How to tell if something is stealing a password

Srs2388
I downloaded something that takes the login on this game... and auto deposits the money you make..
it isn't cheating though.. just keeping your money..
but off that subject...
I'm suspicious that it could steal my password.
How can I tell what the program is doing?
How can I tell if it's stealing a password?
Srs2388
I scanned it and it didn't detect anything but password stealers are hard to find..
what about packet sniffing?
How do I do that?
Arnie
Wireshark, formerly Ethereal

But if you already used it, why still check? You'll find out the hard way.
MrBlueSky
Arnie wrote:
Wireshark, formerly Ethereal


Indeed. Although if you don't find it sending anything, you can't be sure you are safe. Maybe it only sends periodically, or saves the password to a file to send it later.

Anyway, change your password.
Srs2388
I used it... then changed my password
Srs2388
I got it to work.. but there are so many things there it would be like a million characters..
Can I make it focus on one program?


Here is the .pcap file.. I have no clue what I'm looking at here

http://www.megaupload.com/?d=79G98E8I
MrBlueSky
There is only traffic to the following hosts in that file:

Code:

HOST: py-in-f101.google.com
DATA SEND: "POST /safebrow9,921,924,926,2640-2644,26474222-4224,42264913,4917-49182002-2009,2011082,13085,13085,15310,15316,16429-16438,1617586-17595,17135-19148,19157495,7503,7509516-8517,8522-238,10242-10246-11117,11121,5,11808-11809,12797-12798,12530,13532,1353160,14162,14166-15035,15038-15709,15712-1516372,16374-16"
REPLY: "HTTP/1.1 200 O"

HOST: 216.178.38.52
DATA SEND: "GET /proxy/relIcmSRtTKMu67ZZ"
REPLY: "HTTP/1.1 200 O"

HOST: 216.178.32.25
DATA SEND: "GET http://secdUQ9r3tfQCc9pN"
REPLY: "HTTP/1.1 200 Ojournals blogg { font-size:1age = 'none';
ght)/2)+"px";t type="text" v<li><a href="h"http://messagdex.cfm?fuseacom/">CelebrityMENT" id="__EV=2f236709-0f9e</A> | <A clasclass=\"text\""

HOST: ns1.meetlocal.com
DATA SEND: "GET /update.ph"
REPLY: "HTTP/1.1 200 O"

HOST: 74.125.12.34
DATA SEND: GET /safebrows
REPLY: HTTP/1.1 200 O.b.......,....
DATA SEND: "GET /safebrows
REPLY: HTTP/1.1 200 O
DATA SEND: "GET /safebrows
REPLY: HTTP/1.1 200 O

216.178.38.133
DATA SEND: "GET /index.cfmwD8luGTUCdhZuY"
REPLY: "HTTP/1.1 200 Oor has occurree" />
<scriptinline}
   
l.AddEvent(winist" onmouseovmall></a></li>pace.com/indexction=bulletinli><li><a href="text/javascrt"></script>
;"></div>
...\"" + uHref + float: left;  id="lastLogin""viewSmall">&#/ul>

...
.="16" src="htt                            </div>    .
 (l = 0; l < 4; = "js";
var gssName.replacer_ctl00_friend99888365&MyTok0_cpMain_Movea_ctl06_friendIom/images01/25""></a><br>
......</div>
.4_OLNClient_On.cfm?fuseactioeOpen opaque" MySpace.UI && d>
...       eContainer_ctlontainer_ctl01d4046bf-493b-4js"></script>
MoveableContai>
...        -493b-44ac-b79mafia</a></td>        <td st..            javascript">
              an>           /a></span>
...com/index.cfmpacer.gif" rowt=_blank><U>Co. All Rights R"><A id=Link h\" border=0><BT: left; VERTIe alt=\"\" src"

216.178.38.129
DATA SEND: "GET / HTTP/1.1"
REPLY: "HTTP/1.1 200 O<!DOCTYPE htmlMySpace = {};
       
...}iv.artistRank ist li a img { {"UserId":-1,ION: NONE" oncySpace</a></liggle('0',true), 'scale');
m,"http://www.mading" button  .....
      ="hidden" id="....<p>
     ctTab('blogs')8" title="Akon.cfm?fuseactioss="artistRank9f7b74c42e4bd.t/javascript">e.ClientContex:68%"><div></dtion=vids.indi2Handler() { slick="fader('0i].line1 + '</             <U></A> | <A cl" class=\"textarts", new Arr"

No data send to the following hosts:
yw-in-f127.google.com
ALL-SYSTEMS.MCAST.NET
239.255.255.250
224.0.0.251




Nothing looks suspicious. My guess is you are behind a netfilter and you use a proxy to bypass it. I assume you had your browser open during the capture?
(The last character is missing in each request and reply. I don't know why, maybe because you took the capture on windows and I am looking at it on Linux)
Arnie
Found any interesting other traffic in that file, MrBlueSky? ;)
MrBlueSky
Arnie wrote:
Found any interesting other traffic in that file, MrBlueSky? ;)


Just some credit card numbers. ;)
Srs2388
holy shit!
You found credit card numbers on what I sent?
please don't use them... please please.

EDIT: did you really find them though? my credit card?
ocalhoun
Srs2388 wrote:
I downloaded something that takes the login on this game... and auto deposits the money you make..
it isn't cheating though.. just keeping your money..
but off that subject...
I'm suspicious that it could steal my password.
How can I tell what the program is doing?
How can I tell if it's stealing a password?


Using a packet sniffer and looking through the data to try and find your password is one way. This will tell you if it is sending it over the network unencrypted, which leaves it vulnerable to being stolen.

Also, you could try a good anti-spyware/anti-malware scanner. If the login utility you downloaded is a known security threat, they should pick it up and tell you about it.
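The check ocalhoun describes (search the captured data for your own password) and the per-host "DATA SEND" listing MrBlueSky produced are both easy to script. The following is an added example, not code posted by anyone in this thread: it parses a classic pcap with nothing but the standard library, groups TCP payloads by destination host, and looks for a known secret in plain, base64, hex and URL-encoded form. The capture, the hosts 192.0.2.10 / 198.51.100.7 / 203.0.113.9, the password "Corr3ct Horse!" and the function names are all constructed for the example; on a real file replace `sample_capture()` with `open("capture.pcap", "rb").read()`.

```python
"""Scan a pcap for a known secret and summarize what went to which host."""
import base64
import binascii
import struct
from urllib.parse import quote

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
SECRET = "Corr3ct Horse!"  # constructed example password, not a real one


def _frame(src, dst, sport, dport, payload: bytes) -> bytes:
    """Build an Ethernet/IPv4/TCP frame (constructed; checksums left zero, the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


def _pcap(frames) -> bytes:
    """Wrap frames in a little-endian classic pcap (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def sample_capture() -> bytes:
    """Constructed traffic: one plaintext leak, one base64 leak, one harmless update check."""
    me, game, other = "192.0.2.10", "198.51.100.7", "203.0.113.9"
    return _pcap([
        _frame(me, game, 51000, 80, b'POST /login HTTP/1.1\r\nHost: game.example\r\n\r\n'
               b'{"user":"bob","pw":"' + SECRET.encode() + b'"}'),
        _frame(game, me, 80, 51000, b"HTTP/1.1 200 OK\r\n\r\n"),
        _frame(me, other, 51001, 8080, b"GET /c?d=" + base64.b64encode(SECRET.encode()) + b" HTTP/1.1\r\n\r\n"),
        _frame(me, other, 51002, 80, b"GET /update.php HTTP/1.1\r\n\r\n"),
    ])


def iter_tcp_payloads(pcap: bytes):
    """Yield (src_ip, dst_ip, sport, dport, payload) for every TCP segment in a classic pcap."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        if ip[9] != IPPROTO_TCP:
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]  # drop Ethernet padding after the IP datagram
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[doff:]


def summarize_by_host(pcap: bytes) -> dict:
    """Per destination host: packet count, payload bytes and the first bytes sent (like the listing above)."""
    hosts = {}
    for _, dst, _, _, payload in iter_tcp_payloads(pcap):
        h = hosts.setdefault(dst, {"packets": 0, "bytes": 0, "first_payload": b""})
        h["packets"] += 1
        h["bytes"] += len(payload)
        if not h["first_payload"] and payload:
            h["first_payload"] = payload[:16]
    return hosts


def secret_forms(secret: str) -> dict:
    """Encodings a sloppy exfiltrator might use; forms identical to the plain bytes are dropped."""
    raw = secret.encode()
    forms = {"plain": raw, "base64": base64.b64encode(raw), "hex": binascii.hexlify(raw),
             "hex_upper": binascii.hexlify(raw).upper(), "urlencoded": quote(secret, safe="").encode()}
    return {k: v for k, v in forms.items() if k == "plain" or v != raw}


def find_secret(pcap: bytes, secret: str) -> list:
    """Sorted (dst_ip, dport, encoding) for every segment whose payload carries the secret."""
    forms = secret_forms(secret)
    hits = set()
    for _, dst, _, dport, payload in iter_tcp_payloads(pcap):
        for name, needle in forms.items():
            if needle in payload:
                hits.add((dst, dport, name))
    return sorted(hits)


if __name__ == "__main__":
    cap = sample_capture()
    for host, info in summarize_by_host(cap).items():
        print(f"{host}: {info['packets']} pkts, {info['bytes']} bytes, first: {info['first_payload']!r}")
    for dst, port, enc in find_secret(cap, SECRET):
        print(f"secret sent to {dst}:{port} as {enc}")
```

Two caveats that follow from the thread. A pcap carries no process names, so "focus on one program" means narrowing by the hosts and ports that program talks to (the per-host summary is the starting point; Wireshark's `ip.addr == x.x.x.x` display filter does the same interactively). And, as MrBlueSky said, a clean capture proves little: the secret may be sent later, sent over TLS where this search cannot see it, or split across two segments, which this per-segment search would miss (Wireshark's Follow TCP Stream reassembles the flow first).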
MrBlueSky
Srs2388 wrote:
holy shit!
You found credit card numbers on what I sent?
please don't use them... please please.

EDIT: did you really find them though? my credit card?


No no, I was just kidding. There was nothing personal in your file. I'm sorry, I didn't want to scare you. :oops:
Arnie
We were just trying to point out that it's generally not a good idea to put your PCAP file up for public download, unless you're sure there are no passwords or other sensitive data inside. (Sorry for the late post but I felt this was worth stressing.)
Da Rossa
You should use a packet sniffer. I'm not familiar with them, they're quite obscure, but not too difficult. Also, some keyloggers tend to slow down the typing process and not to recognize some characters. For example: if you press ~ it might convert to ΄ on the fly. Not a general rule, just a testimony.
Arnie
Had you read the thread above, you would probably have noticed that MrBlueSky and I analysed his sniffed packets file.
Da Rossa
Arnie wrote:
Had you read the thread above, you would probably have noticed that MrBlueSky and I analysed his sniffed packets file.


No, I only read the initial post...
Subaru
Two ways for this:
1) Spying packets up/down on the internet at your home (what it is sending and downloading)
2) Go through the whole program to find what it is doing :lol: hard one but still possible

You can also try running it in offline mode; maybe it will give you some errors that it couldn't connect or something 8)
© 2005-2011 Frihost, forums powered by phpBB.