Re: XP PRO Hack Attack--How?

"anders" <andersajja@xxxxxxxxxxx> wrote in message
news:fjmaiq$baj$1@xxxxxxxxxxxxxxxxxxxx
On Tue, 11 Dec 2007 09:25:35 -0500, RD wrote:

This is probably not the correct newsgroup, but I'll take a chance.

It is.

I left one of my computers in the DMZ the other day accidentally.

Accidentally..? Hm... You played along a little, didn't you? ;-)

I use a Linksys router connected to a cable modem. The Linksys is set up
for home use, and has 3 computers and a printer connected to it. Somehow, a
hacker disabled my AntiVir AV software on the PC that was in the DMZ,
set up a rule in Zone Alarm to allow rogue lsass.exe and svchost.exe
programs full access to everything, created a folder called C:\RECYCLED,
and ran a script to set up Serv-U FTP Server listening on ports 444 and
43958. There is an entry in the Serv-U ini file called
[USER=wonderland|1]. I had just happened to waltz into the computer room
and saw a DOS box executing scripts and thought, 'that can't be right'.
So I immediately unplugged the PC from the network and started doing
some digging. The above is what I found. My question is, how in the
world did someone find me on the Internet and get all that accomplished?

I don't believe there was a physical human behind the attack; most
certainly it was a program doing what was necessary to get your PC
into some sort of botnet (spam is probably the game here).

After backing up my hard drive to an image file and later scrubbing the
suspected Trojan, I took the RECYCLED folder from my backed up image and
copied it to a VMWARE image to see what it did, and to see if the hacker
would come back. I put the VMWARE machine's IP address in the DMZ. The
virus program ran a setup batch file, then an info program that somehow
scanned the local hard drives on the host PC and reported their size and
free space in a text file in C:\RECYCLED on the VMWARE machine. That
concerned me as the VMWARE machine was bridging into my actual PC. So,
not knowing what I was doing, I shut it all down, deleted the VMWARE
image, and disabled the DMZ and all port forwarding on my router. I
don't have any of my hard drives shared, other than the Admin shares XP
creates which I know little about and really don't understand how to get
rid of. There are only two user accounts, both have administrator rights
and unique passwords. The guest account is disabled. I would like to
hear explanations on how all that stuff happened, and with the router
back in action, whether or not anyone thinks it can happen again.
Thanks!

RD

Yes, it can happen again. Don't put a machine in the DMZ without a
proper firewall that can lock that machine down to a minimum of services,
and don't run anything but whatever you absolutely need on a machine in
the DMZ zone.
My advice is that you flatten and rebuild that machine before you put it
on your LAN again.

/Anders

A little more digging reveals that the software that was placed on the
machine was indeed an FTP server. The lsass.exe and svchost.exe were renamed
program files for Serv-U. Apparently, ZA doesn't check file integrity in its
automatic rule setup, just the filename? At any rate, the Trojan
(BDS/Iroffer.13b9.1 [BDS/Iroffer.13b9.1] according to AntiVir) apparently
sets up this server for others to use as a repository to upload and download
files from the Net. This is the most clever thing I have ever seen, and I
would really like to know if anyone can explain in detail how it was
deployed on my machine. I cannot understand how it passed through ZA to
begin with. The only thing I can tie it to is my leaving the machine in the
DMZ, and possibly a site for an online Taipei game that a member of my
family visited. The new Windows Live Messenger might also be suspect as that
whole program looks like a security breach.

RD
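As an added example from the defender's side (not code posted in this thread), the two indicators RD describes, listeners on 444/43958 and core system binary names running from outside System32, checked against constructed `netstat -ano` and process listings; the PIDs and the C:\RECYCLED path are made up to mirror the report.

```python
import re

# Binaries that should only ever run from %SystemRoot%\System32
SYSTEM_ONLY = {"lsass.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"
SUSPECT_PORTS = {444, 43958}  # Serv-U listeners reported in the thread

# Constructed sample of `netstat -ano` output (not captured from the poster's PC)
NETSTAT_SAMPLE = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    0.0.0.0:444            0.0.0.0:0              LISTENING       1728
  TCP    127.0.0.1:43958        0.0.0.0:0              LISTENING       1728
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
"""

# Constructed PID -> (image name, full path) map, as tasklist/WMI would give it;
# the C:\RECYCLED path mirrors the folder the trojan created.
PROCESS_SAMPLE = {
    704: ("lsass.exe", r"C:\WINDOWS\system32\lsass.exe"),
    944: ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    1728: ("svchost.exe", r"C:\RECYCLED\svchost.exe"),
}

LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.M)

def suspicious_listeners(netstat_text):
    """Return {pid: [ports]} for LISTENING sockets on the suspect ports."""
    hits = {}
    for port, pid in LISTEN_RE.findall(netstat_text):
        if int(port) in SUSPECT_PORTS:
            hits.setdefault(int(pid), []).append(int(port))
    return hits

def masquerading_processes(processes):
    """PIDs named like a core system binary but running from outside System32:
    a filename-only firewall rule cannot tell these from the real service."""
    return sorted(pid for pid, (name, path) in processes.items()
                  if name.lower() in SYSTEM_ONLY
                  and not path.lower().startswith(SYSTEM32))

def triage(netstat_text, processes):
    """PIDs that both listen on a suspect port and masquerade as a system binary."""
    masq = set(masquerading_processes(processes))
    return sorted(pid for pid in suspicious_listeners(netstat_text) if pid in masq)

if __name__ == "__main__":
    for pid in triage(NETSTAT_SAMPLE, PROCESS_SAMPLE):
        name, path = PROCESS_SAMPLE[pid]
        print(f"PID {pid}: {name} at {path} listening on "
              f"{suspicious_listeners(NETSTAT_SAMPLE)[pid]}")
```

On a live box the same checks would be fed from the real `netstat -ano` output and a process list that includes image paths, which is what distinguishes a renamed Serv-U binary from the genuine service of the same name.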