OT: An attempt to learn from a malicious attack by an internet cracker.

Group: General Computer Security
Thread started by lavron, 03-26-2006
Posted by lavron@altavista.com on March 26, 2006, 1:01 am
Recently, an internet cracker managed to break through my computer
defenses and introduced into it a contamination which prevented the
operating system from booting. Furthermore, the intruder also altered
the CMOS storage in a manner which prevented me from reinstalling
either Windows-XP or Windows-98. Only after resetting the CMOS
storage could I successfully reinstall both operating systems.

I hope that someone here can answer the following questions:
1. Which fields in the CMOS storage are the Windows installers
referring to?
2. What is the raison d'être for the existence of these fields, i.e.,
what is their legitimate purpose?
3. What are the alternative settings in these fields, and what does
each setting mean?

Well, I managed to recover from this malicious attack, and, hopefully,
I will be able to learn something from it.

Thanks in advance.


Posted by Alexei A. Frounze on March 26, 2006, 3:30 am
lavron@altavista.com wrote:
> Recently, an internet cracker managed to break through my computer
> defenses and introduced into it a contamination which prevented the
> operating system from booting. Furthermore, the intruder also altered
> the CMOS storage in a manner which prevented me from reinstalling
> either Windows-XP or Windows-98. Only after resetting the CMOS
> storage could I successfully reinstall both operating systems.
>
> I hope that someone here can answer the following questions:
> 1. Which fields in the CMOS storage are the Windows installers
> referring to?
> 2. What is the raison d'être for the existence of these fields, i.e.,
> what is their legitimate purpose?
> 3. What are the alternative settings in these fields, and what does
> each setting mean?
>
> Well, I managed to recover from this malicious attack, and, hopefully,
> I will be able to learn something from it.
>
> Thanks in advance.

alt.os.development isn't the right group to ask. Anyway, I think the disk
types and CMOS checksum could be damaged and prevent your computer from
working correctly. I'm aware of a virus that exploited not only a security
hole in Windows 98 but also fdisk.exe logic in such a way that fdisk.exe
would not correct the disk's Master Boot Record if the latter had certain
information in it. The virus modified the MBR in such a way that fdisk.exe
would say everything's OK in the MBR while it wasn't, and the MBR was left in
an unbootable state. Zeroing out the MBR before another round of disk
partitioning and formatting helped.

Alex


Posted by Nicholas Sherlock on March 26, 2006, 4:17 am
lavron@altavista.com wrote:
> Recently, an internet cracker managed to break through my computer
> defenses and introduced into it a contamination which prevented the
> operating system from booting. Furthermore, the intruder also altered
> the CMOS storage in a manner which prevented me from reinstalling
> either Windows-XP or Windows-98. Only after resetting the CMOS
> storage could I successfully reinstall both operating systems.

How do you know that it was an external attack which caused this problem?

Cheers,
Nicholas Sherlock

--
http://www.sherlocksoftware.org

Posted by CJ on March 26, 2006, 5:41 am
lavron@altavista.com wrote:
> Recently, an internet cracker managed to break through my computer
> defenses and introduced into it a contamination which prevented the
> operating system from booting. Furthermore, the intruder also altered
> the CMOS storage in a manner which prevented me from reinstalling
> either Windows-XP or Windows-98. Only after resetting the CMOS
> storage could I successfully reinstall both operating systems.
>
> I hope that someone here can answer the following questions:
> 1. Which fields in the CMOS storage are the Windows installers
> referring to?
> 2. What is the raison d'être for the existence of these fields, i.e.,
> what is their legitimate purpose?
> 3. What are the alternative settings in these fields, and what does
> each setting mean?
>
> Well, I managed to recover from this malicious attack, and, hopefully,
> I will be able to learn something from it.
>
> Thanks in advance.

Sure it wasn't just a failed CMOS battery?

CJ



Posted by on March 27, 2006, 9:52 pm
lavron@altavista.com wrote:
> Recently, an internet cracker managed to break through my computer
> defenses and introduced into it a contamination which prevented the
> operating system from booting. Furthermore, the intruder also altered
> the CMOS storage in a manner which prevented me from reinstalling
> either Windows-XP or Windows-98. Only after resetting the CMOS
> storage could I successfully reinstall both operating systems.
>
Can you share the general info on how they were able to do this? Or,
how to prevent this? Can you say something about your hardware and
network interface?

> I hope that someone here can answer the following questions:

I have incomplete knowledge about the following, so my conclusions may be
in error.
CMOS is a rather dated term, nowadays the terms are GPNV [general
purpose NonVolatile] or NVS [NonVolatile Storage]. The CMOS Bios dates
to the 80286, IIRC the actual storage was on the RTC [real time clock
chip] which was utilized by the CMOS Bios to statically store various
system parameters. One of which was the flag
bit to disable NMI, a suggested thing to do on the 286 to switch to
protected mode. Disabling the NMI involved clearing bit 7 of the byte
accessible thru Port 70h, for example. The amount of NVS was very
small, I don't recall the amount, less than 256 bytes, maybe closer to
64 bytes, maybe only 16 bytes. The GPNV of today is huge by comparison
and holds all sorts of things related to static $PnP Bios and _SM_
SMBIOS [System Management Bios] values. Most certainly the NVS holds
all that is referred to by [I'll call it the F2 system] setup menu,
available at the end of the POST routine, before the OS boots. The
NVS may also hold the System Event Log as well. Refer to the System
Management BIOS Reference Specification. The SMBIOS is a subnode to
the $PnP Plug and Play Bios, it is only one component of the Desktop
Management Interface (DMI). Reference the PhoenixBIOS 4.0 User's
Manual.

> 1. Which fields in the CMOS storage are the Windows installers
> referring to?
Which fields, I haven't a clue. Logically it can be assumed that it
needs to survey the system to install the pertinent components matched
to the system hardware and state. It most probably maintains its own
'system event log' as to the installation procedure. Possibly, there
was an error in allocating that space if a lurker had already allocated
it.

> 2. What is the raison d'être for the existence of these fields, i.e.,
> what is their legitimate purpose?

To maintain state, static values, across cold boots. Such as the
system event log. Such as the boot device sequence [IPL]. Such as PXE
Enable!!(A)

> 3. What are the alternative settings in these fields, and what does
> each setting mean?
>
This is too broad to answer, I've not found a good reference that
details these.

> Well, I managed to recover from this malicious attack, and, hopefully,
> I will be able to learn something from it.
>
(A) Before I comment further, what is your knowledge of the PXE preboot
extensions, Remote Program Load, remote system management? Modern Post?

> Thanks in advance.
You're welcome.
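Two replies above touch the same mechanism: Alex suggests the disk types and the CMOS checksum were damaged, and the last reply describes the RTC-backed CMOS storage behind ports 70h/71h. As an added illustration (not code from anyone in this thread), the C program below validates a 64-byte CMOS image the way POST does and decodes the fixed-disk type bytes, using a constructed sample image; the offsets follow the classic IBM AT layout, which later BIOSes extend but keep compatible, and the "bad" image shows why a wiped disk type with a stale checksum stops a machine before any installer runs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Legacy PC/AT RTC CMOS (index port 70h, data port 71h): POST sums bytes 10h..2Dh and compares the sum with the big-endian word at 2Eh/2Fh. */
#define CMOS_SIZE     64
#define CMOS_HDD_TYPE 0x12  /* high nibble: drive C type, low nibble: drive D type */
#define CMOS_HDD_EXT  0x19  /* 19h/1Ah: full type byte for drive C/D when its nibble is 0Fh */
#define CMOS_CKSUM    0x2E  /* checksum high byte; the low byte follows at 2Fh */

/* The checksum exactly as POST computes it: a plain 16-bit sum of bytes 10h..2Dh. */
uint16_t cmos_checksum(const uint8_t *cmos)
{
    uint16_t sum = 0;
    for (int i = 0x10; i <= 0x2D; i++) sum += cmos[i];
    return sum;
}

/* 1 if the stored word matches the bytes it covers; 0 for an image that trips "CMOS checksum error" at POST. */
int cmos_checksum_ok(const uint8_t *cmos)
{
    return cmos_checksum(cmos) == (uint16_t)((cmos[CMOS_CKSUM] << 8) | cmos[CMOS_CKSUM + 1]);
}

/* Fixed-disk type for drive 0 (C:) or 1 (D:); 0 means no drive is configured. */
int cmos_hdd_type(const uint8_t *cmos, int drive)
{
    int t = drive == 0 ? (cmos[CMOS_HDD_TYPE] >> 4) : (cmos[CMOS_HDD_TYPE] & 0x0F);
    return t == 0x0F ? cmos[CMOS_HDD_EXT + drive] : t;
}

/* Constructed sample image (not a dump from any real machine): drive C = user-defined type 47, no drive D. */
void build_sample(uint8_t *cmos)
{
    memset(cmos, 0, CMOS_SIZE);
    cmos[CMOS_HDD_TYPE] = 0xF0;
    cmos[CMOS_HDD_EXT] = 47;
    uint16_t sum = cmos_checksum(cmos);
    cmos[CMOS_CKSUM] = (uint8_t)(sum >> 8);
    cmos[CMOS_CKSUM + 1] = (uint8_t)(sum & 0xFF);
}

int main(void)
{
    uint8_t good[CMOS_SIZE], bad[CMOS_SIZE];
    build_sample(good);
    memcpy(bad, good, CMOS_SIZE);
    bad[CMOS_HDD_TYPE] = 0;  /* disk type wiped but checksum left stale: what POST (and an installer) would reject */
    printf("good: checksum %s, drive C type %d\n", cmos_checksum_ok(good) ? "ok" : "BAD", cmos_hdd_type(good, 0));
    printf("bad:  checksum %s, drive C type %d\n", cmos_checksum_ok(bad) ? "ok" : "BAD", cmos_hdd_type(bad, 0));
}
```

Resetting CMOS, as the original poster did, simply rewrites these bytes with BIOS defaults and a fresh checksum, which is why it cleared the installer failure.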

