Re: Recovery from total hack
From: Jeff Cochran (jcochran.nospam_at_naplesgov.com)
Date: 08/05/03
- Next message: Guy Williams: "Win 2000 Server and MS03-026"
- Previous message: ash: "Please help me i am desperate"
- In reply to: Rob: "Recovery from total hack"
- Next in thread: Rob: "Re: Recovery from total hack"
- Reply: Rob: "Re: Recovery from total hack"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 05 Aug 2003 21:47:41 GMT
On Tue, 5 Aug 2003 12:07:21 -0700, "Rob"
<handyman42m@NOcomcastSPAM.net> wrote:
>My system: Win2K, kept completely updated always. Running
>NAV Corp ed 7.51 and an older version of Zonealarm [I don't
>like the new version], on a peer-to-peer Win2K home
>network behind a Linksys router on cable internet. I was
>testing the firewall a few weeks ago. Ran tests with the
>firewall down, and with the CPU in question in the DMZ of
>the router, to compare results. Kid falls off swingset,
>breaks leg, I run off and FORGOT to take the PC out of the
>DMZ and turn on the firewall! It was this way for a few
>weeks. In the second week, I get three viruses caught and
>isolated by Norton, all three having in common that they
>attempt to spread via network shares, so I suspect my
>son's machine, but find nothing there. Then I observe one
>morning independent mouse movement while I'm reading
>email, 6am. Sure enough, Dameware mini remote is running,
>plainly visible in the task tray. I disable the net card,
>forcibly rip out the dameware [after looking to see when
>it was installed]. I see I have dameware entries in the
>system log only since last night at 2am or so. This
>matches creation dates from the dameware directory and
>mailer installed in system32. Also present is a stand-alone
>SMTP mailer which has apparently been sending spam
>using my computer - I can provide detail if needed - a
>company from Germany advertising anti-spam software [in
>German][ironic]. I ad-aware and virus check all 4
>computers in the house completely with negative results,
>change all usernames and pw's on all 4 computers on the
>home network, reinstalled norton AV on all computers,
>checked for added users [none], re-installed zonealarm and
>with reset config settings on all computers in the house.
>I put the compromised machine back on the network, still
>in the DMZ, with the firewall up. I'm getting tons of
>hits from Germany on port 445. Hmmm. Took my system back
>out of the DMZ. All seems to be normal with no hits on
>the firewalls either in or out.
>Questions:
>1. How did they get in without tripping the anti-virus?
It wasn't a virus.
>Is there still a trojan of some sort hiding in there?
How should we know? How would you know?
>2. Should I format my system? Why?
Yes. Because you had to ask the question above.
>3. How concerned should I be about ID theft since they
>owned my system, possibly for a week? I've been watching
>all credit and bank accounts very closely, nothing
>suspicious yet.
Probably unlikely. You should always be concerned, but that probably
wasn't what they were after.
>4. Repeat of No. 1: How the heck did they get in in the
>first place?
Repeat of answer 1: How should we know? Maybe a trojan delivered in
an email, or an embedded link you launched unwittingly. Without
firewall logs, as well as auditing logs from your system, it's tough
to tell much further. If you'd like us to perform a forensic
analysis, just post your credit card info... :)
>Any good advice would be appreciated...
Wipe. Reinstall. Pay better attention to security this time around.
>Sheepish MCSE...
Most good security admins got that way by figuring out how to fix the
security they screwed up. Welcome to the first step. :)
Jeff
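Jeff's point is that without firewall and audit logs the entry point can't be reconstructed. The script below is an added illustration, not code from either poster: it builds a first-pass timeline by correlating inbound port-445 hits from a router/firewall log with the creation times of files found in system32. All log lines, addresses, timestamps and file names are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta
TS_FORMAT = "%Y-%m-%d %H:%M:%S"
# Constructed router/firewall log lines: "date time direction src:port -> dst:port action".
FIREWALL_LOG = """\
2003-08-04 02:03:11 inbound 198.51.100.23:3389 -> 192.168.1.10:445 allowed
2003-08-04 02:05:47 inbound 198.51.100.23:3391 -> 192.168.1.10:445 allowed
2003-08-05 06:10:02 inbound 198.51.100.23:4021 -> 192.168.1.10:445 blocked
2003-08-05 06:12:30 inbound 203.0.113.77:1044 -> 192.168.1.10:445 blocked
"""
# Constructed creation times of files found in system32 (hypothetical names).
FILE_CTIMES = {
    r"C:\WINNT\system32\remote_svc.exe": "2003-08-04 02:04:20",
    r"C:\WINNT\system32\mailer.exe": "2003-08-04 02:09:55",
    r"C:\WINNT\system32\legit.dll": "2003-07-20 10:00:00",
}

def parse_firewall(text):
    """Turn each log line into a dict with a parsed timestamp, source IP and destination port."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, direction, src, _, dst, action = line.split()
        events.append({"ts": datetime.strptime(f"{date} {time}", TS_FORMAT),
                       "dir": direction, "src": src.rsplit(":", 1)[0],
                       "dport": int(dst.rsplit(":", 1)[1]), "action": action})
    return events

def hits_by_source(events, port=445):
    """Count inbound hits on one port per source address (the 'tons of hits on 445')."""
    return Counter(e["src"] for e in events if e["dir"] == "inbound" and e["dport"] == port)

def first_allowed(events, port=445):
    """Earliest inbound hit on the port that the firewall let through, or None."""
    allowed = [e["ts"] for e in events
               if e["dir"] == "inbound" and e["dport"] == port and e["action"] == "allowed"]
    return min(allowed) if allowed else None

def correlate(events, file_ctimes, window=timedelta(minutes=30)):
    """Per file: sources with an allowed inbound hit in the `window` before creation (empty = no log evidence)."""
    links = []
    for path, ctime in file_ctimes.items():
        created = datetime.strptime(ctime, TS_FORMAT)
        sources = sorted({e["src"] for e in events if e["action"] == "allowed"
                          and created - window <= e["ts"] <= created})
        links.append((path, created, sources))
    return sorted(links, key=lambda link: link[1])
```

With the constructed data, the two binaries created around 2am line up with allowed hits from one source, while the older DLL has no matching traffic and is not implicated by the logs alone.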