Under Attack-Security Software Failed-What to do?

[Turpster]

My home business network fell under attack last night, according to Outpost Firewall Pro 2.7. I received several reports of "rst attacks" and "port scanning attacks". I felt pretty safe since Outpost had blocked the intrusion attempt. So I thought.

Today, I am receiving constant "malformed DNS requests, ports scans" reports from outpost no matter what I do online or in email. Internet Explorer, Firefox, Opera (Registered) - it does not matter what program I am in. And of course the machine is running a little slower than it should - another tell tale sign of trouble.

I ran my daily spyware scans (which are usually clean) and was shocked - to find the following: WatchDog 2 (Surveillance), iProtectYou Pro v7.07 (Surveillance), 007 Keylogger Spy 3.7 (Surveillance) and Force 1.59 (Backdoor). These had to have come through in the attack, because as I said I check my machine almost daily for viruses and spyware, and its almost always clean, accept for few cookies.

I should note that I am the only person who has access to this machine or my home network for that matter, which is behind a Linksys Firewall Router (current firmware).

I am (maybe not much longer) using the following security products:

Linksys RV082 VPN Router, Dynamic IP
Outpost Firewall Pro 2.7 (rules based)
Nod32 AV 2.50.25 (RealTime - protection set to maximum)
BoClean 4.12.002 (was using TDS-3 prior to its demise) (RealTime)
CounterSpy (RealTime, protection enabled)
Ewido (RealTime, protection enabled)
Ad-Aware SE Professional (On-Demand)
Spybot S&D (On-Demand, Immunization Set)
SpywareBlaster (Protection Set)
SpywareGuard (RealTime)

Windows XP Professional SP2, Always up to date and everything Password Protected.

Ok, what else can I do? Is there something better out there than what I have set up? Am I missing anything? Where did I go wrong? And of course I am fighting the anger and want to know why me? But, I realize it happens everyday to thousands of people and businesses. I just thought I had taken enough steps to protect myself.

The one thing that irks me is that Ewido, CounterSpy, NOD32, BoClean all just sat there and did nothing. Outpost said it blocked the attempt - but didn’t. CounterSpy found the infections after the fact - but did not stop them in real time. I am sorry, but I am really angry right now and may be taking it out on these programs and I do realize that they have kept me clean for a long time. Is it possible that a hacker put a root kit on my computer?

Should I reinstall XP and start over? I have all my business records on the machine in question, not to mention all kinds of other confidential business information - Should I start calling everybody and changing passwords, credit card numbers? What a mess.

While I was writing this I was scanning two of my other computers (same security set up, same network) and they are infected to!!!!!!!!!!! Yikes!

Believe it or not I always lecture people about maintaining there windows updates and getting good security products. I am starting to wonder if there is anyway to use the internet and be safe.

Any advice anyone can give would be appreciated.

[Bubba]

Quote:

Originally Posted by Turpster

007 Keylogger Spy 3.7 (Surveillance) and Force 1.59 (Backdoor)....CounterSpy (RealTime, protection enabled)

Let's chip away at some of what you are finding and hopefully it want be as bad as you might think.

What version of CounterSpy are you using and what is the latest database ? The reason I am asking is because database 222 and 224 had False positives in regards to those 2 items.

[Kye-U]

Disconnect your computers from the internet and network.

Try installing another antivirus (Bitdefender, or Kaspersky) to possibly detect anything NOD32 could've missed.

Do a HijackThis scan and post the log here.

Don't format yet. If you disconnect your computer(s) from the Internet and network, then the trojans will be useless and you will be free to work at your own pace ^_^

I recommend that you call your customers, but wait for more suggestions from more members.

[Turpster]

Hello Bubba, I am using CounterSpy's database version 224. CounterSpy is reporting that is the latest version. I just tried to update it.

[Turpster]

Hello, Kye-U

I will run a HijackThis Scan and post it shortly. Good idea about disconnecting the machines and calling my customers. I have to leave one up on the network though, so, I can work with you guys.

I'll am going to download KAV and give that a try too.

Thanks

[Kye-U]

Make sure that the one you leave up is not the one with your confidential business data. =)

[Rico]

Hi Turpster,

Try F secure blacklight "rootkit" scanner. http://www.f-secure.com/blacklight/

also perhaps of use is www.rootkits.com. Also try this to see if "HackerDefender" is present

start > run > type cmd > cd\windows\prefetch>cd\hxdef1~1.pf

If HackerDefender is present you get "the directory name is invalid"
If HackerDefender is NOT present you get "the system cannot find the path specified"

Also this will give you multiple scans: http://www.virus.gr/english/fullxml/default.asp

When you get all nice & squeaky clean, take a look at ProcessGuard+RegDefend - this combo seems de rigeur around here.

