Security Experts – how do I hack the hacker?

Discussion in 'Computers' started by Mary M S, Apr 6, 2005.

  1. Mary M S

    Mary M S Screenwriter

    I have a hacker. I also have XP Home (on this computer), Norton's AV 2002, all MS security patches up to a month ago (except for SP2), which the hacker loaded for me... thanks dude (guess he felt I needed it). I run Ad-Aware and recently SpyBot S&D.

    I have the XP firewall on, and the Norton's FW.

    Any suggested reading, regarding how to [become] a hacker? I assume that that level of expertise is what I need to be able to ever effectively, combat all the repeated intrusions.
     
  2. Kimmo Jaskari

    Kimmo Jaskari Screenwriter

    If you have an intruder in your system already, you pretty much should immediately physically sever the Internet connection by unplugging your machine from the Net, then reformat your hard drive completely and reinstall Windows from scratch.

    Nothing short of that will give you a sporting chance of getting rid of the infestation permanently. With the rootkits etc out there, your machine can look perfectly clean even to an expert while still having any amount of nasty critters in it.

    After reinstallation, you somehow need to patch your machine with SP2 before you ever reconnect your Internet connection. Get it on CD. You can order it from Microsoft but that will take weeks; an easier way is to have a friend download it from Microsoft and burn it onto a CD for you.

    Once you get that done, you can (after activating the firewall in XP!) connect your computer to the Net again and go to windowsupdate to grab the remaining patches and then install whatever software you want - all from CD's or by re-downloading it.

    Under no circumstances preserve any program files from the old install; basically, your computer should be considered a plague carrier and be handled with tongs while wearing gloves...

    If you have old data you must save from the machine (mp3's, word- or other office documents, etc) you have to carefully do that without ever booting the computer from the installed XP. One way to do that might be to get your service-pack-cd-burning friend to burn another CD, this one with a "Linux Live CD", a Linux CD you can boot from and run without installing anything on the hard drive. Here's a list... Knoppix is probably the most well-known variant:

    http://www.frozentech.com/content/livecd.php

    A Knoppix live CD will give you a graphical user interface that should be fairly easily navigated and allow you copy data off the machine, either via floppy disks or by connecting the computer to another computer via a local area network.

    Lots of work; not easy to do for anyone who isn't very comfortable around computers... you may in fact want to find an expert to help you out.

    On the opposite side of the equation... all that is required to breach virtually any Windows installation out there is that the user runs just one downloaded program with a trojan attached to it. After that, the machine can be wide open and ripe for the taking regardless of firewalls, anti-virus products etc. Ick.

    Good luck with your uninvited guest.
     
  3. Greg*go

    Greg*go Supporting Actor

    What makes you think you have been hacked? Just the fact that you now have SP2? It seems weird that a hacker would install a security update for you. BTW, by not having SP2 installed, you have not been able to download most of the other Microsoft updates that came after SP2, which require you to have that update installed first.


    Kimmo gave great instructions on the best way to get rid of a hacker. I only have 1 other suggestion. If you have a router, I would go into the router settings, and disconnect, then reestablish an internet connection, which should change your IP address.
     
  4. KenLeBlanc

    KenLeBlanc Stunt Coordinator

    And if you don't have a router and you're worried about hackers... get one! You can get one cheap these days. Linksys and D-Link make good ones. You can even get a wireless router and tinker with that if you're interested. A little more complicated to lock down, but not too bad. You can lock it down so that only the computers you want can access the internet (MAC filter), or you can use the WEP encryption.

    Good luck.
     
  5. Mary M S

    Mary M S Screenwriter

    just one downloaded program with a trojan attached to it.

    This has recently come to my attention... via some surfing, that all AV programs appear to be weak at preventing Trojans. Any recommendations for a program geared towards this breach?

    I will print your instructions, gather up (again), wipe old computers, purchase a new one to start back with, et al., before I take myself off-line and computerless. Since I did have all but SP2 up and running, I wanted a tutorial on how to keep this from happening again. I am getting so frustrated with the intrusions, both innocuous and nefarious, that I am about determined to spend the rest of my life learning how to hack... so that I can see them coming.

    What makes you think you have been hacked

    I have become highly suspicious of all files on my computer, having had various problems (one of my own creation) in the last years. If I see anything I don't understand I go digging; I still don't understand it (when I dig), and often many files which worry me, appearing odd looking/acting, seem to be tied to bundled legitimate services/programs (sometimes I delete them, then find I need them back).

    I don't remember what clued me to dig this last week, something... just had that feeling. I went into my Norton's 2002 to see if I had a function to close all ports other than 80, and whatever others I could try to document as ports commonly used for legitimate traffic. All I found was the ability to "monitor" ports, with a slim list included by default in Norton's. From here I attempted to understand/interpret the "status" screen on Norton's FW. I suddenly realized that the reason most of the information did not make any sense (to me... illiterate computer user) was that the columns were closed down so narrow I was only seeing the first couple of letters of any info in any column. Clicking left/right didn't seem to enable any properties that made sense... it only allowed (in one screen) a right click (terminate this connection?). I hit yes... it told me I was not allowed to terminate the connection. From here I stumbled upon opening up the column width, which, as I asked to terminate each connection in one monitoring screen, gave me a port #. I wrote them down and added them to Norton's monitor list. Suddenly after this action, I see traffic logged I had never seen, local host to local host, which also looked suspicious. I in turn wrote down more ports, accessed via the new log I was seeing, and added them into the Norton's list. I then began to see log activity with unrecognized URL addresses. I typed the addresses into Google to see what sites had been visited, and found someone has been surfing countless sites I have never browsed.

    Mainly computer related sites, examples: The Wisconsin Correspondence School for computing courses, etc., and many, many of like ilk. He has been several times to legitimate MS download sites for ActiveX script and web server control downloads.

    I picture my little buddy….you hoopla headed, and ****sucking son of a @#$#* (amazing my vocabulary increase watching “Deadwood”), as male, young, and mainly using my system for some free DSL surfing time.

    As I looked around when realizing this startling turn of events, in add/remove programs this ummmm person of interest (to me) has seemingly adjusted my system to his personal preferences. I did not download SP2, yet I have new hot fixes listed with an SP2 extension. My firewalls had been turned off, etc...
    I also had Norton's "Ghost" appearing, which is not in this Norton's suite. Trying to track the ports talking, where I surf seems to be mirrored in bytes sent/received to the range of #3000 ports he is using heavily.

    Since he can see me….
    Dear Sir,

    “Like anyone would be
    I am flattered by your fascination with me (or my DSL)

    Must be strangely exciting
    To watch the stoic squirm,
    [but I hope its somewhat disappointing]
    to watch Shepard meet Shepard.

    Because you, you’re not allowed.
    your uninvited"

    your hours are numbered, if I have any choice in the matter.
    I am pulling bios batteries and all………


    ...before I pull the plug on myself, any recommended reading on this topic? The normal, average range of safeguards has failed (or I have, in their setup).

    I have a router... my husband assures me (he's the hardware guy) it should have a built-in firewall. I'm more the software side of the team (barely), without understanding it. God... more to learn... and so little time......
     
  6. Greg*go

    Greg*go Supporting Actor

    Mary, do you have a router? If so, is it wireless? If not then this statement:


    Could not be true unless he has his own DSL connection. In other words, if he's hacking your system from his dial-up PC, then his internet connection is still only dial-up speed. So if he has DSL or cable, he wouldn't be using your connection for the free DSL connection; he/she would be using it for malicious reasons. It's weird that he appears to be doing regular surfing after hacking you. Maybe he just wanted to see if he could do it. Are you the only one that has access to your PC?


    And since you have SP2 installed right now, you might as well download the Microsoft® Windows AntiSpyware (Beta) (SP2 is required for you to use it). It has found trojans on 2 of my friends' PCs, one of them having Norton Corporate already installed.
     
  7. Greg*go

    Greg*go Supporting Actor

    And I know this isn't related to your circumstance, but I just read this at /. ...

    On Tuesday, April 12, Microsoft will turn off the blocking feature that has made it possible for some enterprises to block Windows XP Service Pack 2 downloads by employees who use Automatic Update.

    Isn't that interesting?
     
  8. Kimmo Jaskari

    Kimmo Jaskari Screenwriter

    Disconnecting a router/firewall and then reconnecting it may indeed give you a new IP address if your ISP is serving them out via DHCP, but that won't help much against a trojan that "calls home" if it has already installed itself. That is how you can bypass firewalls; you have a program that the user runs and that installs itself and calls out through the firewall rather than opening up access from the outside in. A router can help with blocking a direct attack launched from the outside, but it isn't a "silver bullet"; it does little to prevent really sneaky attacks.

    The fact is, unfortunately, that on today's Internet it is way too easy to get infected and way too difficult to clean it up if you do. That's no reason to get too worked up about it, but a little vigilance goes a long way.

    The problem is more acute on Windows machines, not because Windows is necessarily substantially more buggy than, say, Linux but because Windows users often have full privileges on their computer. That is very rarely the case for people who run Linux, they only use full privileges when they need to... usually.
     
  9. SethH

    SethH Cinematographer

    I would suggest you search for, download, and run Hijack This. It's a program that removes rogue programs from your computer. Read up on the program before using it though, because if you delete some things that show up you could render your computer useless.

    The program produces a log file which you post to a forum at the website you download the program from. Users there will analyze your log for you.
     
  10. Christian Behrens

    Christian Behrens Supporting Actor

    If you want to find out how these nasty little things can infest your computer, read this:
    Follow the Bouncing Malware

    As usual, Internet Explorer is THE main culprit in letting uninvited guests on your system.

    It cannot be stressed enough, use something else for browsing, for example Firefox or Opera.

    -Christian
     
  11. Scott Merryfield

    Scott Merryfield Executive Producer

    Lots of great suggestions have been made. I will add another -- instead of using the built-in firewall within XP, use ZoneAlarm on your PC in conjunction with an external router/firewall. ZoneAlarm will alert you whenever a new application attempts to access the Internet and gives you the ability to allow or deny the attempt (either for that session or permanently). This will alert you to any unknown application running on your PC, and allow you to prevent it from "phoning home".
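    Kimmo's point above (a trojan "calls home" outward through the firewall) and Scott's description of ZoneAlarm prompting per application can be modelled in a few lines. The block below is an added example, not ZoneAlarm's code or anything posted in this thread; the connection events, program paths and the `cautious_user` answers are all constructed, and the 198.51.100.x address is a documentation range.

```python
"""Toy model of an application-aware outbound filter (the ZoneAlarm idea).

A connection attempt is judged by the *program* making it, not just the port,
and the user's answer can be remembered for the session or permanently.
All sample data is constructed for this illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Event:
    """One outbound connection attempt as a personal firewall sees it."""
    process: str   # path of the program opening the socket
    dest: str      # destination IP address
    port: int      # destination TCP port


@dataclass
class EgressPolicy:
    """Per-application verdicts with the two lifetimes the thread describes."""
    permanent: Dict[str, str] = field(default_factory=dict)
    session: Dict[str, str] = field(default_factory=dict)
    prompts: List[str] = field(default_factory=list)   # programs the user was asked about

    def decide(self, ev: Event, ask: Callable[[Event], Tuple[str, bool]]) -> Tuple[str, str]:
        """Return (verdict, reason); unknown programs trigger a user prompt."""
        if ev.process in self.permanent:
            return self.permanent[ev.process], "permanent rule"
        if ev.process in self.session:
            return self.session[ev.process], "session rule"
        verdict, remember = ask(ev)            # alert: new program wants the Internet
        self.prompts.append(ev.process)
        (self.permanent if remember else self.session)[ev.process] = verdict
        return verdict, "user prompt"

    def end_session(self) -> None:
        """Session-only answers are forgotten when the machine is restarted."""
        self.session.clear()


BROWSER = r"C:\Program Files\Internet Explorer\iexplore.exe"   # constructed
UNKNOWN = r"C:\WINDOWS\Temp\upd8r.exe"                          # constructed, hypothetical name


def cautious_user(ev: Event) -> Tuple[str, bool]:
    """Simulated owner: the browser is allowed for this session only; any
    program she does not recognise is denied permanently until looked up."""
    return (ALLOW, False) if ev.process == BROWSER else (DENY, True)


def run(events: List[Event], policy: EgressPolicy) -> List[Tuple[str, str, str]]:
    """Apply the policy to each event: (process, verdict, reason)."""
    return [(ev.process, *policy.decide(ev, cautious_user)) for ev in events]


# Constructed session: normal browsing, then a program the owner never installed
# trying to reach port 3128 on a remote host, twice.
SAMPLE_EVENTS = [
    Event(BROWSER, "207.46.196.10", 80),
    Event(UNKNOWN, "198.51.100.7", 3128),
    Event(UNKNOWN, "198.51.100.7", 3128),
]

if __name__ == "__main__":
    policy = EgressPolicy()
    for proc, verdict, why in run(SAMPLE_EVENTS, policy):
        print(f"{verdict:5} {why:15} {proc}")
```

    Note what the second run after `end_session()` shows: a new ISP-assigned address does nothing to the unknown program, which simply tries again and is stopped only because the owner's permanent deny rule is still there.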
     
  12. Vader

    Vader Supporting Actor

    I am by no means an expert, but the best $40.00 I ever spent on security software is BOClean (www.nsclean.com). It is a small, memory-resident program (tiny memory footprint) that does much more than a file scanner, like Norton. You can rename files to hide from a file scanner, but you cannot change your memory signature (kinda like "cyber-DNA"). Using known signatures, BOClean scans memory looking for something attempting to run. It then stops the trojan dead and removes it from your HD (no reboot required). Lifetime support and all upgrades are part of the original price, so none of this yearly subscription nonsense. Best of all, the support is phenomenal, and trojan signatures are updated at least every day (many times two or three times/day).... I don't think these people sleep!

    And, no.... I am not getting a commission; I just love sleeping well at night, and cannot recommend it high enough! I also use a third party virus scanner and firewall (nothing can catch everything, but this gives me several layers of defense). Good luck!
     
  13. Scott L

    Scott L Producer

    Am I the only one who doesn't think Mary was hacked? A hacker installing Windows updates and using the DSL connection??
     
  14. Kimmo Jaskari

    Kimmo Jaskari Screenwriter

    Could be either way, really. Impossible to tell based on what has been said so far.

    The concept of a "benevolent hacker" isn't impossible at all, in fact the word "hacker" is itself a positive thing... it's just been corrupted into meaning something else over time.

    Anyway, no harm in reinstalling the machine if the disruption isn't unacceptable.

    Found a new interesting program today, a beta admittedly, over at F-Secure. They call it Blacklight, and it is a program that detects so-called "rootkits", i.e. programs used to invisibly take control over a computer.

    Free download, if anyone wants to give it a whirl, here:

    http://www.f-secure.com/blacklight/try.shtml
     
  15. DaveF

    DaveF Moderator
    Moderator

    Are you sure it isn't a family member? Or a child's friend?

    As for unknown websites in your logs: would all the sites of advertisers in the sites you actively visit be logged? Just HTF pulls content from a myriad of sites, which would look odd in a logfile.
     
  16. Greg*go

    Greg*go Supporting Actor


    That is all exactly what I was thinking Dave.

    Mary, just don't reformat your PC unless you either do it regularly (I have a habit of doing it at least once a year) or you are 100% sure an unwanted intruder is accessing your PC and isn't doing so via your own keyboard and mouse!
     
  17. Mary M S

    Mary M S Screenwriter

    You guys (I am sure) know more than me; something even weirder crossed my mind, which I dropped as unlikely/impossible.

    I just endured a huge battle with SBC over my DSL, when they fraudulently migrated my grandfathered account into Yahoo. During this time (3 weeks) they became insistent (using different reasons, and over the weeks becoming so aggressive it became bizarre) that they had to have my personal password on the account. I consistently refused, stating I assume as the account provider they had access to it through in-house channels if they needed it. One of the issues they stated they could not resolve without me turning over my password was to get the Yahoo web site to recognize my account and let me change my password to "my choice". Via the new Yahoo server, I was not allowed to change my password via the web; I could only access a phone line request which changed the password for me, assigning me one by computer, which process I did not want to use. When the issue first came up, Level 2 techs stated the Yahoo server was seeing me as dialup?!!! This they would and could fix within 24 hrs. Then the higher levels, who stated they were working on revoking the migration, having had no luck getting my password out of me (for other reasons), stated they will not fix the password issue unless you submit your password. During this period at times various SBC departments were calling me 3 times a day. I started watching my password closely, and had quit using my DSL line (which they knew). One night I checked it and my password had been changed!! (I did not change it.) My only option without letting them know the change verbally was to call the computer-assigned password system, which I did. I called a tech, asked him to check my account, and the password change was not logged in the system (all my password changes via phone help, computer assigned, would be).

    The tech told me no record of a change (the night my account would not recognize me) and that it was illegal for SBC to do so?!!!

    Whatever all this means, someone changed the password, and no one at SBC would admit to doing so. But it was not ME.

    Now: one, I had SBC really riled up (this made me paranoid); 2, with what I have found now, if I was hacked before the "war", could my DSL???? be tied to dialup via the hacker? Thus the Yahoo server's issues with "seeing" my DSL account as dialup??

    Really paranoid (I admit it), I have been trying to up to the highest levels my FW's notifications, warnings, etc., from average to high settings, everything I could think of while still currently using SBC (for a little while longer). Meantime, after raising these levels, strange things caught my attention, which caused me to attempt to research if I could close ports. I was looking for a range parameter where I could close them all, figure out (besides 80) which I might need, and only allow those. When I added the ports I saw the strange logs for to Norton's "monitor/apply rules... to listed ports"

    That's when I came up with the web addresses; they are logged during the same times I am online. I thought about the point mentioned. Could be I'm uncovering advertisers tied to sites I have visited. For a second I thought yes, because one site popping up is "Vibrant Media", a site I associate with spyware; many are computer (courses/training) sites. But here is a tiny sample list, of 3 pages' worth I checked out, logged all on one day. These just don't seem to match a log of all background activities occurring via advertisers tied to legitimate sites. I will put spaces after the periods; I don't want a link created.

    The prime example would be a family called "The Cheramie Family" who have a son listed at their personal web page (Hi Daniel, if it's you!) with his own computer tab.
    24. 93. 164. 234

    A site that looks like someone is trying to test setting up web pages, it says “Hello World” on a blank screen: 209. 120. 239. 59 and
    65. 110. 40. 130

    Lots of Photobucket visits: 38. 116. 157. 132

    Computer schools like: 128. 104. 22. 48

    Several sites I am not ‘authorized’ to enter.
    One address was a server at usbansrvst Port 80. address: 66. 150. 87. 2
    Example of one of the Microsoft sites visited, which I have never browsed:
    207. 46. 196. 10

    What do you think?
    Sorry, not editing too much; the Transparent Proxy Server error keeps popping up on my screen since I monitored these ports..... that alone cannot be lived with... makes it impossible to type, edit, etc.
    Regarding: Are you sure it isn't a family member? Or a child's friend? Absolutely not, although others have light access occasionally here. I am tracking this while I am home alone.
    I would still be blissfully unaware if I had not upped my firewall to notify on everything. I noticed some odd things and started monitoring ports. My surf speed had not changed, popups had not increased, etc. Since adding these ports (with the activity) to be monitored, I see the traffic, and now have the Transparent Proxy Server error screen loading every few seconds. Since then I have found files added, Ghost etc. (I DO NOT OWN). By the way, Ghost did not show up in my file search prior to monitoring these ports and deleting a couple of files I was sure were not mine. I just don't have the expertise to trace the computer, or find all the root locations.
     
