Re: Help Me Clean up a Hacker's Mess!
From: D. Small Gilligan (jgillig1@nycap.rr.com)
Date: 10/13/02
- Next message: Art: "Re: messenger service and source logging"
- Previous message: Shannon Jacobs: "Re: Yet another extremely serious OE bug"
- In reply to: Karl Levinson [x y] (MVP): "Re: Help Me Clean up a Hacker's Mess!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "D. Small Gilligan" <jgillig1@nycap.rr.com> Date: Sat, 12 Oct 2002 22:32:30 -0400
Karl, thank you, thank you.
With 6 days of frantic research after a hacker set up a PipeCmd Service on my
computer, I feel as though I have just taken a crash course with Einstein. Have
learned much about my computer, including how to use Administrator Tools to
review all of the things I'm supposed to be taking care of - also found the
setting to disable that service for the interim fix. Had installed a firewall
some time ago, but now I have figured out how to configure it after I missed my
first chance at first run. So far I have it jacked up too high, but am logging
the alerts so that I will be able to figure out what changes have to be made.
Your very kind help has removed the panic I experienced for 6 days. Your
comments and instructions, combined with my research finds on computer "guts"
have pointed me in the right direction. I also did request from the firewall to
activate logging, as you suggested.
Actually, I had all windows updates and patches. However, my LARGEST MISTAKE was
not having a good upfront password or two. And I am now ready to buckle down and
probably strip down this animal and start over. Again, thanks, much. d small
gilligan
...............................................
"Karl Levinson [x y] (MVP)" <levinson_k@excite.com> wrote in message
news:egrmtzFcCHA.1748@tkmsftngp12...
> It's kind of hard to learn this stuff made before
> formatting it, to determine the nature of the hack and the hacker, which
> will help harden this machine and investigate others for other compromises.
> "Cleaning the registry" is not usually the preferred response to a
> successful hacking.
>
> If there are any clues, they would likely be in a log file on the computer,
> your firewalls [you do have one or more firewalls, correct?] and/or your
> upstream routers, assuming they've already been configured to log traffic.
> If you don't have these clues, you might be very lucky and be able to
> configure logging and possibly sniffer software such as Ethereal or Windump
> and see the hacker, if the hacker returns.
>
> My guess is that you were missing a Microsoft service pack and/or had a
> vulnerable service running. Downloading and running HFNETCHK and/or MBSA
> from www.microsoft.com/download should enumerate missing patches [both] and
> other service vulnerabilities [MBSA].
>
> There are a number of free firewalls out there, including Sygate software
> [free for non-commercial use], Smoothwall / IPcop [just two of the free
> linux firewalls out there, require an old 486 / 586 / 686 PC], or hardware
> devices such as Linksys and Netgear start around $70 US. Be sure to
> configure logging. You'll also find a variety of helpful investigation
> tools at www.foundstone.com, www.sysinternals.com, and www.gfi.com such as
> fport, pstools including pslist and psloggedon, and the GFI Languard File
> Integrity Checker [hidden under the Languard White Papers link]
>
> This is by no means everything you need to know if you choose to investigate
> the hacking, but I hope this helps anyways.
>
> "D. Small Gilligan" <jgillig1@nycap.rr.com> wrote in message
> news:ug4GMC#bCHA.1424@tkmsftngp10...
> > I am requesting help because of a Windows 2000 vulnerability that has happened
> > to me in the last few days. I have not received any constructive help on the
> > McAfee forum (see why below*) nor a response from my ISP. At the end are my
> > computer stats.
> > .
> > THE PROBLEM
> > When I clicked into a new WORD document (I only just pasted a picture into it),
> > my virus alert popped out. I let it delete a file containing a virus called
> > Fluxay.gen (see note below*). The container was a file called NTCmd.exe. Just to
> > be sure, I ran the VS (all files) (twice in three days) and I was clean.
> >
> > Afterward, I found on my HD:
> > C:\6q (new folder which has three files in it)
> > directx.exe
> > go.bat
> > PipeCmd.exe
> > .
> > MY REQUEST FOR HELP
> > (1) These do not belong on my machine in this way
> > (2) I need instructions to get them out of my system
> > (3) Since I'm not familiar with all the files that are 'legal' in WIN2000, I am
> > hesitant about cleaning the registry in this case, though there are multiple
> > references to PipeCmd and PipeCmd Service there.
> > (4) I did use the command prompt to delete the above files, but after restart,
> > they have returned to C: in a new folder named 7a.
> > .
> > MY RESEARCH ON THE SUBJECT
> > In researching this, I found an Oct 4 2002 communication between two techs
> > discussing the subjects of ntcmd and PipeCmd, and Fluxay, a part of a hacker's
> > tool kit. His communication contained a Chinese translation of how the PipeCmd
> > Service works. After reading this I determined that I had been hacked, with the
> > (now deleted) virus having been introduced into the file called NTCmd.exe. The
> > URL is:
> > http://online.securityfocus.com/archive/75/294139/2002-10-03/2002-10-09/0
> >
> > Does anyone understand the information in the URL article to be able to tell me
> > how to get rid of the residue? Apparently the pipe is directed to my computer,
> > but I'm not a technician and do not know what to do to (kill the connection) or
> > to (clean up the mess). I typed C:\>netstat -an to see a list of active
> > connections. There are
> > 9 TCP 'listening' connections (mostly for winupdates, mcafee, etc)
> > 1 TCP 'established' (labeled IP Address)
> > 7 UDP (each labeled *.*)
> > (those items are sort of 'greek' to me)
> > _____________________
> > *I think there was not a good answer from McAfee because this article is
> > declaring that fluxay is not a virus but part of a hacker's toolkit. I think the
> > reason my VS deleted the virus was not because it was called fluxay, but because
> > its file extension was .gen. The McAfee Library includes the .gen extension in
> > its scanning as suspect, but the library does not contain the word/phrase
> > Fluxay.
> > _____________________
> > Windows 2000 Pro 5.0 2195 SP2 NTFS Standalone
> > I am administrator and sole user except for my technician (who is in Boston this
> > week)
> > Do not have IIS installed on my computer.
> > Windows & Critical Updates (Not SP3) up to Oct 8 2002
> > McAfee Virus Scan 6.02.3000 DATS: 4.0.4227 Engine 4.1.6.0
> > Internet Explorer 6.0.2800.1106 + patches & SP1 Outlook Express
> > ISP: TW Road Runner (use a unix server to upload a second web)
> >
> >
>
>
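The `netstat -an` listing the original poster calls "Greek", and the fport / pslist suggestion in Karl's reply, can be combined into a small triage step: parse the netstat output, join each listening port to the process fport says owns it, and report anything outside a baseline of expected listeners plus every ESTABLISHED connection. The script below is an added example written for this page, not code from either poster or from Foundstone or Microsoft. Both sample listings are constructed (the fport column layout is assumed from its usual table form), the PID, port numbers and `C:\6q\PipeCmd.exe` owner in the sample are invented for illustration, and the baseline set of "normal" TCP listeners for a standalone Windows 2000 Pro workstation is an assumption that must be adjusted per machine.

```python
"""Triage `netstat -an` output against an fport port-to-process map.

Added example for this thread, not code from the posters or from any tool
named in it.  Windows 2000 netstat has no -o switch, so the process that
owns a port has to come from a second tool (fport here); on later Windows
versions `netstat -ano` gives the PID directly.
"""
import re
from dataclasses import dataclass

# Constructed sample of `netstat -an` on Windows 2000 (not the poster's output).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8787           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1044      203.0.113.7:4444       ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
"""

# Constructed sample of Foundstone fport output; column layout is assumed.
FPORT_SAMPLE = r"""
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
512   MSTask         ->  1025  TCP   C:\WINNT\system32\MSTask.exe
1188  PipeCmd        ->  8787  TCP   C:\6q\PipeCmd.exe
"""

# Assumed baseline for a standalone Win2000 Pro box: RPC endpoint mapper,
# NetBIOS session, SMB over TCP and one RPC dynamic port.  Adjust per host.
BASELINE_TCP = {135, 139, 445, 1025}


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote: str
    state: str  # empty for UDP, which netstat prints without a state column


NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")
FPORT_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")


def parse_netstat(text):
    """Return one Socket per TCP/UDP line; header and blank lines are skipped."""
    socks = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, ip, port, remote, state = m.groups()
            socks.append(Socket(proto, ip, int(port), remote, state or ""))
    return socks


def parse_fport(text):
    """Map (proto, port) -> (pid, process name, image path) from fport output."""
    owners = {}
    for line in text.splitlines():
        m = FPORT_RE.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            owners[(proto, int(port))] = (int(pid), proc, path.strip())
    return owners


def triage(netstat_text, fport_text, baseline=BASELINE_TCP):
    """Flag listeners outside the baseline and every established connection.

    Each finding carries the owning process from fport when it is known,
    otherwise None, which is itself a cue to run pslist / fport again.
    """
    owners = parse_fport(fport_text)
    findings = {"unexpected_listeners": [], "established": []}
    for s in parse_netstat(netstat_text):
        owner = owners.get((s.proto, s.local_port))
        if s.state == "LISTENING" and s.local_port not in baseline:
            findings["unexpected_listeners"].append((s.local_port, owner))
        elif s.state == "ESTABLISHED":
            findings["established"].append((s.local_port, s.remote, owner))
    return findings


if __name__ == "__main__":
    for kind, items in triage(NETSTAT_SAMPLE, FPORT_SAMPLE).items():
        for item in items:
            print(kind, item)
```

On the constructed sample the script reports one listener outside the baseline, port 8787 owned by PID 1188 running from C:\6q, and one ESTABLISHED session to 203.0.113.7:4444 whose owner fport did not list. Run it against real output captured before the machine is rebuilt, and keep the raw captures alongside the firewall logs Karl asked for.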