Security Basics mailing list archives
RE: Windows 98 box is 'owned'
From: "Ferruh Mavituna" <ferruh () mavituna com>
Date: Fri, 1 Oct 2004 06:55:24 +0300
Darren,

This should be some kind of P2P worm; I'm sure that the Windows box has some Kazaa version installed (or another similar client, probably a client for the FastTrack network). These worms propagate themselves via P2P networks. You may try the HouseCall online scan ( http://housecall.trendmicro.com/ ) to identify these files.

Best Regards;
Ferruh Mavituna
http://ferruh.mavituna.com
pgpkey : http://ferruh.mavituna.com/PGPKey.asc
-----Original Message-----
From: Darren Kirby [mailto:bulliver () badcomputer no-ip com]
Sent: Thursday, September 30, 2004 6:04 AM
To: security-basics () securityfocus com
Subject: Windows 98 box is 'owned'

Hello all,

I am writing this on behalf of my Mom. She was complaining that her computer was sluggish, and that her HD space was getting used up faster than it should. So I went over and fired up my trusty Linux live CD and had a look.

Anyway, I found a directory right in C: named 'Downloads', and inside were about 50 or so files, which were all warez, porn, Windows exploits and cracker 'howto's. Quite obviously this computer is owned, and is being used as a warez server. I deleted the files, booted Win, but they reappeared after about 10 minutes. The strange thing is that these files are ALL 29k, and all have filenames like:

Adobe Photoshop crack.exe
Smashing the Stack.txt.exe
Eminem - full album.mp3.exe
Office 2003 full.exe
...

On further inspection I found an identical directory at C:/windows/Downloaded Program Files/. God only knows how many trojans and other nasties are sprinkled around... So I yanked the power cord out of her ADSL modem, and told her not to plug it back in unless she was checking her mail. Bad advice for sure, but try telling your mom that her computer is rooted by punk kids and it is too cracked to have safe internet access at all.

Seems that a complete OS reinstall is in order, but it seems to me that if they can own her box once they can own it again just as easily, which leads me to this list... I would like to try some investigating, and try to figure out where the backdoor is, what exactly they are doing... and of course how to prevent it.

Some background on myself... I am a Linux sysadmin, and have a great deal of experience with UNIX operating systems... however, I have never run a Windows box, and have only used one in the 'point-and-drool' sort of way. So I really know nothing of how the underlying OS works (or doesn't...).

So I guess I am just asking for some opinions of the situation, and perhaps some links to docs about this type of attack, and how to prevent it. Also, any software along the lines of chkrootkit or other forensic tools, but for Windows, would be a big help.

TIA
-d
--
Part of the problem since 1976
http://badcomputer.no-ip.com
Get my public key from http://keyserver.linux.it/pks/lookup?op=index&search=bulliver
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
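The symptoms Darren describes (dozens of executables in a shared download folder, every one the same size, many with a harmless-looking inner extension such as .mp3.exe or .txt.exe) are exactly what a triage script can pick out from a live-CD mount of the disk. The following is an added example written for this archive page, not code from either poster or from any product named in the thread. It walks a directory tree, lists executables, groups them by exact byte size (copies of one dropper are byte-identical) and separately flags double-extension names. The extension lists, the 29 KiB size and the sample folder it builds are constructed assumptions for the demo; point `analyze()` at a real mount point to use it.

```python
"""Triage heuristic for P2P-worm bait files in a shared download folder.

Two signals, both taken from the thread's observations:
  1. many executables with exactly the same size (copies of one dropper);
  2. names with a deceptive inner extension ("... album.mp3.exe").
"""
import os
import tempfile
from collections import defaultdict

# Assumed lists: extensions that execute on Win9x, and "content" extensions
# typically used as bait in front of them. Extend as needed.
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat"}
BAIT_EXT = {".mp3", ".txt", ".zip", ".avi", ".jpg", ".doc", ".rar", ".mpg"}

WORM_SIZE = 29 * 1024  # constructed stand-in for the "all 29k" observation


def has_double_extension(name):
    """True for 'Smashing the Stack.txt.exe'-style names: an executable outer
    extension hiding a harmless-looking inner one."""
    base, outer = os.path.splitext(name)
    if outer.lower() not in EXEC_EXT:
        return False
    inner = os.path.splitext(base)[1]
    return inner.lower() in BAIT_EXT


def find_executables(root):
    """Walk root and return [(path, size)] for every executable file found."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXEC_EXT:
                path = os.path.join(dirpath, name)
                found.append((path, os.path.getsize(path)))
    return found


def analyze(root, min_cluster=3):
    """Summarise a tree: executable count, same-size clusters of at least
    min_cluster files (likely dropper copies) and double-extension names."""
    entries = find_executables(root)
    by_size = defaultdict(list)
    for path, size in entries:
        by_size[size].append(os.path.basename(path))
    clusters = {size: sorted(names) for size, names in by_size.items()
                if len(names) >= min_cluster}
    double_ext = sorted(os.path.basename(p) for p, _ in entries
                        if has_double_extension(os.path.basename(p)))
    return {"executables": len(entries), "clusters": clusters,
            "double_ext": double_ext}


def make_sample_dir():
    """Constructed sample tree modelled on the Downloads folder in the thread:
    four identical-size bait droppers plus two benign files."""
    root = tempfile.mkdtemp(prefix="downloads_")
    bait = ["Adobe Photoshop crack.exe", "Smashing the Stack.txt.exe",
            "Eminem - full album.mp3.exe", "Office 2003 full.exe"]
    for name in bait:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"MZ" + b"\0" * (WORM_SIZE - 2))  # fake PE of one size
    with open(os.path.join(root, "setup.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * 4094)  # a legitimate-looking, different size
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("not executable\n")
    return root


if __name__ == "__main__":
    report = analyze(make_sample_dir())
    print("executables:", report["executables"])
    for size, names in report["clusters"].items():
        print(f"{len(names)} executables share size {size} bytes:", names)
    print("double-extension names:", report["double_ext"])
```

Size clustering catches the two bait files that carry no inner extension ("Adobe Photoshop crack.exe", "Office 2003 full.exe") that a name check alone would miss; the name check in turn catches a lone sample before there are enough copies to cluster. Run it against the mounted Windows partition from the live CD, not from inside the infected OS, so the worm cannot hide or re-drop files while you look.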