Rob
My system: Win2K, kept completely updated always. Running
NAV Corp ed 7.51 and an older version of ZoneAlarm [I don't
like the new version], on a peer to peer Win2K home
network behind a Linksys router on cable internet. I was
testing the firewall a few weeks ago. Ran tests with the
firewall down, and with the CPU in question in the DMZ of
the router, to compare results. Kid falls off swingset,
breaks leg, I run off and FORGOT to take the PC out of the
DMZ and turn on the firewall! It was this way for a few
weeks. In the second week, I get three viruses caught and
isolated by Norton, all three having in common that they
attempt to spread via network shares, so I suspect my
son's machine, but find nothing there. Then I observe one
morning independent mouse movement while I'm reading
email, 6am. Sure enough, Dameware mini remote is running,
plainly visible in the task tray. I disable the net card,
forcibly rip out the dameware [after looking to see when
it was installed]. I see I have dameware entries in the
system log only since last night at 2am or so. This
matches creation dates from the dameware directory and
mailer installed in system32. Also present is a stand-alone
SMTP mailer which has apparently been sending spam
using my computer - I can provide detail if needed - a
company from Germany advertising anti-spam software [in
German][ironic]. I Ad-Aware and virus check all 4
computers in the house completely with negative results,
change all usernames and pw's on all 4 computers on the
home network, reinstalled Norton AV on all computers,
checked for added users [none], re-installed ZoneAlarm
with reset config settings on all computers in the house.
I put the compromised machine back on the network, still
in the DMZ, with the firewall up. I'm getting tons of
hits from Germany on port 445. Hmmm. Took my system back
out of the DMZ. All seems to be normal with no hits on
the firewalls either in or out.
Questions:
1. How did they get in without tripping the anti-virus?
Is there still a trojan of some sort hiding in there?
2. Should I format my system? Why?
3. How concerned should I be about ID theft since they
owned my system, possibly for a week? I've been watching
all credit and bank accounts very closely, nothing
suspicious yet.
4. Repeat of No. 1: How the heck did they get in in the
first place?
Any good advice would be appreciated...
Sheepish MCSE...