Recovery from total hack

  • Thread starter: Rob

Rob

My system: Win2K, kept completely updated always. Running
NAV Corp ed 7.51 and an older version of Zonealarm [I don't
like the new version], on a peer to peer Win2K home
network behind a Linksys router on cable internet. I was
testing the firewall a few weeks ago. Ran tests with the
firewall down, and with the CPU in question in the DMZ of
the router, to compare results. Kid falls off swingset,
breaks leg, I run off and FORGOT to take the PC out of the
DMZ and turn on the firewall! It was this way for a few
weeks. In the second week, I get three viruses caught and
isolated by Norton, all three having in common that they
attempt to spread via network shares, so I suspect my
son's machine, but find nothing there. Then I observe one
morning independent mouse movement while I'm reading
email, 6am. Sure enough, Dameware mini remote is running,
plainly visible in the task tray. I disable the net card,
forcibly rip out the dameware [after looking to see when
it was installed]. I see I have dameware entries in the
system log only since last night at 2am or so. This
matches creation dates from the dameware directory and
mailer installed in system32. Also present is a stand-alone
SMTP mailer which has apparently been sending spam
using my computer - I can provide detail if needed - a
company from Germany advertising anti-spam software [in
German][ironic]. I ad-aware and virus check all 4
computers in the house completely with negative results,
change all usernames and pw's on all 4 computers on the
home network, reinstalled Norton AV on all computers,
checked for added users [none], re-installed zonealarm and
with reset config settings on all computers in the house.
I put the compromised machine back on the network, still
in the DMZ, with the firewall up. I'm getting tons of
hits from Germany on port 445. Hmmm. Took my system back
out of the DMZ. All seems to be normal with no hits on
the firewalls either in or out.
Questions:
1. How did they get in without tripping the anti-virus?
Is there still a trojan of some sort hiding in there?
2. Should I format my system? Why?
3. How concerned should I be about ID theft since they
owned my system, possibly for a week? I've been watching
all credit and bank accounts very closely, nothing
suspicious yet.
4. Repeat of No. 1: How the heck did they get in in the
first place?

Any good advice would be appreciated...

Sheepish MCSE...
 
Hi Rob,

Some answers and my views...

1) You said you saw Dameware in your PC. I guess they guessed one of your
passwords and installed it. If they had your admin password then they could
also stop your antivirus... Dameware is a legit program (and a very nice one
:-) ...) so antivirus didn't react to it either.

2) I wouldn't :-), but I like challenges :-). Seriously I think you have
done everything you could to clean out your PCs. If you are serious about
format then you would have to format all 4 PCs at the same time. None of
them should be up while you format the other or you have done nothing. If
you are afraid that you still have something on your PC that hackers might
have left and you format one PC at a time, your now clean PC would get
infected from the other three that are not yet formatted :-)
What I would do is make really sure I change ALL the passwords on all the
users. If possible change the usernames as well and turn on logging. The
second thing I would do is recheck what kind of traffic is allowed to the
internet. I would close down everything that is not necessary. (Do you allow
TFTP out on the internet from your PC? Why? Do you need it?) :-) ... Close
down all ports that you don't need. Monitor outgoing traffic.
Check your guest accounts. They should be disabled. Check if IIS and FTP are
running; they shouldn't be...

3. Hard to tell. Keep an eye on your bank accounts.
4. Look at #1

--
Mike
MCSA 2K, MCSE 2K, MCT, ...

 
Thanks for the advice!
I have changed all users, all passwords, reinstalled
Norton and the firewalls, and made sure the firewalls had
new settings, i.e. no 'remembered' programs from the previous
installation.
BTW, the admin pw on all machines was very weak, guess I
need to practice at home what I preach at work.
I guess what I'm worried about is that some executable
they left is phoning home thru the firewall [think...
keystroke logger] using an allowed program, such as the
services and controller app. I think I'll put everything
on watch for a bit, pain in the butt, but I can see
when/why/where they are trying to communicate with that
way.
 
Hi Rob,

Personally I like to create a new user, give him a user name e.g. "Jack" with
full admin permissions and then disable the Administrator account. This will
prevent anyone from knowing in advance who my admin is. It is not much but it
is something. Then you can monitor failed logon attempts and see if anyone
is trying to use the Administrator account.
Well of course passwords should be strong :-) ...

Often on my PCs my user account is the only admin (Not on servers! On my
desktops, laptops, etc...). I know this can be "dangerous" but I export my
EFS keys and store them in a safe location. Anything else is a matter of
taking ownership of files in the worst-case scenario... I guess I could lose one
day's work by having to reinstall my laptop ... :-)

About phoning home. That's the reason why I am telling you to check and
close unnecessary outgoing connections. Allow only outbound to mail
services, DNS, web, and other services that you _need_. Deny everything
else...

Mike
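
As an added example (not from this thread, and not code from either poster), the script below does the two log reviews Mike recommends across his replies: it flags allowed outbound connections that fall outside a short allowlist of needed services (mail, DNS, web), counts inbound probes on the SMB ports Rob saw hammered, and reports failed logons against the disabled built-in Administrator account so that a renamed admin ("Jack") can be watched for brute forcing. The log lines, their column layout, the addresses and the account name are all constructed for the demo; the only assumption about a real format is the Windows 2000-era event ID 529 for a failed logon.

```python
"""Post-incident log review: outbound allowlist, inbound probes, failed logons.

Added example. The firewall and logon log layouts below are constructed for
this demo and are NOT ZoneAlarm's or the Windows 2000 Security log format.
"""
import re
from collections import Counter

# Outbound services the host is allowed to reach; everything else is suspect.
ALLOWED_OUTBOUND_PORTS = {25, 53, 80, 443}   # SMTP, DNS, HTTP, HTTPS
# Inbound ports to treat as probes (SMB/CIFS and NetBIOS session).
WATCHED_INBOUND_PORTS = {139, 445}
# Assumption: Windows 2000/2003 "Logon Failure: unknown user name or bad password".
LOGON_FAILURE_EVENT = 529

# Constructed firewall log: direction, src, dst, proto, port, action.
FIREWALL_LOG = """\
IN  203.0.113.5  192.168.1.10  TCP 445  DROP
IN  203.0.113.5  192.168.1.10  TCP 445  DROP
IN  198.51.100.7 192.168.1.10  TCP 445  DROP
OUT 192.168.1.10 198.51.100.22 TCP 25   ALLOW
OUT 192.168.1.10 192.0.2.53    UDP 53   ALLOW
OUT 192.168.1.10 203.0.113.9   UDP 69   ALLOW
OUT 192.168.1.10 203.0.113.9   TCP 6667 ALLOW
OUT 192.168.1.10 192.0.2.80    TCP 443  ALLOW
"""

# Constructed logon log: date, time, event id, account, source address.
LOGON_LOG = """\
2003-06-01 02:03:11 529 Administrator 203.0.113.5
2003-06-01 02:03:14 529 Administrator 203.0.113.5
2003-06-01 02:03:17 529 Administrator 203.0.113.5
2003-06-01 07:10:02 528 Jack 192.168.1.11
2003-06-01 07:15:40 529 Jack 192.168.1.11
"""

FW_LINE = re.compile(
    r"^(?P<dir>IN|OUT)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<port>\d+)\s+(?P<action>ALLOW|DROP)$"
)
LOGON_LINE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<event>\d+)\s+(?P<user>\S+)\s+(?P<src>\S+)$"
)


def parse_firewall_log(text):
    """Turn the constructed firewall log into a list of dicts; skip odd lines."""
    records = []
    for line in text.splitlines():
        m = FW_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        records.append(rec)
    return records


def inbound_probes(records):
    """Count inbound hits on watched ports, keyed by (source IP, port)."""
    hits = Counter()
    for r in records:
        if r["dir"] == "IN" and r["port"] in WATCHED_INBOUND_PORTS:
            hits[(r["src"], r["port"])] += 1
    return hits


def outbound_violations(records):
    """Outbound connections the firewall ALLOWED but the allowlist would not.

    These are the 'phoning home' candidates: TFTP (69) and IRC (6667) here.
    """
    return [
        (r["dst"], r["proto"], r["port"])
        for r in records
        if r["dir"] == "OUT" and r["action"] == "ALLOW"
        and r["port"] not in ALLOWED_OUTBOUND_PORTS
    ]


def failed_logon_report(text, decoy_account="Administrator", threshold=3):
    """Summarise failed logons.

    decoy_sources: addresses that tried the disabled Administrator account
                   (nobody legitimate should, so any hit is worth a look).
    brute_force:   (account, source) pairs at or above `threshold` failures.
    """
    failures = Counter()
    for line in text.splitlines():
        m = LOGON_LINE.match(line.strip())
        if not m or int(m.group("event")) != LOGON_FAILURE_EVENT:
            continue
        failures[(m.group("user"), m.group("src"))] += 1
    decoy_sources = sorted({src for (user, src) in failures
                            if user.lower() == decoy_account.lower()})
    brute_force = sorted(k for k, n in failures.items() if n >= threshold)
    return {"decoy_sources": decoy_sources, "brute_force": brute_force}


if __name__ == "__main__":
    recs = parse_firewall_log(FIREWALL_LOG)
    print("inbound probes:", dict(inbound_probes(recs)))
    print("outbound outside allowlist:", outbound_violations(recs))
    print("failed logons:", failed_logon_report(LOGON_LOG))
```

The allowlist is deliberately tiny: if a service is not in `ALLOWED_OUTBOUND_PORTS`, an allowed outbound connection to it is reported, which is the "deny everything else" posture Mike describes expressed as a review rule rather than a firewall policy. The decoy check only works once the real admin account has been renamed and the built-in Administrator disabled, as in Mike's setup; before that, failures against Administrator are just noise.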

 
Rob said:
Questions:
1. How did they get in without tripping the anti-virus?

It wasn't a virus.
Is there still a trojan of some sort hiding in there?

How should we know? How would you know?
2. Should I format my system? Why?

Yes. Because you had to ask the question above.
3. How concerned should I be about ID theft since they
owned my system, possibly for a week? I've been watching
all credit and bank accounts very closely, nothing
suspicious yet.

Probably unlikely. You should always be concerned, but that probably
wasn't what they were after.
4. Repeat of No. 1: How the heck did they get in in the
first place?

Repeat of answer 1: How should we know? Maybe a trojan delivered in
an email, or an embedded link you launched unwittingly. Without
firewall logs, as well as auditing logs from your system, it's tough
to tell much further. If you'd like us to perform a forensic
analysis, just post your credit card info... :)
Any good advice would be appreciated...

Wipe. Reinstall. Pay better attention to security this time around.
Sheepish MCSE...

Most good security admins got that way by figuring out how to fix the
security they screwed up. Welcome to the first step. :)

Jeff
 