Security Basics: RE: Windows 98 box is 'owned'

["OTTO, DOUGLAS P." <douglas.otto () thermo com>]

There is a virus on the machine.  Just get an AV prograqm and run it on
the filesystem and marvel at the hundreds of infected files.  The virus
was an e-mail  virus. 

> -----Original Message-----
> From: Darren Kirby [mailto:bulliver () badcomputer no-ip com] 
> Sent: Wednesday, September 29, 2004 10:04 PM
> To: security-basics () securityfocus com
> Subject: Windows 98 box is 'owned'
>
>
> Hello all,
>
> I am writing this on behalf of my Mom. She was complaining 
> that her computer 
> was sluggish, and that her HD space was getting used up 
> faster than it 
> should. So I went over and fired up my trusty Linux live cd 
> and had a look.
>
> Anyway, I found a directory right in C: named 'Downloads', 
> and inside were 
> about 50 or so files, which were all warez, porn, windows 
> exploits and 
> cracker 'howto's. Quite obviously this computer is owned, and 
> is being used 
> as a warez server. I deleted the files, booted win, but they 
> reappeared after 
> about 10 minutes. The strange thing is that these files are 
> ALL 29k, and all 
> have filenames like:
>
> Adobe Photoshop crack.exe
> Smashing the Stack.txt.exe
> Eminem - full album.mp3.exe
> Office 2003 full.exe
> ...
> On further inspection I found an identical directory at 
> C:/windows/Downloaded 
> Program Files/. God only knows how many trojans and other nasties are 
> sprinkled around...
>
> So I yanked the power cord out of her adsl modem, and told 
> her not to plug it 
> back in unless she was checking her mail. Bad advice for 
> sure, but try 
> telling your mom that her computer is rooted by punk kids and 
> it is too 
> cracked to have safe internet access at all. Seems that a complete OS 
> reinstall is in order, but it seems to me that if they can 
> own her box once 
> they can own it again just as easy, which leads me to this 
> list...I would 
> like to try some investigating, and try to figure out where 
> the backdoor is, 
> what exactly they are doing...and of course how to prevent it.
>
> Some background on myself...I am a Linux sysadmin, and have a 
> great deal of 
> experience with UNIX operating systems...however, I have 
> never run a windows 
> box, and have only used one in the 'point-and-drool' sort of 
> way. So I really 
> know nothing of how the underlying OS works (or doesn't...). 
>
> So I guess I am just asking for some opinions of the 
> situation, and perhaps 
> some links to docs about this type of attack, and how to 
> prevent it. Also, 
> any software along the lines of chkrootkit or other forensic 
> tools, but for 
> windows would be a big help.
>
> TIA
> -d 
> -- 
> Part of the problem since 1976
> http://badcomputer.no-ip.com
> Get my public key from 
> http://keyserver.linux.it/pks/lookup?op=index&search=bulliver
> "...the number of UNIX installations has grown to 10, with 
> more expected..."
> - Dennis Ritchie and Ken Thompson, June 1972