Re: XP PRO Hack Attack--How?
- From: carmen.dlf@xxxxxxxxx
- Date: Wed, 12 Dec 2007 15:03:46 -0800 (PST)
On Dec 11, 2:25 pm, "RD" <reddog...@xxxxxxxxxxx> wrote:
This is probably not the correct newsgroup, but I'll take a chance. I left
one of my computers in the DMZ the other day accidentally. I use a Linksys
router connected to a cablemodem. The Linksys is setup for home use, and has
3 computers and a printer connected to it. Somehow, a hacker disabled my
AntiVir AV software on the PC that was in the DMZ, set up a rule in Zone
Alarm to allow rogue lsass.exe and svchost.exe programs full access to
everything, created a folder called C:\RECYCLED, and ran a script to set up
Serv-U FTP Server listening on port 444 and 43958. There is an entry in the
Serv-U ini file called [USER=wonderland|1]. I had just happened to waltz
into the computer room and saw a DOS box executing scripts and thought,
'that can't be right'. So I immediately unplugged the PC from the network
and started doing some digging. The above is what I found. My question is,
how in the world did someone find me on the Internet and get all that
accomplished?
After backing up my hard drive to an image file and later scrubbing the
suspected Trojan, I took the RECYCLED folder from my backed up image and
copied it to a VMWARE image to see what it did, and to see if the hacker
would come back. I put the VMWARE machine's IP address in the DMZ. The virus
program ran a setup batch file, then an info program that somehow scanned
the local hard drives on the host pc and reported their size and free space
in a text file in C:\RECYCLED on the VMWARE machine. That concerned me as
the VMWARE machine was bridging into my actual PC. So, not knowing what I
was doing, I shut it all down, deleted the VMWARE image, and disabled the
DMZ and all port forwarding on my router. I don't have any of my hard drives
shared, other than the Admin shares XP creates which I know little about and
really don't understand how to get rid of. There are only two user accounts,
both have administrator rights and unique passwords. The guest account is
disabled. I would like to hear explanations on how all that stuff happened,
and with the router back in action, whether or not anyone thinks it can
happen again. Thanks!
RD
I would assume that the machine has been completely compromised and
would plan on doing a complete clean rebuild. More than likely your
machine was compromised with a known/unknown windows vulnerability,
which gave the attacker full system privileges. Shutting down
antivirus/firewalls is trivial with full system access. Normally a
simple 'net stop' command will disable both. The attacker then most
likely installed backdoors/Serv-U at this stage. He/She also probably
dumped and cracked your Windows passwords, again not difficult to do.
A good tip is to ensure Windows passwords are a minimum of 15 letters.
It is not safe to assume that an Antivirus will detect any of these
backdoors and you're lucky it detected the serv-u even. As stated
previously the hacker is most likely not interested in your personal
files, but more interested in using your machine to:
(a) Send spam
(b) Scan for more vulnerable machines
(c) Host warez
Best of luck with your problem
Carmen
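An added triage check (example code, not from this thread or any of its posters) built around the indicators RD reported: it flags TCP listeners on the Serv-U ports 444 and 43958 in constructed `netstat -ano` output and lists `[USER=...]` accounts in a constructed Serv-U style ini that the owner did not create. The sample data and the `unexpected_users` helper are assumptions, not material from the post.

```python
import re

# Indicators named in the post: Serv-U listening on 444 and 43958 and a rogue
# [USER=wonderland|1] section in the Serv-U ini.
SUSPECT_PORTS = {444, 43958}

# Constructed sample of `netstat -ano` output (assumption: not from RD's machine).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:444            0.0.0.0:0              LISTENING       1540
  TCP    0.0.0.0:43958          0.0.0.0:0              LISTENING       1540
  TCP    192.168.1.5:1054       10.0.0.9:80            ESTABLISHED     2020
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed Serv-U style ini; only the [USER=wonderland|1] header mirrors the post.
SAMPLE_INI = """\
[GLOBAL]
Version=6.4
[USER=wonderland|1]
HomeDir=C:\\RECYCLED
[USER=backup|1]
HomeDir=D:\\backup
"""

USER_SECTION_RE = re.compile(r"^\[USER=([^|\]]+)(?:\|\d+)?\]\s*$")


def suspicious_listeners(netstat_text, ports=SUSPECT_PORTS):
    """Return TCP sockets in LISTENING state whose local port is in `ports`."""
    hits = []
    for line in netstat_text.splitlines():
        tok = line.split()
        if len(tok) != 5 or tok[0] != "TCP":  # UDP rows have no State column
            continue
        proto, local, _foreign, state, pid = tok
        port = int(local.rsplit(":", 1)[1])  # rsplit copes with IPv6 addresses
        if state == "LISTENING" and port in ports:
            hits.append({"proto": proto, "port": port, "pid": int(pid)})
    return hits


def serv_u_users(ini_text):
    """Collect user names from [USER=name|n] section headers, in file order."""
    return [m.group(1) for m in map(USER_SECTION_RE.match, ini_text.splitlines()) if m]


def unexpected_users(ini_text, expected):
    """Users present in the ini that the owner did not create."""
    return [u for u in serv_u_users(ini_text) if u not in expected]
```

Both listeners on the sample share PID 1540, which is the process to examine first; on a live box the same checks run against the real `netstat -ano` output and the real ServUDaemon.ini.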