Jump to content
Login new information ×
Login new information
Donations campaign phase one 2024

Apps connecting to *.1337x.org

Tunerz

By Tunerz
in Security & Privacy Center

Recommended Posts

Tunerz

Tunerz

Posted
Posted

For some weird reason, Adobe Reader, SpiderOak, Firefox, and other Internet-aware apps are trying to connect what seems to be some sort of torrent trackers. I managed to find it in Online Armor logs. I'm baffled that all point to localhost address 127.0.0.1 plus some random port.

Screenshots:

ss1.png?psid=1

ss2.png?psid=1

ss3.png?psid=1ss4.png?psid=1

ss5.png?psid=1

ss6.png?psid=1

ss7.png?psid=1

Could it be some backdoor going through?

Link to comment
Share on other sites
  • Replies 9
  • Views 1.7k
  • Created
  • Last Reply
  • Administrator
DKT27

DKT27

Posted
  • Administrator
Posted

Are you using any fix for MS Office? Cause I think one of it's fixes does that, but not 100% sure. Check your Hosts file too.

Link to comment
Share on other sites
Tunerz

Tunerz

Posted
  • Author
Posted

I've been using Office 2010 Toolkit v2.2.3 from MDL for a long time now; however, it only uses KMSEmulator.exe and port 1688.

Also, this is the contents of my host file

127.0.0.1 activate.adobe.com

207.46.170.123 youporn.com #points to microsoft.com

207.46.170.123 www.youporn.com #points to microsoft.com

66.220.146.11 www.facebook.com

66.220.146.11 facebook.com

66.220.146.11 www.puntakadito.com

66.220.146.11 puntakadito.com

207.46.170.123 fhm.com.ph #points to microsoft.com

207.46.170.123 www.fhm.com.ph #points to microsoft.com

207.46.170.123 www.fhm.com #points to microsoft.com

#80.168.48.103 formula1.com

#80.168.48.103 www.formula1.com

Additionally, this is one of the prompts I got from Online Armor

ss8.png?psid=1

Link to comment
Share on other sites
Atasas

Atasas

Posted
Posted

Clearly its some sort of malware> Just run MBAM and some CCleaner or else- such connections dont appear to be as what they are.

Link to comment
Share on other sites
Tunerz

Tunerz

Posted
  • Author
Posted

I also posted this in Emsisoft forums to see if they would also know this issue. Anyway, I'm currently backing up most files, steam games, drivers, and installers. Afterwards, I'll resume MBAM's scanning. If ever it didn't find anything, I'll finally do my very first reformat for my lappy.

Link to comment
Share on other sites
kmr1684

kmr1684

Posted
Posted

sorry to dissappointing you buddy but check twice or thrice of your device driver back up before backing up, becoz nowadays nasties can infect the pc any way thsy want so check it before back up thats it bye bye bye :P

Link to comment
Share on other sites
Kojootti

Kojootti

Posted
Posted

I also posted this in Emsisoft forums to see if they would also know this issue. Anyway, I'm currently backing up most files, steam games, drivers, and installers. Afterwards, I'll resume MBAM's scanning. If ever it didn't find anything, I'll finally do my very first reformat for my lappy.

I checked the site, and gotta say.. pretty f*n lame behaviour of an torrent site to plant some malware on their site.

You obviously have mistakenly clicked here:

post-20025-0-92540900-1325887565_thumb.j

If you do so,it won't be the .torrent download,but instead it will add infront of the .torrent url:

"http://www.1clickdownloader.com/download/product_download.php?fileName=http://1337x.org/download/xxxxxx/"

and then starts to download some downloadersetup.exe on your machine.

On my VM,I didn't even open the file,and then Online Armor starts to give me the same alerts as you got.

If you must use that site,don't click on that area but instead click on "Torrent Download" (see picture below)

post-20025-0-41963000-1325887821_thumb.j

Link to comment
Share on other sites
Tunerz

Tunerz

Posted
  • Author
Posted

sorry to dissappointing you buddy but check twice or thrice of your device driver back up before backing up, becoz nowadays nasties can infect the pc any way thsy want so check it before back up thats it bye bye bye :P

I just backed up driver installers, to ensure their integrity.

207.46.170.123 youporn.com #points to microsoft.com

:D:D

I'll probably add more sites, so I can surprise porn surfers on me lappy being redirected to Microsoft.

I checked the site, and gotta say.. pretty f*n lame behaviour of an torrent site to plant some malware on their site.

You obviously have mistakenly clicked here:

post-20025-0-92540900-1325887565_thumb.j

If you do so,it won't be the .torrent download,but instead it will add infront of the .torrent url:

"http://www.1clickdownloader.com/download/product_download.php?fileName=http://1337x.org/download/xxxxxx/"

and then starts to download some downloadersetup.exe on your machine.

On my VM,I didn't even open the file,and then Online Armor starts to give me the same alerts as you got.

If you must use that site,don't click on that area but instead click on "Torrent Download" (see picture below)

post-20025-0-41963000-1325887821_thumb.j

I'll probably blacklist the site, and do the steps on a VM environment. I'm quite happy you managed to replicate to situation and find the solution. :)

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...