Re: Recovery from total hack

From: Miha Pihler (
Date: 08/05/03

Date: Tue, 5 Aug 2003 22:21:36 +0200

Hi Rob,

Personally I like to Create new User and give him User name e.g. "Jack" with
full admin permissions and then disable Administrator Account. This will
prevent anyone from knowing in advance who my admin is. I is not much but it
is something. Then you can monitor failed logon attempts and see if anyone
is trying to use administrator account.
Well of course passwords should be strong :-) ...

Often on my PCs my user account is the only admin (Not on servers! On my
desktops, laptops, etc...). I know this can be "dangerous" but I export my
EFS keys and store them in safe location. Anything else is a matter of
taking ownership if files in worse case scenario... I guess I could lose one
day work by having to reinstall my laptop ... :-)

About phoning home. That's the reason why I am telling you to check and
close on unnecessary outgoing connections. Allow only outbound to mail
services, DNS, web, and other service that you _need_. Deny everything


"Rob" <> wrote in message
> Thanks for the advice!
> I have changed all users, all passwords, reinstalled
> Norton and the firewalls, and made sure the firewalls had
> new settings ie no 'remembered' programs from the previous
> installation.
> BTW, the admin pw on all machines was very weak, guess I
> need to practice at home what I preach at work.
> I guess what I'm worried about is that some executable
> they left is phoning home thru the firewall [think...
> keystroke logger] using an allowed program, such as the
> services and controller app. I think I'll put everything
> on watch for a bit , pain in the butt, but I can see
> when/why/where they are trying to communicate with that
> way.
> >-----Original Message-----
> >Hi Rob,
> >
> >Some answers and my views...
> >
> >1) You said you saw Dameware in your PC. I guess they
> guessed one of your
> >passwords and installed it. If they had your admin
> password then they could
> >also stop your antivirus... Dameware is a legit program
> (and very nice one
> >:-) ...) so antivirus didn't react to it either.
> >
> >2) I wouldn't :-), but I like challenges :-). Seriously I
> think you have
> >done everything you could to clean out your PCs. If you
> are serious about
> >format then you would have to format all 4 PCs at the
> same time. None of
> >them should be up while you format the other or you have
> done nothing. If
> >you are afraid that you still have something on your PC
> that hackers might
> >have left and you format one PC at the time your now
> clean PC would get
> >infected from the other three that are not yet
> formatted :-)
> >What I would do is make really sure I change ALL the
> passwords on all the
> >users. If possible change the usernames as well and turn
> on logging. The
> >second thing I would do is recheck what kind of traffic
> is allowed to the
> >internet. I would close down everything that is not
> necessary. (Do you allow
> >TFTP out on the internet from your PC? Why? Do you need
> it?) :-) ... Close
> >down all ports that you don't need. Monitor outgoing
> traffic.
> >Check your guest accounts. They should be disabled. Check
> if IIS and FTP is
> >running and it shouldn't...
> >
> >3. Hard to tell. Keep an eye on your bank accounts.
> >4. Look at #1
> >
> >--
> >Mike
> >MCSA 2K, MCSE 2K, MCT, ...
> >
> >"Rob" <> wrote in message
> >news:048301c35b84$cc58fae0$a101280a@phx.gbl...
> >> My system: Win2K, kept completely updated always.
> Running
> >> NAV Corp ed 7.51 and an older version of Zonealarm [I
> dont
> >> like the new version], on a peer to peer Win2K home
> >> network behind a Linksys router on cable internet. I
> was
> >> testing the firewall a few weeks ago. Ran tests with
> the
> >> firewall down, and with the CPU in question in the DMZ
> of
> >> the router, to compare results. Kid falls off swingset,
> >> breaks leg, I run off and FORGOT to take the PC out of
> the
> >> DMZ and turn on the firewall! It was this way for a few
> >> weeks. In the second week, I get three viruses caught
> and
> >> isolated by Norton, all three having in common that they
> >> attempt to spread via network shares, so I suspect my
> >> son's machine, but find nothing there. Then I observe
> one
> >> morning independant mouse movement while I'm reading
> >> email, 6am. Sure enough, Dameware mini remote is
> running,
> >> plainly visable in the task tray. I disable the net
> card,
> >> forcibly rip out the dameware [after looking to see when
> >> it was installed]. I see I have dameware entries in the
> >> system log only since last night at 2am or so. This
> >> matches creation dates from the dameware directory and
> >> mailer installed in system32. Also present is a stand-
> >> alone SMTP mailer which has apparently been sending spam
> >> using my computer - i can provide detail if needed - a
> >> company from germany advertising anti-spam software [in
> >> german][ironic]. I ad-aware and virus check all 4
> >> computers in the house completely with negative results,
> >> change all usernames and pw's on all 4 computers on the
> >> home network, reinstalled norton AV on all computers,
> >> checked for added users [none], re-installed zonealarm
> and
> >> with reset config settings on all computers in the
> house.
> >> I put the comprimised machine back on the network, still
> >> in the DMZ, with the firewall up. I'm getting tons of
> >> hits from Germany on port 445. Hmmm. Took my system back
> >> out of the DMZ. All seems to be normal with no hits on
> >> the firewalls either in or out.
> >> Questions:
> >> 1. How did they get in without tripping the anti-virus?
> >> Is there still a trojan of some sort hiding in there?
> >> 2. Should I format my system? Why?
> >> 3. How concerned should I be about ID theft since they
> >> owned my system, possibly for a week? I've been
> watching
> >> all credit and bank accounts very closely, nothing
> >> suspicious yet.
> >> 4. Repeat of No. 1: How the heck did they get in in the
> >> first place?
> >>
> >> Any good advice would be appreciated...
> >>
> >> Sheepish MCSE...
> >> .
> >>
> >>
> >
> >
> >.
> >