BEEN HACKED!

bfour

Senior member
Oct 10, 1999
The wife's computer got hacked this afternoon; it started acting real flaky when I called and told her to do the daily flush. After 2 hours of work, I found this INI file:

[parameters]
id=bymer@ukrpost.net

[misc]
project-priority=OGR,RC5:0,CSC:0,DES:0

[rc5]
fetch-workunit-threshold=64

[ogr]
fetch-workunit-threshold=16

[triggers]
restart-on-config-file-change=yes

On a bigger note, we DO NOT do OGR, only RC5; plus it is all on the network, so normally only a shortcut is on the machine! Can we send this to DNET?

 

bfour

Senior member
Oct 10, 1999
He has done more damage to the system than just that: disabled most of the software (Office 2k, Norton 2k, QuickBooks...). The system will not even come up on the network, and I cannot take the changes out of Windows, so it looks like I'll have to dump it and reload it all AGAIN!
 

Ken g6

Programming Moderator, Elite Member
Moderator
Dec 11, 1999
Try Bovine's WormFree. If that doesn't do the entire trick, D.Net probably doesn't know about this variant, and you probably should inform them (Edit: Bovine seems to be in charge of this problem.)

See also Shields Up! to help prevent this from happening again.

Edit: secure link. :eek:
 

RaySun2Be

Lifer
Oct 10, 1999
Bummer about being hacked. :|

Any idea how the PC got infected? Was it an email attachment, a website, etc.?

Knowing what it uses as the "Trojan horse", we can spread the word to watch out for it.

 

bfour

Senior member
Oct 10, 1999
Looks like he came in through file and print sharing (NetBIOS), a straight hack, but I need file and print sharing on the network, so I will have to put ZoneAlarm back on all the machines.
 

bfour

Senior member
Oct 10, 1999
We also lost her motherboard and processor, Abit KA7 and Athlon 950! Not been a real good week!
 

Joe O

Senior member
Oct 11, 1999
Zone Alarm is a good idea.
How is your network connected to the internet? If there is a single point of connection, disable (unbind) NetBIOS on that adapter (modem/NIC). You can leave it bound on the adapters that correspond to your internal network. Put non-obvious share passwords on in any case. Yes, it's "more convenient" to not use passwords, but very dangerous.
 

bfour

Senior member
Oct 10, 1999
Only 2 machines connect to the net, mine and hers; the server is on the network, but not very easily found, even as a PDC!
 

JonB

Platinum Member
Oct 10, 1999
www.granburychristmaslights.com
Anyone have an idea what IP address this bymer@ukrpost.net dude hacks in on? I've got ZoneAlarm and it logs attempts to connect, so I'd like to see if he's tried me. My dnetc.ini file is still normal, and I don't have printer/file sharing on for TCP/IP on the modem, so it would be tough.

Any hints what I should look for in the ZoneAlarm log file?

[edit]

OK, I've imported the log file into Excel, converted it and sorted it. Wow. There are some persistent SOBs out there who try port after port after port. So far, none of them will return a DNS entry when I "ping -a" them.

Here's one that tried 200 times in the last month.

216.167.25.145 He is now officially on my sh*t list.
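The same triage JonB describes (import the firewall log, count attempts per source, pick out the hosts that walk port after port) done as a script. This is an added example, not code from the thread or from ZoneAlarm: the log format is assumed to follow the ZoneAlarm CSV export (direction, date, time with zone, source:port, destination:port, protocol), and the addresses and timestamps in the sample are constructed. It separates a host that merely retries one port many times from a host that sweeps many distinct ports inside a short window.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not from the thread). Format assumed to follow the
# ZoneAlarm CSV export: direction,date,time+zone,src:port,dst:port,protocol.
# 10.0.0.5 sweeps six ports in a few seconds; 198.51.100.7 probes once.
SAMPLE_LOG = """\
FWIN,2000/11/01,21:14:02 -6:00 GMT,10.0.0.5:2211,192.0.2.10:21,TCP (flags:S)
FWIN,2000/11/01,21:14:02 -6:00 GMT,10.0.0.5:2212,192.0.2.10:23,TCP (flags:S)
FWIN,2000/11/01,21:14:03 -6:00 GMT,10.0.0.5:2213,192.0.2.10:25,TCP (flags:S)
FWIN,2000/11/01,21:14:03 -6:00 GMT,10.0.0.5:2214,192.0.2.10:80,TCP (flags:S)
FWIN,2000/11/01,21:14:04 -6:00 GMT,10.0.0.5:2215,192.0.2.10:139,TCP (flags:S)
FWIN,2000/11/01,21:14:05 -6:00 GMT,10.0.0.5:2216,192.0.2.10:445,TCP (flags:S)
FWIN,2000/11/01,22:30:11 -6:00 GMT,198.51.100.7:1025,192.0.2.10:139,TCP (flags:S)
"""


def parse_log(text):
    """Turn log lines into records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) < 6 or fields[0] not in ("FWIN", "FWOUT"):
            continue
        direction, date, time_field, src, dst, proto = fields[:6]
        clock = time_field.split()[0]          # drop the "-6:00 GMT" suffix
        ts = datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S")
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        records.append({
            "direction": direction, "ts": ts, "proto": proto.split()[0],
            "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
        })
    return records


def attempts_per_source(records):
    """Inbound attempts per source address: the 'tried 200 times' number."""
    return Counter(r["src_ip"] for r in records if r["direction"] == "FWIN")


def find_port_sweeps(records, min_ports=5, window_seconds=60):
    """Sources that hit at least min_ports distinct ports within one window.

    Sliding window over each source's time-sorted attempts; a host retrying a
    single port never qualifies, however many times it tries.
    """
    by_src = defaultdict(list)
    for r in records:
        if r["direction"] == "FWIN":
            by_src[r["src_ip"]].append(r)
    sweeps = []
    for src_ip, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        in_window = Counter()      # dst_port -> hits currently inside the window
        best, lo = 0, 0
        for r in recs:
            in_window[r["dst_port"]] += 1
            # Slide the window start forward until it spans <= window_seconds.
            while (r["ts"] - recs[lo]["ts"]).total_seconds() > window_seconds:
                old = recs[lo]["dst_port"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            best = max(best, len(in_window))
        if best >= min_ports:
            sweeps.append({"src_ip": src_ip, "distinct_ports": best,
                           "first": recs[0]["ts"], "last": recs[-1]["ts"]})
    sweeps.sort(key=lambda s: s["distinct_ports"], reverse=True)
    return sweeps


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, n in attempts_per_source(recs).most_common():
        print(f"{ip:16} {n} attempts")
    for s in find_port_sweeps(recs):
        print(f"sweep from {s['src_ip']}: {s['distinct_ports']} ports "
              f"between {s['first']} and {s['last']}")
```

Run it against a real export by reading the file into `parse_log` instead of `SAMPLE_LOG`; the window size and port threshold are the knobs that decide what counts as a sweep rather than a few stray probes.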
 

ElFenix

Elite Member
Super Moderator
Mar 20, 2000
jonB, could be your isp's own automated security script. i know that roadrunner had one when i was on there. most attempts aren't malicious, just random pings. i do know this one guy who gets his kicks by guessing IPs on the local roadrunner net, finding people's comps that give anyone read/write access, and then "playing" with their files, usually just putting a txt file on the desktop entitled "your computer is completely wide open you fvcking moron!"
 

Lord Demios

Senior member
Oct 11, 1999
Ok, this is a little trick that I'm sharing because it's cool, and as an ISP admin, we recommend it. :)

If you are getting constant port scans or problems from a single IP, or a Subnet, then try this trick.

In Linux, set up a route rule that takes all traffic from the IP of the offender, then tell your machine to forward all of that traffic to 127.0.0.1.

For those of you not familiar with what this does: every machine that has a network interface should have a localhost IP. This is ALWAYS 127.0.0.1 (note: when I say always, I mean that it's rare to find an exception, but don't get mad if there is one). Anyway, if you ping the IP 127.0.0.1 it will ping your local machine. What this route command does is say: OK, all traffic from this person's IP, redirect it to 127.0.0.1. On the offender's end, his machine tries your IP (finds a hole?) and then starts trying to hack it. Meanwhile, your machine is just resending everything he does back to his own machine.

This works on portscans, file sharing hacks, and pretty much ANY TCP/IP traffic.

Nothing is more fun than watching a Dum Bass screw up his own machine because your firewall redirected his attack back at him.

Just a little trick.

LD
 

JonB

Platinum Member
Oct 10, 1999
www.granburychristmaslights.com
ElFenix, it isn't my ISP. Wrong subnet. The pings I get from my ISP (I looked) are all listed as DNS checks. According to ZoneAlarm, that is a common practice for an ISP.

What gets me is the IP addresses that run down a whole series of ports, two or three per second, for several minutes. One of them was a Guitar-related website that my son had visited.

It doesn't seem like anybody is getting past my firewall (yet), so I'm not too paranoid, but they are out there.
 

ElFenix

Elite Member
Super Moderator
Mar 20, 2000
gotta wonder why a guitar website is sniffing ports... glad i'm behind a firewall. sure, it's just the linksys one, but it's hardware. heh, i should put my roomie's old hardware firewall in between it and the modem, then put a zonealarm on my comp, 3 layers of security here i come! =)
 

1KrazyFool

Senior member
Oct 10, 1999
<< Use a non-routable protocol for sharing, like IPX/SPX. >>

IPX/SPX is routable. NetBEUI is not.

You can always unbind File sharing from the internet NIC and leave it bound to the private network NIC. This would cure those problems. That's if you have a private network.
 

Darkone

Senior member
Feb 26, 2000
You might find you were "infected" rather than "hacked".

See below from the Trend AntiVirus site ( www.antivirus.com )

TROJ_MSINIT.A (New Trojan reported in-the-wild)
------------------------------------------------------------------------
TROJ_MSINIT.A is a new Trojan, which was recently reported from
several customers around the world. Once executed, this Trojan modifies
the registry so that it is executed every time the system is started. It also
attempts to spread itself to other computers by scanning IP addresses over
NetBIOS. It searches for computers with a shared c:\ drive, which also contains
the "Windows" directory. On an infected system, TROJ_MSINIT.A runs the file "DNETC.EXE", an encryption-cracking program.
Additional information about TROJ_MSINIT.A (a.k.a. Win32.Trojan.Bymer) is available
on our website at:

http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_MSINIT.A
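A small check that ties the Trend description back to the dnetc.ini bfour posted at the top of the thread: parse the file and flag the indicators the thread itself identifies (the bymer@ukrpost.net id, a project priority that no longer matches what the owner runs, and a config that the client reloads on its own). This is an added example, not code from the thread, from Trend, or from distributed.net. The posted INI is the thread's own content; the clean file, the owner id owner@example.com and the reading of a ":0" suffix as "project disabled" are assumptions made here for illustration.

```python
import configparser

# Indicator taken from the hijacked dnetc.ini posted at the top of this thread.
KNOWN_BAD_IDS = {"bymer@ukrpost.net"}

# The INI exactly as posted in the thread.
HIJACKED_INI = """\
[parameters]
id=bymer@ukrpost.net

[misc]
project-priority=OGR,RC5:0,CSC:0,DES:0

[rc5]
fetch-workunit-threshold=64

[ogr]
fetch-workunit-threshold=16

[triggers]
restart-on-config-file-change=yes
"""

# Constructed clean file for an owner who only runs RC5 (assumed values).
CLEAN_INI = """\
[parameters]
id=owner@example.com

[misc]
project-priority=RC5

[triggers]
restart-on-config-file-change=no
"""


def enabled_projects(priority):
    """Projects left enabled by a project-priority line.

    Assumption: a ':0' suffix disables a project, which is how the posted line
    (OGR first, everything else :0) reads against "we only do RC5".
    """
    enabled = []
    for entry in priority.split(","):
        entry = entry.strip()
        if not entry:
            continue
        name, _, weight = entry.partition(":")
        if weight.strip() == "0":
            continue
        enabled.append(name.strip().upper())
    return enabled


def check_dnetc_ini(text, expected_id, expected_projects=("RC5",)):
    """Return a list of findings; an empty list means the file looks untouched."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []

    client_id = cp.get("parameters", "id", fallback="").strip().lower()
    if client_id in KNOWN_BAD_IDS:
        findings.append(f"id '{client_id}' matches a known hijack indicator")
    elif client_id != expected_id.strip().lower():
        findings.append(f"id '{client_id}' is not the owner's id '{expected_id}'")

    enabled = enabled_projects(cp.get("misc", "project-priority", fallback=""))
    expected = [p.upper() for p in expected_projects]
    if enabled and sorted(enabled) != sorted(expected):
        findings.append(f"enabled projects {enabled} differ from expected {expected}")

    restart = cp.get("triggers", "restart-on-config-file-change", fallback="no")
    if restart.strip().lower() == "yes":
        findings.append("restart-on-config-file-change=yes: a rewritten config "
                        "takes effect without anyone restarting the client")
    return findings


if __name__ == "__main__":
    for label, ini in (("posted file", HIJACKED_INI), ("clean file", CLEAN_INI)):
        findings = check_dnetc_ini(ini, "owner@example.com")
        print(f"{label}: {'clean' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Point `check_dnetc_ini` at the real file's contents and the owner's own id to run it over a machine that is only supposed to be doing RC5; any non-empty result is worth a look before the client is allowed to keep running.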
 

bfour

Senior member
Oct 10, 1999
It is not a VIRUS! I have been doing computers for 15 years and specialize in virus damage repair. It was, as I said, a hack: the "PERP" came in through file and print sharing, which was unfortunately bound to the dial-up adapter by default in Windows, and of course additional methods have been taken to limit this type of damage from happening again. We do not have the option of DSL, cable or even a frame relay connection; the telco will not give any lines up! Otherwise everything would be behind a firewall and come through our server!
 

Darkone

Senior member
Feb 26, 2000
OK, no need to get hyper. I merely pointed it out as the particular individual you outlined in your config file has been propagating the "Virus" under his ID. I say virus; I know technically it's a trojan that's wrongly labelled as a virus. My friend, I also have been in the "Security" world for a long time now, so please don't address me as if I was a luser next time. I was only trying to give some insight.

D

(removing his RC5 machines as we speak.. )