Re: Windows 98 box is 'owned'

[GuidoZ <uberguidoz () gmail com>]

> For forensic tools, I would look at Sysinternals' (http://www.sysinternals.com/ntw2k/utilities.shtml) "RegMon", and 
> FileMon.

Just a quick note - the link Paul gave was for the Windows NT/2000/XP
tools. Being you're running Windows 98, try here instead:
http://www.sysinternals.com/win9x/98utilities.shtml

I would also like to touch on McAfee. I'm not a big fan of it at
all... after running a repair shop for 4 years and seeing the amount
of software conflicts it caused, I cringe when I see it on a machine.
Norton is better, though all the above are resource hogs and leave a
large footprint on the machine. Check out the free version of AVG if
you're just looking for minimal protection, or try NOD32 for those who
could use something like Norton/McAfee.

As for firewall, ZoneAlarm isn't bad at all. It's free and doesn the
job pretty well. Another nice one is Kerio which also has a free
version available. My personal fav is Sygate, although it isn't free
(beyond a trial).

--
Peace. ~G


On Thu, 30 Sep 2004 19:35:11 -0400, Paul Kurczaba <paul () myipis com> wrote:
> We had a client who had a similiar issue. We ran McAfee's stand-alone tool "Stinger", and found that the files "Adobe 
> Photoshop crack.exe", "Smashing the Stack.txt.exe", and similair were copies of a virus/worm running on the system. 
> Stinger was able to remove the virus. Your Mom's computer was probably running slow because it was sending out a 
> million copies of the virus.
>
> The following is a link to McAfee's Stinger tool: http://vil.nai.com/vil/stinger/. Note that Stinger is not a full 
> anti-virus scanner. It just identifies and removes the real nasty and high volume worms/viruses. For complete, 
> "on-access" protection, I recommend McAfee/Network Associates' VirusScan Enterprise. The copies of McAfee VirusScan 
> that you would buy at CompUSA or Best Buy, require you to pay a $20 yearly subscription fee. The Enterprise version 
> of VirusScan, available at www.nai.com, comes with an optional perpetutal subscription, which lasts forever :)
>
> For forensic tools, I would look at Sysinternals' (http://www.sysinternals.com/ntw2k/utilities.shtml) "RegMon", and 
> FileMon.
>
> I would also install ZoneLabs ZoneAlarm firewall (www.zonelabs.com).
>
> -Paul
>
>
>
> ----- Original Message -----
> From: Darren Kirby <bulliver () badcomputer no-ip com>
> To: security-basics () securityfocus com
> Sent: Wed, 29 Sep 2004 23:03:49 -0400
> Subject: Windows 98 box is 'owned'
>
> > Hello all,
> >
> > I am writing this on behalf of my Mom. She was complaining that her computer
> > was sluggish, and that her HD space was getting used up faster than it
> > should. So I went over and fired up my trusty Linux live cd and had a look.
> >
> > Anyway, I found a directory right in C: named 'Downloads', and inside were
> > about 50 or so files, which were all warez, porn, windows exploits and
> > cracker 'howto's. Quite obviously this computer is owned, and is being used
> > as a warez server. I deleted the files, booted win, but they reappeared after
> > about 10 minutes. The strange thing is that these files are ALL 29k, and all
> > have filenames like:
> >
> > Adobe Photoshop crack.exe
> > Smashing the Stack.txt.exe
> > Eminem - full album.mp3.exe
> > Office 2003 full.exe
> > ...
> > On further inspection I found an identical directory at C:/windows/Downloaded
> > Program Files/. God only knows how many trojans and other nasties are
> > sprinkled around...
> >
> > So I yanked the power cord out of her adsl modem, and told her not to plug it
> > back in unless she was checking her mail. Bad advice for sure, but try
> > telling your mom that her computer is rooted by punk kids and it is too
> > cracked to have safe internet access at all. Seems that a complete OS
> > reinstall is in order, but it seems to me that if they can own her box once
> > they can own it again just as easy, which leads me to this list...I would
> > like to try some investigating, and try to figure out where the backdoor is,
> > what exactly they are doing...and of course how to prevent it.
> >
> > Some background on myself...I am a Linux sysadmin, and have a great deal of
> > experience with UNIX operating systems...however, I have never run a windows
> > box, and have only used one in the 'point-and-drool' sort of way. So I really
> > know nothing of how the underlying OS works (or doesn't...).
> >
> > So I guess I am just asking for some opinions of the situation, and perhaps
> > some links to docs about this type of attack, and how to prevent it. Also,
> > any software along the lines of chkrootkit or other forensic tools, but for
> > windows would be a big help.
> >
> > TIA
> > -d
> > --
> > Part of the problem since 1976
> > http://badcomputer.no-ip.com
> > Get my public key from
> > http://keyserver.linux.it/pks/lookup?op=index&search=bulliver
> > "...the number of UNIX installations has grown to 10, with more expected..."
> > - Dennis Ritchie and Ken Thompson, June 1972