Re: Windows 98 box is 'owned'
From: Ansgar -59cobalt- Wiechers (bugtraq_at_planetcobalt.net)
Date: 10/01/04
- Previous message: Leong Kok Wah Kenneth: "RE: Hard Drive data security"
- Maybe in reply to: Darren Kirby: "Re: Windows 98 box is 'owned'"
- Next in thread: GuidoZ: "Re: Windows 98 box is 'owned'"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 1 Oct 2004 02:03:52 +0200
To: security-basics@securityfocus.com
On 2004-09-29 Darren Kirby wrote:
> Anyway, I found a directory right in C: named 'Downloads', and inside
> were about 50 or so files, which were all warez, porn, windows
> exploits and cracker 'howto's. Quite obviously this computer is owned,
> and is being used as a warez server. I deleted the files, booted win,
> but they reappeared after about 10 minutes. The strange thing is that
> these files are ALL 29k, and all have filenames like:
>
> Adobe Photoshop crack.exe
> Smashing the Stack.txt.exe
> Eminem - full album.mp3.exe
> Office 2003 full.exe
Probably some sort of virus.
> ...
> On further inspection I found an identical directory at
> C:/windows/Downloaded Program Files/. God only knows how many trojans
> and other nasties are sprinkled around...
[...]
> Seems that a complete OS reinstall is in order,
Definitely yes.
> but it seems to me that if they can own her box once they can own it
> again just as easy, which leads me to this list...I would like to try
> some investigating, and try to figure out where the backdoor is, what
> exactly they are doing...
First you should take an image of the system (just in case).
Is file and printer sharing installed and bound to the dialup-adapter?
That is one route the infection may have happened. Another possible
route is using IE/OE for web/mail. However, since Windows 98 doesn't
produce many logs, identifying the malware may be the most promising
approach.
I would say a live analysis should be sufficient in your case. Use some
sort of process viewer (like PrcView [1] or Process Explorer [2]) to
find out what processes are currently running. The Task Manager won't
suffice. Since you're familiar with Linux, the UnxUtils [3] may be
useful as well.
Use netstat or TCPView [4] to find out if there are unusual open ports.
Use Silent Runners [5] or Sysinternals' autoruns [6] to take a look at
what software is started automatically and from where. Feed those files
to a virus scanner with most recent signatures. The scan should *not* be
run from the live system. Rather copy the files to another box and scan
them on that box.
Running strings [7] against the files may give some additional pointers.
HTH
[1] http://www.teamcti.com/pview/prcview.htm
[2] http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
[3] http://unxutils.sf.net/
[4] http://www.sysinternals.com/ntw2k/source/tcpview.shtml
[5] http://www.silentrunners.org/
[6] http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml
[7] http://www.sysinternals.com/ntw2k/source/misc.shtml#strings
Regards
Ansgar Wiechers
--
"Those who would give up liberty for a little temporary safety deserve neither liberty nor safety, and will lose both." --Benjamin Franklin
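The off-box part of the procedure above (copy the suspicious files to a clean machine, cluster them, look at their strings) can be scripted. The following is an added example, not code from the post or from any of the tools it references. It assumes a clean Linux/Unix host with only POSIX utilities (cksum, tr, grep, find), so it needs neither the Sysinternals strings tool nor a particular scanner. The sample directory is constructed here: the file names are the ones from the post, the contents are made up. cksum is used only to spot identical files (the poster's "all 29k" observation), not as a cryptographic hash, and printable_runs is a portable stand-in for strings(1).

```shell
#!/bin/sh
# Offline triage of files copied off a compromised Windows 98 box.
# Run on a clean host, never on the infected system. (Added example.)

# Constructed sample input: names from the post, contents made up.
# Four identical "droppers" plus one harmless text file.
make_sample() {
    d=$(mktemp -d)
    body='MZ\001\002\003 constructed dropper body \004\005 http://warez.invalid/get.exe NICK w4r3z JOIN #warez'
    for n in 'Adobe Photoshop crack.exe' 'Smashing the Stack.txt.exe' \
             'Eminem - full album.mp3.exe' 'Office 2003 full.exe'; do
        printf "$body\n" > "$d/$n"
    done
    printf 'harmless text file, different content\n' > "$d/readme.txt"
    printf '%s\n' "$d"
}

# Files whose name carries a second extension before an executable one
# (e.g. "foo.txt.exe"), the classic lure seen in the post.
double_ext() {
    find "$1" -type f \( -name '*.*.exe' -o -name '*.*.scr' \
        -o -name '*.*.pif' -o -name '*.*.com' -o -name '*.*.bat' \)
}

# Cluster files by (CRC, size): one line per distinct content,
# prefixed with how many files share it, largest cluster first.
hash_clusters() {
    cksum "$1"/* | awk '{print $1, $2}' | sort | uniq -c | sort -rn
}

# Poor man's strings(1): runs of 6+ printable characters.
printable_runs() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{6,}$'
}

report() {
    dir=$1
    echo "== double extensions =="
    double_ext "$dir"
    echo "== identical files (count, cksum, size) =="
    hash_clusters "$dir"
    echo "== indicator strings (URLs, IRC verbs, dropped executables) =="
    for f in "$dir"/*; do
        hits=$(printable_runs "$f" | grep -iE 'http://|NICK |JOIN #|\.exe' || :)
        [ -n "$hits" ] && printf '%s:\n%s\n' "$f" "$hits"
    done
    return 0
}

# Usage: triage.sh /path/to/copied/files   (no argument: built-in sample)
if [ "${1:-}" ]; then
    report "$1"
else
    report "$(make_sample)"
fi
```

The hash clustering is what answers the poster's "all 29k" question: a directory of files with the same size and the same checksum is one dropper under many lure names, not fifty different programs. The string hits (a download URL, IRC NICK/JOIN) are the kind of pointers worth feeding back into the process and port inspection on the live box.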