XP PRO Hack Attack--How?

This is probably not the correct newsgroup, but I'll take a chance. I left one of my computers in the DMZ the other day accidentally. I use a Linksys router connected to a cable modem. The Linksys is set up for home use, and has 3 computers and a printer connected to it. Somehow, a hacker disabled my AntiVir AV software on the PC that was in the DMZ, set up a rule in Zone Alarm to allow rogue lsass.exe and svchost.exe programs full access to everything, created a folder called C:\RECYCLED, and ran a script to set up Serv-U FTP Server listening on ports 444 and 43958. There is an entry in the Serv-U ini file called [USER=wonderland|1]. I had just happened to waltz into the computer room and saw a DOS box executing scripts and thought, 'that can't be right'. So I immediately unplugged the PC from the network and started doing some digging. The above is what I found. My question is, how in the world did someone find me on the Internet and get all that accomplished?

After backing up my hard drive to an image file and later scrubbing the suspected Trojan, I took the RECYCLED folder from my backed up image and copied it to a VMWARE image to see what it did, and to see if the hacker would come back. I put the VMWARE machine's IP address in the DMZ. The virus program ran a setup batch file, then an info program that somehow scanned the local hard drives on the host pc and reported their size and free space in a text file in C:\RECYCLED on the VMWARE machine. That concerned me as the VMWARE machine was bridging into my actual PC. So, not knowing what I was doing, I shut it all down, deleted the VMWARE image, and disabled the DMZ and all port forwarding on my router. I don't have any of my hard drives shared, other than the Admin shares XP creates which I know little about and really don't understand how to get rid of. There are only two user accounts, both have administrator rights and unique passwords. The guest account is disabled. I would like to hear explanations on how all that stuff happened, and with the router back in action, whether or not anyone thinks it can happen again. Thanks!

RD

Reply to
RD

On Tue, 11 Dec 2007 09:25:35 -0500, RD wrote:

It is.

Accidentally..? hm... You played along a little, didn't you? ;-)

I don't believe there was a physical human behind the attack, most certainly a program that was doing what was necessary to get your PC into some sort of botnet (spam is probably the game here).

Yes it can happen again. Don't put a machine in the DMZ without a proper firewall that can lock that machine down to a minimum of services, and don't run anything but whatever you absolutely need on a machine in the DMZ zone. My advice is that you flatten and rebuild that machine before you put it on your LAN again.

/Anders

Reply to
anders

They have scanning programs to scan IP(s) to check for O/S fingerprints and a vulnerable computer. They found your computer and took it over in the DMZ. If the computer is sitting in the DMZ and not locked down or hardened against attack, like running with an Admin account, Windows File and Print Sharing ports enabled, which the F&PS ports were most likely open on ZA too, then the machine can be attacked. They most likely planted a remote control program on the computer to take control of it.

Keep the computer out of the DMZ.

Harden the O/S to attack as much as possible.

And sure it can happen again if safe hex computing practices are not implemented, with happy fingers clicking on everything under the Sun.


Reply to
Mr. Arnold

A little more digging reveals that the software that was placed on the machine was indeed an FTP server. The lsass.exe and svchost.exe were renamed program files for Serv-U. Apparently, ZA doesn't check file integrity in its automatic rule setup, just the filename? At any rate, the Trojan (BDS/Iroffer.13b9.1 according to AntiVir) apparently sets up this server for others to use as a repository to upload and download files from the Net. This is the most clever thing I have ever seen, and I would really like to know if anyone can explain in detail how it was deployed on my machine. I cannot understand how it passed through ZA to begin with. The only thing I can tie it to is my leaving the machine in the DMZ, and possibly a site for an online Taipei game that a member of my family visited. The new Windows Live Messenger might also be suspect as that whole program looks like a security breach.

RD

Reply to
RD
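RD's observation above is that the firewall keyed its rule on the file name alone, so a Serv-U binary renamed to lsass.exe or svchost.exe inherited the trust of the real system processes. The check that was missing is to bind identity to something an attacker cannot change by renaming: the on-disk location, the parent process that is allowed to start it, and the image hash. The following is an added example, not code from the thread or from any of the products named in it; the process list, the System32 path convention, and the allowlist hashes are constructed for illustration (on XP the real lsass.exe is started by winlogon.exe, on later Windows by wininit.exe, and every real svchost.exe is started by services.exe).

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    """One running process as an inventory tool might report it."""
    pid: int
    name: str
    path: str      # full path of the image on disk
    parent: str    # image name of the parent process
    sha256: str    # hex digest of the image file


# The only folder the genuine binaries may run from (lower-cased for comparison).
SYSTEM32 = r"c:\windows\system32"

# Per-name rules: which parents may start the process and how many copies may exist.
EXPECTED = {
    "lsass.exe":   {"parents": {"winlogon.exe", "wininit.exe"}, "max_instances": 1},
    "svchost.exe": {"parents": {"services.exe"}, "max_instances": None},
}

# Constructed allowlist: placeholder digests standing in for the hashes of the
# genuine XP binaries. A real deployment would take these from a known-clean install.
KNOWN_GOOD = {
    "lsass.exe":   {"a" * 64},
    "svchost.exe": {"b" * 64},
}

# Constructed process list modelled on the incident: two genuine system processes
# and two renamed copies of an FTP server running out of C:\RECYCLED.
SAMPLE_PROCS = [
    Proc(500,  "lsass.exe",   r"C:\WINDOWS\system32\lsass.exe",   "winlogon.exe", "a" * 64),
    Proc(900,  "svchost.exe", r"C:\WINDOWS\system32\svchost.exe", "services.exe", "b" * 64),
    Proc(1234, "lsass.exe",   r"C:\RECYCLED\lsass.exe",           "cmd.exe",      "c" * 64),
    Proc(1240, "svchost.exe", r"C:\RECYCLED\svchost.exe",         "cmd.exe",      "c" * 64),
]


def check_process(p: Proc, known_good: dict[str, set[str]]) -> list[str]:
    """Return findings for one process; empty list means it passes all three checks."""
    name = p.name.lower()
    rule = EXPECTED.get(name)
    if rule is None:
        return []  # not a name we impersonation-check
    findings = []
    folder, _, _ = p.path.lower().rpartition("\\")
    if folder != SYSTEM32:
        findings.append(f"{name} pid {p.pid} runs from {p.path!r}, not from System32")
    if p.parent.lower() not in rule["parents"]:
        findings.append(f"{name} pid {p.pid} started by {p.parent}, "
                        f"expected one of {sorted(rule['parents'])}")
    if p.sha256 not in known_good.get(name, set()):
        findings.append(f"{name} pid {p.pid} image hash {p.sha256[:12]}... not in allowlist")
    return findings


def audit(procs: list[Proc], known_good: dict[str, set[str]]) -> list[str]:
    """Run the per-process checks plus the instance-count check over a whole list."""
    findings = []
    for p in procs:
        findings.extend(check_process(p, known_good))
    counts = Counter(p.name.lower() for p in procs)
    for name, rule in EXPECTED.items():
        limit = rule["max_instances"]
        if limit is not None and counts.get(name, 0) > limit:
            findings.append(f"{counts[name]} instances of {name} (expected at most {limit})")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_PROCS, KNOWN_GOOD):
        print(line)
```

Run against the constructed list, the two genuine processes produce no findings, while each renamed copy is flagged three times (wrong folder, wrong parent, unknown hash) and the second lsass.exe also trips the single-instance rule. Any one of those signals is enough to refuse the firewall rule that a name-only check would have granted.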

As you already wrote: You have installed ZoneAlarm. It's trivial to exploit one of the many known unpatched vulnerabilities.

Why would you care? After all, you did this fully intentionally.

Reply to
Sebastian G.

You're a hard, unsympathetic man, Seb!

Jim Ford

Reply to
Jim Ford

On Tue, 11 Dec 2007 11:49:18 -0500, RD wrote:

[snip]

On the link, under "2. Common Backdoor Programs Hackers And Pranksters Use", there is a little info on what kind of programs can be used to create a backdoor to a PC.

It is normal to install some sort of FTP and later on use it for up/downloading files. The backdoor makes it possible to install anything necessary, including the phone home function, so they don't have to care if there is a firewall or not. The cracker is mostly not interested in what you have on the computer; he/she is more interested in using your computer's capacity. Some are into creating a machine that sends out spam (spam bot), others aim to use your HD to hide illegal files (pornographic pictures of children) and so on. It's normal to install some program that can, and will, try to find other computers in the 'neighborhood', e.g., in your case the other two PCs on your LAN. If you know what has been installed and changed then you can remove and clean up the PC, but for you to be sure you can trust that PC in the future, flatten and rebuild is the only thing to do.

Mr. Arnold has provided you with some links; they are probably informative (I don't know, haven't checked them out).

/Anders

Reply to
anders

To put it in context, the 'whether or not anyone thinks it can happen again.' was preceded by '...with the router back in action..' meaning with DMZ disabled in the router. FWIW, the reason I put the PC into the DMZ was to make all the functions of Netmeeting work properly to help a friend troubleshoot his computer. I find port forwarding for Netmeeting a PITA. And I think it is obvious that leaving the PC in the DMZ was my mistake. I'm not sure where you were driving to with your reply. I didn't pick up anything useful from it.

Reply to
RD

And why should this make a difference? A router is not a security measure, and aside from triggering connections client-side, many NAT implementations can also be triggered to forward data packets solely from the outside.

Reply to
Sebastian G.

That's your problem right there: you had to put the computer into the so-called DMZ on the router in order to get Netmeeting to work, which I'll assume you were doing the video stuff with Netmeeting. Netmeeting uses some kind of protocol that uses the high ports on the router, ports > 1023. There are routers that work with that protocol and Netmeeting so that one doesn't have to put the computer into the DMZ to use Netmeeting. I don't know the protocol name or which routers work with Netmeeting. You'll have to do your research.

Reply to
Mr. Arnold

No. It was not a mistake to leave the PC in the DMZ. It was a mistake to put it into the DMZ in the beginning. That's the real problem. Why do you believe the problem would only occur if you did this a certain amount of limited time? Your public IP address is scanned frequently, randomly all the time. The very moment you have put the computer into the DMZ you were vulnerable. It may well be that the infection happened right that moment. Don't play statistics and say I am more secure if I put the computer into the DMZ for an hour only instead of putting it into the DMZ for 5 hours.

Never put a computer into a DMZ which is not fully secured.

It is kind of like those people with computers directly on the internet who turn off their firewall as the first troubleshooting step for any kind of internet/networking related issue. If you did not shut down all the network services on the computer you are vulnerable even if the firewall is only down for 5 minutes. But at the rate IP addresses are scanned nowadays, 5 minutes or even 1 minute can be enough...

Open a command prompt window on a computer of yours. Enter "netstat -an". Look at all the TCP lines in "LISTENING" and all the UDP lines. All those lines are open ports, i.e. services running behind them. A few of them are only bound to 127.0.0.1, which is not accessible except from the computer itself. The rest is open to the internet unless otherwise firewalled. If you like, post the full netstat output.

Gerald

Reply to
Gerald Vogt

The protocol is H.32x, a well standardized ITU-T protocol family.

Reply to
Sebastian G.

I would assume that the machine has been completely compromised and would plan on doing a complete clean rebuild. More than likely your machine was compromised with a known/unknown Windows vulnerability, which gave the attacker full system privileges. Shutting down antivirus/firewalls is trivial with full system access. Normally a simple 'net stop' command will disable both. The attacker then most likely installed backdoors/Serv-U at this stage. He/She also probably dumped and cracked your Windows passwords, again not difficult to do. A good tip is to ensure Windows passwords are a minimum of 15 letters. It is not safe to assume that an Antivirus will detect any of these backdoors, and you're lucky it even detected the Serv-U. As stated previously, the hacker is most likely not interested in your personal files, but more interested in using your machine to:

(a) Send spam
(b) Scan for more vulnerable machines
(c) Host warez

Best of luck with your problem

Carmen

Reply to
carmen.dlf

Why bother guessing? He ran ZoneAlarm; this already gives a known vulnerable privileged service.

Reply to
Sebastian G.

Without knowledge of your setup it really is a game of guess work. Why is the only entry point the DMZ? Are you networked? What kind of software (besides Messenger) do you run that could be vulnerable to worms? What services do you have enabled? What kind of sites do you visit, what's your default browser? How updated is your OS? How is ZA configured, are there security advisories for ZA, is it UPNP compatible? Who else uses your computer and what is their knowledge of security? I could go on and on...

I didn't see a single piece of info addressing these points, so what you're going to get in response is a bunch of guesses. If you want to do investigative work on your PC, start off by looking at the compromised file's timestamp. It *may* offer some insight as to the time when you were breached and either corroborate your DMZ suspicion or point to something else you were doing at the time. My *guess* is that it hadn't anything to do with DMZ; striking an attack head-on against a firewall (ZA in your case) is harder to do and frankly there are so many other vulnerable components/computers that it's not worth the hacker's effort. He can do it through much easier means and there are easier targets.

But honestly, in the end you are not going to get any significant knowledge other than "anything can be breached". 0day threats are appearing all the time, some don't rely on ANY user intervention, rootkit technology is developing, hackers are diverting efforts to other components besides the OS (drivers, PDF and other multimedia files, and even security apps - YES!). Firewalls are far from being a panacea.

The single most important knowledge I would take from your incident is never to rely on ANY security setup. Firewalls, as many on this board will tell you, are not infallible and to some are even useless. The important thing is to practice safe hex, keep your security measures up to date and know that even though you do everything by the book you may still one day get infected. Which is why a good backup strategy should always be part of your security solution.

Reply to
Shark
