Security Basics mailing list archives
Re: Windows 98 box is 'owned'
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Fri, 1 Oct 2004 02:03:52 +0200
On 2004-09-29 Darren Kirby wrote:
> Anyway, I found a directory right in C: named 'Downloads', and inside were about 50 or so files, which were all warez, porn, windows exploits and cracker 'howto's. Quite obviously this computer is owned, and is being used as a warez server. I deleted the files, booted win, but they reappeared after about 10 minutes. The strange thing is that these files are ALL 29k, and all have filenames like:
>
> Adobe Photoshop crack.exe
> Smashing the Stack.txt.exe
> Eminem - full album.mp3.exe
> Office 2003 full.exe

Probably some sort of virus.

> ... On further inspection I found an identical directory at C:/windows/Downloaded Program Files/. God only knows how many trojans and other nasties are sprinkled around...
>
> [...]
>
> Seems that a complete OS reinstall is in order,

Definitely yes.

> but it seems to me that if they can own her box once they can own it again just as easy, which leads me to this list...I would like to try some investigating, and try to figure out where the backdoor is, what exactly they are doing...
First you should take an image of the system (just in case). Is file and printer sharing installed and bound to the dialup adapter? That is one route the infection may have happened. Another possible route is using IE/OE for web/mail. However, since Windows 98 doesn't produce many logs, identifying the malware may be the most promising approach.

I would say a live analysis should be sufficient in your case. Use some sort of process viewer (like PrcView [1] or Process Explorer [2]) to find out what processes are currently running. The Task Manager won't suffice. Since you're familiar with Linux, the UnxUtils [3] may be useful as well. Use netstat or TCPView [4] to find out if there are unusual open ports. Use Silent Runners [5] or Sysinternals' autoruns [6] to take a look at what software is started automatically and from where.

Feed those files to a virus scanner with most recent signatures. The scan should *not* be run from the live system. Rather copy the files to another box and scan them on that box. Running strings [7] against the files may give some additional pointers.

HTH

[1] http://www.teamcti.com/pview/prcview.htm
[2] http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
[3] http://unxutils.sf.net/
[4] http://www.sysinternals.com/ntw2k/source/tcpview.shtml
[5] http://www.silentrunners.org/
[6] http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml
[7] http://www.sysinternals.com/ntw2k/source/misc.shtml#strings

Regards
Ansgar Wiechers
--
"Those who would give up liberty for a little temporary safety deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin
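The reply's last step is to copy the suspect files to a separate analysis box and look at them there with a scanner and strings. The script below is an added example of that offline triage, not code from the post or from any of the tools it links: it sizes and hashes the copied files (the post notes they were all the same size), flags the "album.mp3.exe" double-extension trick, checks for an MZ/PE header, and pulls printable ASCII and UTF-16LE strings the way a strings utility does. SAMPLE_FILES, the minimal PE skeleton and the strings inside it are constructed for the example and are not real malware; the filenames are borrowed from the post only as illustration.

```python
"""Offline triage of files copied off a suspected compromised Windows 98 box.

Added example, not code from the original post. Run it on the analysis
box against a directory of copied files; SAMPLE_FILES stands in for that
directory here and is entirely constructed.
"""
import hashlib
import re
import struct
from collections import defaultdict

EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "vbs", "lnk"}
DECOY_EXTS = {"mp3", "txt", "jpg", "doc", "zip", "avi", "pdf"}


def is_double_extension(name: str) -> bool:
    """True for 'Eminem - full album.mp3.exe' style names: a media or
    document extension immediately followed by an executable one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] in EXECUTABLE_EXTS and parts[1] in DECOY_EXTS


def has_pe_header(data: bytes) -> bool:
    """MZ stub plus a 'PE\\0\\0' signature at the offset held in e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable runs of at least min_len characters, ASCII and UTF-16LE."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def triage(files: dict) -> tuple:
    """files maps filename -> bytes. Returns (per-file report, groups of
    names whose contents are byte-identical)."""
    report = {}
    by_hash = defaultdict(list)
    for name, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        by_hash[digest].append(name)
        report[name] = {
            "size": len(data),
            "sha256": digest,
            "double_extension": is_double_extension(name),
            "pe": has_pe_header(data),
            "strings": extract_strings(data),
        }
    identical = [names for names in by_hash.values() if len(names) > 1]
    return report, identical


def _fake_pe(payload: bytes) -> bytes:
    """Minimal MZ/PE skeleton for the sample (constructed, not a real program)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> 'PE\0\0' right after the stub
    return bytes(hdr) + b"PE\0\0" + payload


# One constructed body under three names, mirroring the post's observation
# that every dropped file had the same size.
_BODY = _fake_pe(b"\x00\x00".join([
    b"\x00" * 8,
    b"C:\\Downloads\\",
    b"GET /Downloads/ HTTP/1.0",
    "WSOCK32.dll".encode("utf-16-le"),
    b"\x00" * 8,
]))

SAMPLE_FILES = {
    "Adobe Photoshop crack.exe": _BODY,
    "Eminem - full album.mp3.exe": _BODY,
    "Smashing the Stack.txt.exe": _BODY,
    "readme.txt": b"plain text file left for comparison\r\n",
}

if __name__ == "__main__":
    report, identical = triage(SAMPLE_FILES)
    for name, info in report.items():
        flags = [k for k in ("double_extension", "pe") if info[k]]
        print(f"{name}: {info['size']} bytes sha256={info['sha256'][:12]}.. {flags}")
        for s in info["strings"]:
            print("    ", s)
    print("identical contents:", identical)
```

Hash grouping is the cheap first cut: if fifty files collapse to one digest, there is one sample to scan and to pull strings from, and any path, URL or DLL name those strings reveal is the pointer the reply has in mind. The header check only says a file is a PE, not that it is malicious; the scanner on the separate box still does that part.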