Also M$AS (microsoft anti-spyware) with its 59 real-time-protection's perhaps would have sounded off.

Good Luck
Rico

Oh! F secure thing is free.

One more thing Sysinternals has a rootkit revealer tool see www.sysinternals.com <not easy> thats why i mention F-secure

[Turpster]

Here is the Hijack This Log. Rico I will try your suggestions too and report back. Thanks everybody.

[Paranoid2000]

Quote:

Originally Posted by Turpster

Today, I am receiving constant "malformed DNS requests, ports scans" reports from outpost no matter what I do online or in email. Internet Explorer, Firefox, Opera (Registered) - it does not matter what program I am in. And of course the machine is running a little slower than it should - another tell tale sign of trouble.

While this could be an indication of trouble, early builds of Outpost 2.7 did give this error (see the Known Issues section of Outpost 2.7 - what to expect) and this will halt network access. Try disabling the DNS Cache plugin as a workaround.

Quote:

Originally Posted by Turpster

I ran my daily spyware scans (which are usually clean) and was shocked - to find the following: WatchDog 2 (Surveillance), iProtectYou Pro v7.07 (Surveillance), 007 Keylogger Spy 3.7 (Surveillance) and Force 1.59 (Backdoor). These had to have come through in the attack, because as I said I check my machine almost daily for viruses and spyware, and its almost always clean, accept for few cookies.

Which scanner identified these items? Scanners can give false positives and given the raft of other security applications you mention (Ewido, NOD32, etc) not reporting anything, it would make this a more likely cause. You can check by sending the "infected" files to a scanning site like Jotti's Malware Scan or VirusTotal.

Quote:

Originally Posted by Turpster

I should note that I am the only person who has access to this machine or my home network for that matter, which is behind a Linksys Firewall Router (current firmware).

This, combined with Outpost, would make an outside attack very unlikely (unless you had disabled or misconfigured these firewalls to allow all incoming traffic). Assuming you have not been downloading programs from P2P networks or other anonymous sources (IRC, Usenet or Warez sites), this again makes a false positive a more likely explanation.

Be aware that Outpost's Attack Detection plugin will give false positives at times (most likely with DNS traffic, where the "attackers" IP address matches that of your ISP DNS servers - these addresses are reported when you type ipconfig /all in a command prompt window).

[Bubba]

Quote:

Originally Posted by Turpster

Hello Bubba, I am using CounterSpy's database version 224. CounterSpy is reporting that is the latest version. I just tried to update it.

I don't mean to move you away from the direction you are heading with other folks....but since there have been intermittent problems with updating would you Please verify that you are really updated by clicking Help, About CounterSpy and see what it says for Spyware Definition Version and the date/time.

We have an ongoing thread in the Sunbelt Beta Forum concerning these Spy 3.7, WatchDog 2 and Force 1.59 False positives.

If you take a look at CounterSpy: Definition 222 you'll note that all 4 of those items that you posted above WatchDog 2 (Surveillance), iProtectYou Pro v7.07 (Surveillance), 007 Keylogger Spy 3.7 (Surveillance) and Force 1.59 (Backdoor) were added in that database along with many others. If you also look at the threat information of those 4 items....Force 1.59 for example....take a look at their Running Process Signatures: at the bottom of that report and then look at your HighJackThis log in regards to Running processes:. You will note that none of the Force 1.59 processes are showing up in your HJT log.

Quote:

Originally Posted by Kye-U

Do a HijackThis scan and post the log here.

For future reference We do not allow unsolicited HijackThis logs to be posted in Forum unless "requested by a moderator (or specially titled forum expert)"

Per this Announcement---> Stopping HijackThis Log Cleaning Services!

[Kye-U]

Bubba, I'm incredibly sorry for missing that.

Feel free to remove it; I have saved a copy for myself to privately help Turpster with

Thanks.

[Bubba]

Quote:

Originally Posted by Kye-U

Bubba, I'm incredibly sorry for missing that.

