Re: Recovery from total hack
From: Miha Pihler (miha.pihler_at_Atlantis-N0Spam.si)
Date: 08/05/03
- Next message: Rob: "Re: User Account Lockout"
- Previous message: Andrew Weaver: "Re: Maybe have found the first rootkit/worm exploiting the dcom/rpc vuln"
- In reply to: Rob: "Recovery from total hack"
- Next in thread: Rob: "Re: Recovery from total hack"
- Reply: Rob: "Re: Recovery from total hack"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 5 Aug 2003 21:42:07 +0200
Hi Rob,
Some answers and my views...
1) You said you saw Dameware in your PC. I guess they guessed one of your
passwords and installed it. If they had your admin password then they could
also stop your antivirus... Dameware is a legit program (and very nice one
:-) ...) so antivirus didn't react to it either.
2) I wouldn't :-), but I like challenges :-). Seriously, I think you have
done everything you could to clean out your PCs. If you are serious about
a format then you would have to format all 4 PCs at the same time. None of
them should be up while you format the others, or you have done nothing. If
you are afraid that you still have something on your PC that the hackers might
have left, and you format one PC at a time, your now clean PC would get
infected from the other three that are not yet formatted :-)
What I would do is make really sure I change ALL the passwords on all the
users. If possible change the usernames as well and turn on logging. The
second thing I would do is recheck what kind of traffic is allowed to the
internet. I would close down everything that is not necessary. (Do you allow
TFTP out on the internet from your PC? Why? Do you need it?) :-) ... Close
down all ports that you don't need. Monitor outgoing traffic.
Check your guest accounts. They should be disabled. Check whether IIS and FTP are
running; they shouldn't be...
3) Hard to tell. Keep an eye on your bank accounts.
4) Look at #1
--
Mike
MCSA 2K, MCSE 2K, MCT, ...

"Rob" <handyman42m@NOcomcastSPAM.net> wrote in message news:048301c35b84$cc58fae0$a101280a@phx.gbl...
> My system: Win2K, kept completely updated always. Running
> NAV Corp ed 7.51 and an older version of Zonealarm [I don't
> like the new version], on a peer to peer Win2K home
> network behind a Linksys router on cable internet. I was
> testing the firewall a few weeks ago. Ran tests with the
> firewall down, and with the CPU in question in the DMZ of
> the router, to compare results. Kid falls off swingset,
> breaks leg, I run off and FORGOT to take the PC out of the
> DMZ and turn on the firewall! It was this way for a few
> weeks. In the second week, I get three viruses caught and
> isolated by Norton, all three having in common that they
> attempt to spread via network shares, so I suspect my
> son's machine, but find nothing there. Then I observe one
> morning independent mouse movement while I'm reading
> email, 6am. Sure enough, Dameware mini remote is running,
> plainly visible in the task tray. I disable the net card,
> forcibly rip out the dameware [after looking to see when
> it was installed]. I see I have dameware entries in the
> system log only since last night at 2am or so. This
> matches creation dates from the dameware directory and
> mailer installed in system32. Also present is a stand-
> alone SMTP mailer which has apparently been sending spam
> using my computer - I can provide detail if needed - a
> company from Germany advertising anti-spam software [in
> German] [ironic]. I ad-aware and virus check all 4
> computers in the house completely with negative results,
> change all usernames and pw's on all 4 computers on the
> home network, reinstalled Norton AV on all computers,
> checked for added users [none], re-installed Zonealarm
> with reset config settings on all computers in the house.
> I put the compromised machine back on the network, still
> in the DMZ, with the firewall up. I'm getting tons of
> hits from Germany on port 445. Hmmm. Took my system back
> out of the DMZ. All seems to be normal with no hits on
> the firewalls either in or out.
>
> Questions:
> 1. How did they get in without tripping the anti-virus?
> Is there still a trojan of some sort hiding in there?
> 2. Should I format my system? Why?
> 3. How concerned should I be about ID theft since they
> owned my system, possibly for a week? I've been watching
> all credit and bank accounts very closely, nothing
> suspicious yet.
> 4. Repeat of No. 1: How the heck did they get in in the
> first place?
>
> Any good advice would be appreciated...
>
> Sheepish MCSE...
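Mike's advice above amounts to a review procedure: turn on logging, allow only the outbound traffic you actually need (his TFTP example), watch for inbound hits on ports like 445, and flag anything else. The script below is an added example, not code from either poster, that runs that review over firewall log lines. The log format it parses is a constructed, simplified one (timestamp, direction, protocol, src:port -> dst:port, action) and is NOT the real ZoneAlarm or Linksys format; the outbound allow-list is an assumption chosen for a home PC of that era, and the sample lines are constructed to mirror the incident in the thread (inbound 445 and remote-control connections, outbound SMTP from a spam mailer, outbound TFTP).

```python
"""Review firewall log lines against an egress allow-list and an inbound watch-list.

Added example for the thread above; the log format is constructed and simplified,
not a real ZoneAlarm/Linksys export. Adapt LOG_RE to your own log layout.
"""
import re
from collections import Counter

# Outbound destination ports a home PC plausibly needs (assumption for this example):
# DNS, HTTP/HTTPS, POP3/POP3S, IMAP/IMAPS. Everything else is reported.
ALLOWED_OUTBOUND_PORTS = {53, 80, 443, 110, 995, 143, 993}

# Inbound destination ports that should never be reachable from the internet on a
# home LAN: RPC/NetBIOS/SMB, FTP, TFTP and DameWare Mini Remote Control's default (6129).
SENSITIVE_INBOUND_PORTS = {135, 139, 445, 21, 69, 6129}

# Constructed log layout: "<date> <time> <IN|OUT> <TCP|UDP> <src>:<sport> -> <dst>:<dport> <ALLOW|BLOCK>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dir>IN|OUT) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<action>ALLOW|BLOCK)$"
)

# Constructed sample, shaped like the incident in the thread: a 2am inbound burst on 445
# and the remote-control port, then outbound SMTP and TFTP from the compromised host.
# 192.168.1.101 is the compromised PC; 203.0.113.x / 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
2003-08-05 02:03:11 IN TCP 203.0.113.7:3491 -> 192.168.1.101:445 ALLOW
2003-08-05 02:03:12 IN TCP 203.0.113.7:3492 -> 192.168.1.101:445 ALLOW
2003-08-05 02:07:40 IN TCP 203.0.113.7:3501 -> 192.168.1.101:6129 ALLOW
2003-08-05 02:15:02 OUT TCP 192.168.1.101:1044 -> 198.51.100.20:25 ALLOW
2003-08-05 02:15:09 OUT TCP 192.168.1.101:1045 -> 198.51.100.21:25 ALLOW
2003-08-05 02:16:30 OUT UDP 192.168.1.101:1050 -> 203.0.113.7:69 ALLOW
2003-08-05 06:01:15 OUT TCP 192.168.1.101:1060 -> 198.51.100.5:80 ALLOW
2003-08-05 06:01:16 OUT UDP 192.168.1.101:1061 -> 192.168.1.1:53 ALLOW
2003-08-05 09:30:00 IN TCP 203.0.113.9:2231 -> 192.168.1.101:445 BLOCK
this line is garbage
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def review(lines, allowed_out=ALLOWED_OUTBOUND_PORTS, watch_in=SENSITIVE_INBOUND_PORTS):
    """Flag outbound traffic outside the allow-list and inbound hits on watched ports.

    Returns findings as (kind, src, proto, dport, action) tuples, a per-port count of
    inbound hits on watched ports (allowed or blocked), and the number of unparsed lines.
    """
    findings = []
    inbound_hits = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # keep a count so a format change does not silently hide traffic
            continue
        if rec["dir"] == "OUT" and rec["dport"] not in allowed_out:
            findings.append(("unexpected-outbound", rec["src"], rec["proto"], rec["dport"], rec["action"]))
        if rec["dir"] == "IN" and rec["dport"] in watch_in:
            inbound_hits[rec["dport"]] += 1
            # A blocked probe is just noise to count; an ALLOWED one means the port was exposed.
            if rec["action"] == "ALLOW":
                findings.append(("sensitive-inbound-allowed", rec["src"], rec["proto"], rec["dport"], rec["action"]))
    return {"findings": findings, "inbound_hits": dict(inbound_hits), "unparsed": unparsed}


def count_by_kind(findings):
    """Summarise findings as {kind: count}."""
    return dict(Counter(f[0] for f in findings))


if __name__ == "__main__":
    result = review(SAMPLE_LOG.splitlines())
    for kind, src, proto, dport, action in result["findings"]:
        print(f"{kind:26} {proto} {src} -> port {dport} ({action})")
    print("inbound hits on watched ports:", result["inbound_hits"])
    print("unparsed lines:", result["unparsed"])
```

Run against the constructed sample, it reports the three allowed inbound connections (two on 445, one on 6129), the two outbound SMTP connections and the outbound TFTP transfer, counts the later blocked 445 probe without flagging it, and notes one unparsed line. The point of counting blocked hits separately is the one in Rob's own observation: a wall of blocked 445 probes is background noise once the PC is out of the DMZ, while even one ALLOWED inbound connection on such a port is the event to investigate.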