Security Basics mailing list archives

Re: Windows 98 box is 'owned'


From: GuidoZ <uberguidoz () gmail com>
Date: Thu, 30 Sep 2004 15:45:47 -0700

I don't have a lot of time to type (on the way out of the door), so
I'll keep this short and sweet. =) Feel free to email me questions
directly. I have 10+ years experience with Windows with a strong
background on security. I'll try to write this keeping it simple and
mentioning utilities that don't take much time (if any at all) to
learn to use.

First thing to do - get her a personal firewall. This will at least
allow control of activity in and out. (Tell her to lock down
everything except for her email and web browser to start with, then go
from there.) Look at ZoneAlarm or Kerio, both are free and work great.

Obviously she should have an antivirus solution as well. This may help
defer so many from coming in. Normally I'd pimp AVG since it's free
and does the job, although you'll want something a little more robust
and user friendly. I'm not too fond of the resource hogs (Norton or
McAfee), though they are easy to use. NOD32 is becoming my fav since
it's easy to use, works, and leaves a small footprint on the system
and resources. It's not too much to buy either (less than the big
boys).

Aside from that, you need to start checking the Windows Run keys
(similar to something like /home/user/.kde/Autostart) and the running
processes (like lsof and pid). There are a couple programs out there
I've found very handy for doing just that, even though I know exactly
where the Run keys are. (All of them freely available.)

Check out StartupCPL by Mike Lin
(http://www.mlin.net/StartupCPL.shtml). I'd recommend the
self-executing EXE instead of the installer. I keep it on a floppy and
carry it with me when I go onsite.

PrcView (Process Viewer - http://www.teamcti.com/pview/prcview.htm) is
another program on the same disk I carry around. You can view all the
running processes, even if they are hidden from Task Manager
(CTRL+ALT+DEL).

Those two will get you started. You may want to peek at Sysinternals
(http://www.sysinternals.com/) as well - bunch of good stuff there!
Also, Hijackthis! (http://www.tomcoyote.org/hjt/) is a nice program to
use. Google it for forums where you can post your results and get help
going through them.

To see where things are connecting to (TCP/IP), open up a command
prompt (Start -> Run: command) and use netstat. Then use one of the
many online whois servers to find out more information.

That should give you enough to explore with. If you'd like more info,
simply ask. (Either to the list or directly). Good luck. I really have
to run now.

--
Peace. ~G


On Wed, 29 Sep 2004 20:03:49 -0700, Darren Kirby
<bulliver () badcomputer no-ip com> wrote:
Hello all,

I am writing this on behalf of my Mom. She was complaining that her computer
was sluggish, and that her HD space was getting used up faster than it
should. So I went over and fired up my trusty Linux live cd and had a look.

Anyway, I found a directory right in C: named 'Downloads', and inside were
about 50 or so files, which were all warez, porn, windows exploits and
cracker 'howto's. Quite obviously this computer is owned, and is being used
as a warez server. I deleted the files, booted win, but they reappeared after
about 10 minutes. The strange thing is that these files are ALL 29k, and all
have filenames like:

Adobe Photoshop crack.exe
Smashing the Stack.txt.exe
Eminem - full album.mp3.exe
Office 2003 full.exe
...
On further inspection I found an identical directory at C:/windows/Downloaded
Program Files/. God only knows how many trojans and other nasties are
sprinkled around...

So I yanked the power cord out of her adsl modem, and told her not to plug it
back in unless she was checking her mail. Bad advice for sure, but try
telling your mom that her computer is rooted by punk kids and it is too
cracked to have safe internet access at all. Seems that a complete OS
reinstall is in order, but it seems to me that if they can own her box once
they can own it again just as easily, which leads me to this list...I would
like to try some investigating, and try to figure out where the backdoor is,
what exactly they are doing...and of course how to prevent it.

Some background on myself...I am a Linux sysadmin, and have a great deal of
experience with UNIX operating systems...however, I have never run a windows
box, and have only used one in the 'point-and-drool' sort of way. So I really
know nothing of how the underlying OS works (or doesn't...).

So I guess I am just asking for some opinions of the situation, and perhaps
some links to docs about this type of attack, and how to prevent it. Also,
any software along the lines of chkrootkit or other forensic tools, but for
windows would be a big help.

TIA
-d
--
Part of the problem since 1976
http://badcomputer.no-ip.com
Get my public key from
http://keyserver.linux.it/pks/lookup?op=index&search=bulliver
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
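The two checks the reply recommends (the Run keys and the netstat table) can be done offline once the text is captured on the box, which suits a Linux sysadmin working from a live CD and a floppy. The script below is an added example for this archive page, not code from either poster or from any of the tools named: it parses a REGEDIT4 export (as produced by `regedit /e` on Win9x) of the Run/RunServices keys and a `netstat -an` capture, lists every autostart entry, marks the ones that launch from the two directories Darren found stuffed with foreign files, and pulls out listening ports and the remote peers worth running through whois. All sample input is constructed; the value names, paths and addresses in it are invented for illustration.

```python
"""Offline triage of Win9x autostart entries and netstat output.

Inputs are plain-text captures taken on the machine, for example:
    regedit /e run.reg "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
    netstat -an > netstat.txt
The sample text below is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# The two directories the original poster found full of foreign files; an
# autostart entry launching from either deserves a hard look. Compared
# case-insensitively because FAT32 paths are.
SUSPECT_DIRS = ("C:\\DOWNLOADS\\", "C:\\WINDOWS\\DOWNLOADED PROGRAM FILES\\")

# Constructed REGEDIT4 export of the HKLM/HKCU Run and RunServices keys.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"svchost32"="\"C:\\WINDOWS\\Downloaded Program Files\\svchost32.exe\""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="C:\\Downloads\\update.exe -s"
"""

# Constructed `netstat -an` capture; foreign addresses use RFC 5737 test ranges.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1031       203.0.113.10:6667      ESTABLISHED
  TCP    192.168.1.5:21         198.51.100.7:2044      ESTABLISHED
  UDP    192.168.1.5:137        *:*
"""


@dataclass
class AutostartEntry:
    key: str      # registry key the value lives under
    name: str     # value name
    command: str  # full command line, unescaped
    exe: str      # executable path taken from the command line

    def suspect(self) -> bool:
        path = self.exe.upper()
        return any(path.startswith(d) for d in SUSPECT_DIRS)


_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def _executable(command: str) -> str:
    """First token of a command line; honours a quoted path with spaces."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def parse_reg_export(text: str) -> List[AutostartEntry]:
    """Parse string values out of a REGEDIT4 export, keyed by section."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE.match(line)
        if m and key:
            # .reg files escape backslashes and quotes with a backslash.
            data = re.sub(r'\\(["\\])', r'\1', m.group(2))
            entries.append(AutostartEntry(key, m.group(1), data, _executable(data)))
    return entries


@dataclass
class Connection:
    proto: str
    local: str
    foreign: str
    state: str  # empty for UDP rows


def parse_netstat(text: str) -> List[Connection]:
    """Parse the TCP/UDP rows of a Win9x `netstat -an` capture."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("TCP", "UDP"):
            state = parts[3] if len(parts) > 3 else ""
            conns.append(Connection(parts[0], parts[1], parts[2], state))
    return conns


def listening_ports(conns: List[Connection]) -> List[int]:
    return sorted({int(c.local.rsplit(":", 1)[1]) for c in conns if c.state == "LISTENING"})


def remote_peers(conns: List[Connection]) -> List[str]:
    """Foreign hosts with live TCP sessions: the ones to look up with whois."""
    return sorted({c.foreign.rsplit(":", 1)[0] for c in conns if c.state == "ESTABLISHED"})


def triage(reg_text: str, netstat_text: str) -> Dict[str, list]:
    """Everything a reviewer would want in one place, as plain data."""
    entries = parse_reg_export(reg_text)
    conns = parse_netstat(netstat_text)
    return {
        "autostart": [(e.key.rsplit("\\", 1)[1], e.name, e.command) for e in entries],
        "suspect_autostart": [e.name for e in entries if e.suspect()],
        "listening_ports": listening_ports(conns),
        "remote_peers": remote_peers(conns),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_REG, SAMPLE_NETSTAT).items():
        print(section)
        for item in items:
            print("   ", item)
```

The allow-list is deliberately minimal: rather than guess at which entries are "normal" for a Win98 install, the report lists every autostart value so it can be pasted into one of the forums mentioned above, and only highlights entries whose executable sits in a directory already known to be foreign. Adding more directories to `SUSPECT_DIRS` as the investigation turns them up is the intended workflow.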

