent end users discovered, to their total surprise, that some other software (Here's an off-site link to SQL-installing applications.) had silently installed Microsoft's insecure and now exploited SQL server into their machines, and that server had silently opened their ports 1433 and 1434 to the entire Internet.
If you are reading this page because our port analysis has revealed that you have open ports lying between 1024 and 1030, it would certainly be in your best interests to configure your personal firewall to block incoming connection requests (TCP SYN packets) to those low-numbered ports.
Unfortunately, since Windows initially initiates outgoing connections from this same low-numbered port range (as the first ports it uses immediately after booting), you may need to be careful with the configuration of your firewall rules. Otherwise you may find that the first several outbound connection attempts made by Windows will fail because returning traffic has been blocked at your firewall. However, any good stateful personal firewall, such as Zone Alarm and probably others, ought to block these low-numbered ports automatically. And, of course, placing any network behind a NAT router provides extremely good hardware firewall protection for your system(s).
Trojan Sightings: ICKiller


1028 is a common spyware port


__________________

The Blogging Café - Tips and tricks for bloggers
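The distinction the quoted text draws between "locally bound" ports and ports open to the Internet can be checked from a listener table. This is an added example, not part of any post in the thread; it assumes text in the layout of Windows `netstat -an` output, and the sample rows are constructed.

```python
import ipaddress

# Constructed sample in the layout of Windows `netstat -an` output.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1029      203.0.113.7:80         ESTABLISHED
  TCP    [::]:1027              [::]:0                 LISTENING
  UDP    0.0.0.0:1026           *:*
"""

def low_port_listeners(netstat_text, low=1024, high=1030):
    """Return (proto, address, port, exposure) for listeners in low..high."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        # TCP rows carry a state; only LISTENING sockets accept connections.
        if fields[0] == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        host, _, port = fields[1].rpartition(":")
        try:
            addr = ipaddress.ip_address(host.strip("[]"))
            port = int(port)
        except ValueError:
            continue
        if not low <= port <= high:
            continue
        if addr.is_loopback:
            exposure = "loopback-only"      # reachable from this machine only
        elif addr.is_unspecified:
            exposure = "all-interfaces"     # bound to 0.0.0.0 or ::
        else:
            exposure = "single-interface"
        found.append((fields[0], str(addr), port, exposure))
    return found

if __name__ == "__main__":
    for row in low_port_listeners(SAMPLE):
        print("%-3s %-12s %-5d %s" % row)
```

Rows reported as `all-interfaces` are the ones the quoted advice says to block at the firewall; a `loopback-only` listener, like the 127.0.0.1 address in the injected script, is not reachable from other hosts.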
#4
01-12-2006
river_dance
Bronze Member
Join Date: Jan 2006
Posts: 3

Hi guys,

Here is my new Hijackthis log. Can you explain it in plain English? I am still a computer novice.

Thanks
Attached Files
File Type: txt hjt.txt (5.3 KB, 0 views)



Last edited by joe5; 01-12-2006 at 04:16 PM.
#5
01-12-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Looks clean to me, I would update Windows though.

I don't know what that script is, but since 127.0.0.1 is a loopback to your own machine I presume it's harmless.


Did you maybe install new software around 5 Dec?


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

#6
01-16-2006
river_dance
Bronze Member
Join Date: Jan 2006
Posts: 3

Hi Joe5,

Well, at least now I know there is nothing malicious in my PC. BTW, any way to remove that script? I did install several programs in Dec. but do not know which one is causing the problem.


Thanks anyway


#7
01-16-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

I think it's ZoneAlarm that puts that code there, did you install that around 5 Dec?


EDIT, yup it's ZoneAlarm's ad blocking:

When good intentions go bad.... the Zone Alarm js.cgi code occurs when the PRIVACY / AD BLOCKING setting is set to HIGH [ver. 6.0.667.000]. Setting it to MEDIUM removes the problem. With this setting, Zone Alarm encapsulated images that I embedded in web pages containing hyperlinks with the code shown below (which EXCLUDES image references). Notice that just the hyperlinks are present. When I removed the hyperlinks, Zone Alarm let the image code come through. This was a very frustrating problem to resolve. (My MACS worked just fine of course because no Zone Alarm; also Virtual PC on my MAC worked fine because I don't have Zone Alarm installed.) I only discovered the js.cgi code after comparing browser source code on two different machines. One displayed the js.cgi code and the other (earlier version of ZA) didn't: it showed both images and hyperlinks just fine. A Google search turned up http://www.computerforum.com noting a ZA problem.

Code:
ZONE ALARM JS.CGI CODE (when hyperlinks are included in image).... 

<html> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> 
<title>test_link</title> 
<script language='javascript' src='http://127.0.0.1:1048/js.cgi?pca&r=503'></script> 
</head> 
<body> 
<p><a target="_blank" href="http://www.galleyware.com"> 
</a></p> 
<p><a target="_blank" href="http://www.galleyware.com"> 
</a></p> 
</body> 
</html> 

<script language='javascript'>postamble();</script>


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -


Last edited by joe5; 01-16-2006 at 08:13 PM.
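For pages that were already saved with the injected tags, a cleanup pass can strip them. This is an added example, not part of any post in the thread; it assumes the two tag shapes quoted above (a `js.cgi` script on 127.0.0.1 at any port, and the trailing `postamble();` call), and the sample page and `site.js` are constructed.

```python
import re
import shutil

# <script> whose src is js.cgi on the loopback address, any port
# (the posts above show ports 1028 and 1048).
INJECTED_SRC = re.compile(
    r"""<script\b[^>]*\bsrc\s*=\s*['"]http://127\.0\.0\.1:\d+/js\.cgi"""
    r"""[^'"]*['"][^>]*>\s*</script>\s*""",
    re.IGNORECASE,
)
# The inline call appended after </html>.
INJECTED_POSTAMBLE = re.compile(
    r"<script\b[^>]*>\s*postamble\(\);\s*</script>\s*", re.IGNORECASE
)

# Constructed sample modeled on the saved page quoted in the thread;
# site.js is a made-up legitimate script that must survive the cleanup.
SAMPLE_PAGE = """<html>
<head>
<title>test_link</title>
<script language='javascript' src='http://127.0.0.1:1048/js.cgi?pca&r=503'></script>
<script src='site.js'></script>
</head>
<body><p>saved page</p></body>
</html>

<script language='javascript'>postamble();</script>
"""

def strip_injected(html):
    """Return (cleaned_html, tags_removed)."""
    html, n_src = INJECTED_SRC.subn("", html)
    html, n_post = INJECTED_POSTAMBLE.subn("", html)
    return html, n_src + n_post

def clean_file(path):
    """Clean one saved page in place; the original is kept as path + '.bak'."""
    # latin-1 maps each byte to one character, so the bytes round-trip unchanged.
    with open(path, encoding="latin-1", newline="") as f:
        original = f.read()
    cleaned, removed = strip_injected(original)
    if removed:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="latin-1", newline="") as f:
            f.write(cleaned)
    return removed
```

This only repairs files saved earlier; the setting change described in the post above is what stops new pages from being saved with the tags.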
