RE: Windows 98 box is 'owned'

["Randy Williams" <randyw () techsource com>]

Greetings Darren,

This is a common problem to say the least; there are a couple of things that
you could do that could help out your Mother.

1)  Complete re-install of the OS with the addition of both a software
firewall (ZoneAlarm) and a Hardware Firewall (Linksys, Dlink, etc).

2)  Clean the system with Adaware, Spybot - Search & Destroy, the A/V of
your choice, fully patch the OS, install a good software firewall, and spend
some time showing your Mom some basic computing tips.  Then, if that fails,
install the hardware firewall for her and see how it goes.

Without constant monitoring though, the PC WILL become infected again, it's
just a matter of time.

RandyW

-----Original Message-----
From: Darren Kirby [mailto:bulliver () badcomputer no-ip com]
Sent: Wednesday, September 29, 2004 11:04 PM
To: security-basics () securityfocus com
Subject: Windows 98 box is 'owned'

Hello all,

I am writing this on behalf of my Mom. She was complaining that her computer

was sluggish, and that her HD space was getting used up faster than it
should. So I went over and fired up my trusty Linux live cd and had a look.

Anyway, I found a directory right in C: named 'Downloads', and inside were
about 50 or so files, which were all warez, porn, windows exploits and
cracker 'howto's. Quite obviously this computer is owned, and is being used
as a warez server. I deleted the files, booted win, but they reappeared
after
about 10 minutes. The strange thing is that these files are ALL 29k, and all

have filenames like:

Adobe Photoshop crack.exe
Smashing the Stack.txt.exe
Eminem - full album.mp3.exe
Office 2003 full.exe
...
On further inspection I found an identical directory at
C:/windows/Downloaded
Program Files/. God only knows how many trojans and other nasties are
sprinkled around...

So I yanked the power cord out of her adsl modem, and told her not to plug
it
back in unless she was checking her mail. Bad advice for sure, but try
telling your mom that her computer is rooted by punk kids and it is too
cracked to have safe internet access at all. Seems that a complete OS
reinstall is in order, but it seems to me that if they can own her box once
they can own it again just as easy, which leads me to this list...I would
like to try some investigating, and try to figure out where the backdoor is,

what exactly they are doing...and of course how to prevent it.

Some background on myself...I am a Linux sysadmin, and have a great deal of
experience with UNIX operating systems...however, I have never run a windows

box, and have only used one in the 'point-and-drool' sort of way. So I
really
know nothing of how the underlying OS works (or doesn't...).

So I guess I am just asking for some opinions of the situation, and perhaps
some links to docs about this type of attack, and how to prevent it. Also,
any software along the lines of chkrootkit or other forensic tools, but for
windows would be a big help.

TIA
-d
--
Part of the problem since 1976
http://badcomputer.no-ip.com
Get my public key from
http://keyserver.linux.it/pks/lookup?op=index&search=bulliver
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972