Security Incidents mailing list archives
Re: Re: They got me!!!
From: "Eliah Kagan" <degeneracypressure () gmail com>
Date: Thu, 6 Apr 2006 21:19:49 -0400
1) rootkits,trojans..ect are put there by people with a lot more knowledge then the average person. In most cases, you will never Find the person.
If the attack is personal, rather than impersonal and automated, then you may well find the person. For instance, many stalkers are also (albeit older than the stereotype would have you believe) script kiddies, and combine the two. A little investigatory work can often reveal the identity of the attacker. Rootkits and trojans are often used by people who know how to followed dumbed-down directions on a website, and no more. And even when they are installed by highly competent malicious hackers, people make mistakes. Consider computer crime as a subset of crime in general. Many if not most people who are stalked or anonymously harassed strongly suspect one individual as the culprit, and are right. Professional investigators typically obtain their first lead or leads by asking the victim who the victim thinks is the culprit. If your box has been owned and it looks like a personal attack rather than an automated one, you might already know who did it. (Or it could very well be one of your kids' friends or enemies from school.) In the case being discussed in this thread, though, there doesn't seem to be any compelling evidence thus far revealed to suggest that the attack was personal. It was probably automated: spyware, exploitation of a bug in IE, malware spammed in by email, and so forth, as people have suggested. It is important to recognize that common spyware often uses rootkits. The two most celebrated examples are CoolWebSearch and the DRM rootkit that Sony used. Substantial programming skill is needed to write a rootkit, not to use one on somebody.
6) I know Zone Alarm can do this, I'm sure yours can. - set program control to not allow anything to run without prompting you. Make sure You erase any past access. Reboot the box and see what wants to run on your box.
Program control is a useful tool, but it is not guaranteed to work against a kernel-mode rootkit. Once a hacker can run arbitrary code on your system, you can never trust anything your system (that is, any program of any kind running on your system) tells you. The whole point of rootkits is to make detection and prevention methods--like program control--fail silently. -Eliah On 4/6/06, Levenglick, Jeff <JLevenglick () fhlbatl com> wrote:
It is always nice to learn, but in a lab. You need to keep in mind of the following: 1) rootkits,trojans..ect are put there by people with a lot more knowledge then the average person. In most cases, you will never Find the person. 2) You are dealing with your own box. Your info..ect is on that box, you really do not want to play around with it, do you? Without a sniffer or a honey box you will have a hard time trying to see all the steps taken to get your box. I would suggest the following: 1) run netstat -an and save the output. 2) remove the box from any networks 3) run netstat -an and save it to another file. 4) compare the two files. Did something wake up or did something die? 5) look for strange ports. Check google to see what the port is known for. 6) I know Zone Alarm can do this, I'm sure yours can. - set program control to not allow anything to run without prompting you. Make sure You erase any past access. Reboot the box and see what wants to run on your box. The above should get you some information to google. Usually you can find out what the trojan/root kit does and how it is installed. If nothing comes up, then someone might have run an exploit to connect to your box and then got off. The only way to find out at this point is To check your router logs. Look for multiple connects to ports from the same ip. If your lucky you might see a scan with 50+ trys within one minute. If you still do not see anything, then assume something was run on the pc first. You should see in the log file a connection going to an outside ip on a strange port. Or one the keeps connecting each day to the same ip...ect.. -----Original Message----- From: pentesticle () yahoo com [mailto:pentesticle () yahoo com] Sent: Thursday, April 06, 2006 10:21 AM To: incidents () securityfocus com Subject: Re: Re: They got me!!! Yes, I want to learn something from this so want to find out what/how the access was obtained. I feel I have the computers as secure as Microsoft allows (WinXP Pro). I check for patches regularly (weekly). I have most built-in accounts disabled. The accounts all run at a regular user priviledge. This particular machine does act as a print server for my network, but I have anonymous access restricted and only allow authenticated connections. I restrict remote admin access, but not sure if it can be bypassed somehow. The kids do play the internet games and surf the funny video sites and I do have a teen that check web mail, but none of them are "supposed" to have access to install (ie regular user account). I have software firewalls (Symantec) running on the machine behind a Linksys router/firewall as my gateway. So far I haven't any spyware on the box, only attempts, when I run my nightly scans and review the logs files. Since I didn't have my sniffer running at the time I really want to see if I can find out what happened and how it happened. I'm somewhat concern if my border device may possibly be compromised as well. Unfortunately Linksys is pretty limited on the abilities to manage the device. None of my other PC's on the network seem to show any indication of compromise, but again this one in particular is slightly less secure for the sharing of the printer. Any additional information is much appreciated. Thanks... Hopefully I'll be able to put the pieces together. ----------------------------------------- This e-mail message is private and may contain confidential or privileged information.
Current thread:
- Re: They got me!!!, (continued)
- Re: They got me!!! Valdis . Kletnieks (Apr 06)
- RE: They got me!!! David Gillett (Apr 06)
- RE: They got me!!! Terry Vernon (Apr 06)
- Re: They got me!!! l00t3r (Apr 06)
- Re: They got me!!! Jamie Riden (Apr 06)
- Re: They got me!!! l00t3r (Apr 06)
- Re: They got me!!! Colin Copley (Apr 06)
- RE: They got me!!! Levenglick, Jeff (Apr 06)
- Re: Re: They got me!!! john . fellers (Apr 06)
- Re: Re: They got me!!! pentesticle (Apr 06)
- RE: Re: They got me!!! Levenglick, Jeff (Apr 06)
- Re: Re: They got me!!! Eliah Kagan (Apr 06)