Posted by RD on December 11, 2007, 11:49 am
> On Tue, 11 Dec 2007 09:25:35 -0500, RD wrote:
>
>> This is probably not the correct newsgroup, but I'll take a chance.
>
> It is.
>
>> I left one of my computers in the DMZ the other day accidentally.
>
> Accidentally..? hm... You played along a little, weren't you. ;-)
>
>> I use a Linksys router connected to a cablemodem. The Linksys is setup
>> for home use, and has 3 computers and a printer connected to it. Somehow, a
>> hacker disabled my AntiVir AV software on the PC that was in the DMZ,
>> setup a rule in Zone Alarm to allow rogue lsass.exe and svchost.exe
>> programs full access to everything, created a folder called C:\RECYCLED,
>> and ran a script to set up Serv-U FTP Server listening on port 444 and
>> 43958. There is an entry in the Serv-U ini file called
>> [USER=wonderland|1]. I had just happened to waltz into the computer room
>> and saw a DOS box executing scripts and thought, 'that can't be right'.
>> So I immediately unplugged the PC from the network and started doing
>> some digging. The above is what I found. My question is, how in the
>> world did someone find me on the Internet and get all that accomplished?
>
> I don't believe there was a physical human behind the attack, most
> certainly a program that was doing what was necessary to get your PC
> into some sort of a botnet (spam is probably the game here).
>
>> After backing up my hard drive to an image file and later scrubbing the
>> suspected Trojan, I took the RECYCLED folder from my backed up image and
>> copied it to a VMWARE image to see what it did, and to see if the hacker
>> would come back. I put the VMWARE machine's IP address in the DMZ. The
>> virus program ran a setup batch file, then an info program that somehow
>> scanned the local hard drives on the host pc and reported their size and
>> free space in a text file in C:\RECYCLED on the VMWARE machine. That
>> concerned me as the VMWARE machine was bridging into my actual PC. So,
>> not knowing what I was doing, I shut it all down, deleted the VMWARE
>> image, and disabled the DMZ and all port forwarding on my router. I
>> don't have any of my hard drives shared, other than the Admin shares XP
>> creates which I know little about and really don't understand how to get
>> rid of. There are only two user accounts, both have administrator rights
>> and unique passwords. The guest account is disabled. I would like to
>> hear explanations on how all that stuff happened, and with the router
>> back in action, whether or not anyone thinks it can happen again.
>> Thanks!
>>
>> RD
>
> Yes it can happen again, don't put a machine in the DMZ without a
> proper firewall that can lock that machine down to a minimum of services
> and don't run anything but whatever you absolutely need on a machine in
> the DMZ zone.
> My advice is that you flatten and rebuild that machine before you put it
> on your LAN again.
>
> /Anders
A little more digging reveals that the software that was placed on the
machine was indeed an FTP server. The lsass.exe and svchost.exe were renamed
program files for Serv-U. Apparently, ZA doesn't check file integrity in its
automatic rule setup, just the filename? At any rate, the Trojan
(BDS/Iroffer.13b9.1 [BDS/Iroffer.13b9.1] according to AntiVir) apparently
sets up this server for others to use as a repository to upload and download
files from the Net. This is the most clever thing I have ever seen, and I
would really like to know if anyone can explain in detail how it was
deployed on my machine. I cannot understand how it passed through ZA to
begin with. The only thing I can tie it to is my leaving the machine in the
DMZ, and possibly a site for an online Taipei game that a member of my
family visited. The new Windows Live Messenger might also be suspect as that
whole program looks like a security breach.
RD
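The thread's key observation is that the personal firewall trusted the rogue programs because they were *named* lsass.exe and svchost.exe, not because they were the genuine system files. The following is an added example, not code from anyone in this thread: a small audit that keys on where a process runs from and on its file hash rather than on its name, and that also reports listeners on the two ports the post mentions. The process records, file contents and "known-good" hashes are constructed for the example; the port numbers come from the post.

```python
"""Flag processes that impersonate Windows system binaries by name.

Added example (constructed data): checks location and content hash
instead of trusting the executable name, and reports listeners on the
FTP ports named in the thread.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Names that legitimately run only from the Windows system directory.
SYSTEM_BINARIES = {"lsass.exe", "svchost.exe"}
SYSTEM_DIR = r"c:\windows\system32"

# Ports the post reports the rogue Serv-U instance listening on.
SUSPECT_PORTS = {444, 43958}


@dataclass
class ProcessRecord:
    name: str
    path: str
    content: bytes               # stand-in for the executable on disk
    listening_ports: Tuple[int, ...]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit(processes: List[ProcessRecord],
          known_good: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (process name, reason) findings.

    known_good maps a system binary name to the SHA-256 of the genuine
    file; in practice those hashes come from a trusted install, not from
    the machine being examined.
    """
    findings = []
    for p in processes:
        lname = p.name.lower()
        if lname in SYSTEM_BINARIES:
            dirname = p.path.lower().rsplit("\\", 1)[0]
            if dirname != SYSTEM_DIR:
                # A system binary name outside System32 is the renamed-copy
                # trick described in the post.
                findings.append((p.name, f"system binary name running from {p.path}"))
            elif sha256(p.content) != known_good.get(lname):
                findings.append((p.name, "hash does not match known-good copy"))
        bad_ports = sorted(set(p.listening_ports) & SUSPECT_PORTS)
        if bad_ports:
            findings.append((p.name, f"listening on suspect port(s) {bad_ports}"))
    return findings


# Constructed sample: two genuine processes, one renamed FTP server in
# C:\RECYCLED, and one in-place file whose content was tampered with.
GENUINE_LSASS = b"genuine lsass bytes (constructed)"
GENUINE_SVCHOST = b"genuine svchost bytes (constructed)"
KNOWN_GOOD = {"lsass.exe": sha256(GENUINE_LSASS),
              "svchost.exe": sha256(GENUINE_SVCHOST)}
SAMPLE = [
    ProcessRecord("lsass.exe", r"C:\Windows\System32\lsass.exe", GENUINE_LSASS, ()),
    ProcessRecord("svchost.exe", r"C:\Windows\System32\svchost.exe", GENUINE_SVCHOST, (135,)),
    ProcessRecord("lsass.exe", r"C:\RECYCLED\lsass.exe",
                  b"ftp daemon bytes (constructed)", (444, 43958)),
    ProcessRecord("svchost.exe", r"C:\Windows\System32\svchost.exe",
                  b"tampered bytes (constructed)", ()),
]


def sample_findings() -> List[Tuple[str, str]]:
    return audit(SAMPLE, KNOWN_GOOD)


if __name__ == "__main__":
    for name, reason in sample_findings():
        print(f"{name}: {reason}")
```

On a real host the records would be filled from the process list and the files on disk; the point of the check is that a program's name is the one property an intruder controls completely, while its path and hash are what a firewall rule or allow-list should be tied to.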