Firewall Wizards: Re: Help, some one's hacked into my home computer

["Andrew Fessler" <Andrew () allegro net>]

Those files to my recollection are always there.

Do this.

Go to Run and run regedit

then go to
hkey_local_machine\software\microsoft\windows\currentversion\runservices

Look for an unusually listed program here. Default name for back
orfice is bo.exe. Although I highly doubt that it has that name here.
Then look in your windows\system directory for all of these files
listed, if your lucky, you will find one that doesnt have an ICON,
that typically is BO.

Also look for I think its call windll.dll in your windows system
directory. This is another sign of BO.

If you are running the MS PWS, disable Frontpage extensions. It is
too easy to  upload BO to the cgi-bin directory and then use a web
browser to call it which then installs the program since cgi-bin has
execute rights.

Andrew
Allegro



> > > Denise Lucas <denise_lucas () yahoo com> 5/13/99 11:51:27 PM >>>
i'm on a cable modem, i run back officer friendly,
stepped away from the desktop for a few hours, came
back and saw the alerts.  I've done a find on all the
files changed today and compared them with the times
that they were on.  I'm stumped on what to do next. 
This is happening right now, realtime.  Can anybody
please respond.
Machine is an AST Manhattan Commerce Pro
Pentium Pro running 
Windows 95

It looks like they ftp'd some files called
ffastun.ffl, ffastun0.ffx, ffastun.ffo, ffastun.ffa
and made some changes to system files.

Any suggestions, please, please call me.

Thanks,

Denise
===

When you have eliminated the impossible, whatever remains, however
improbable, must be the truth.

Sir Arthur Conan Doyle
_________________________________________________________
Do You Yahoo!?
Free instant messaging and more at http://messenger.yahoo.com