Feel free to remove it;

Nah....I'll leave it for a bit....I might find something I missed Also....my reminder was an opportunity to let others know about our HJT policy that might drift by this thread....you were simply used

Quote:

Originally Posted by Kye-U

I have saved a copy for myself to privately help Turpster with

Please don't get to private....no one but the privateers learn that way

[Turpster]

Oops! Sorry for posting that log. Ok, I have tried several of the suggestions and this is what I have found:

CounterSpy is the only program reporting an infection. I ran scans with Ad-Aware SE Prof, Spybot, Ewido, NOD32 & KAV - all clean. I did not let CounterSpy make the repairs on its reports and this morning when I turned the machine back on and ran CounterSpy again (same definitions - I ran the def. check from the file menu) it reported no problems. Maybe it needed the reboot after it updated itself yesterday to fully stop the false reporting.

Just for safety sake I tried Rico's suggestions and ran Blacklight which found nothing and ran the command line, HackerDefinder test and it came back "the system cannot find the path specified".

I also made a BartPE disk and ran Ad-Aware, McAfee STinger & McAfee AV and found nothing.

Now as for Outpost. I am using build 485/412 which I think was supposed to correct the DNS false reporting issue. I looked at the Outpost Log and found that it has a lot of entries like this (since the other night):

8/22/2005 11:27:54 AM DNS Cache Report Malformed DNS request detected from: IP:192.168.1.1, port:53 to: IP:192.168.1.104, port:1030

Entries like this also show up for random web pages I go to, since the other night (not just, microsoft's webpage - just using as an example):

1:39:27 AM Intruder blocked Rst attack detected from www.microsoft.com -> www.microsoft.com
8/23/2005 7:51:42 PM Intruder blocked Rst attack detected from www.microsoft.com -> www.microsoft.com

8/23/2005 8:00:16 PM Intruder blocked Port Scanning has been detected from www.microsoft.com (scanned ports:TCP (1160, 1118, 1189, 1147, 1119, 1143))
8/23/2005 7:51:37 PM Intruder blocked Port Scanning has been detected from www.microsoft.com (scanned ports:TCP (4223, 4173, 4181, 4175, 4189, 4179))

However, I can sit here on Wilders and Outpost does report any problems - move to another website, say google and I'll get a series of attacks and google gets blocked. Move to another site same thing. Wait for 15 minutes or so and I can surf the web for about 15 to 30 minutes with no problems and it all starts up again.

Which is why I freaked out! I started having all these problems and then countespy gave the report on those items and I thought my security had been compromised.

So, here is my next plan.... I think everyone is right and this is probably a case of a false positives combined with Outpost getting messed up somehow. So, I am going to uninstall Outpost Pro and download the lastest build 493/416 and reinstall. Maybe that will help.

Its odd though - I have not installed any new programs since BoClean a month or so ago. Nor do I do any file sharing or download programs, music, etc. from file sharing websites. So, I am not sure what would have happened the other night that would have thrown Outpost into such a mess. Unless its one of the Automatic Windows Updates installations that somehow messed things up.

I'll report back to see if uninstalling Outpost and reinstalling it stops the problem.

[Paranoid2000]

Quote:

Originally Posted by Turpster

Now as for Outpost. I am using build 485/412 which I think was supposed to correct the DNS false reporting issue. I looked at the Outpost Log and found that it has a lot of entries like this (since the other night):

The current build is 493/416 so try updating to that.

Quote:

Originally Posted by Turpster

8/23/2005 7:51:37 PM Intruder blocked Port Scanning has been detected from www.microsoft.com (scanned ports:TCP (4223, 4173, 4181, 4175, 4189, 4179))

However, I can sit here on Wilders and Outpost does report any problems - move to another website, say google and I'll get a series of attacks and google gets blocked. Move to another site same thing. Wait for 15 minutes or so and I can surf the web for about 15 to 30 minutes with no problems and it all starts up again.

Outpost v1's Attack Detection plugin had a problem with reporting website connections as attacks but v2 fixed that. Have you made any changes to your Attack Detection timings (Properties/Advanced/Attacks List/Edit List/Advanced) - specifically the "Disconnecting Ignore Time" (should be 3000 msec). If yours is less, then set it back to this value.

I would also suggest disabling the "Block Intruder IP" setting - the plugin will still block detected attacks without it and it seems to be causing more trouble than its worth in your situation (it is best used when you have a hardware router filtering incoming traffic - then there is very little chance of a false alarm).

[Rico]

Hi Turpster, Glad to see nothing showed up regarding rootkits. You should also go to www.grc.com then scroll till you find "shields up" enter then scroll till you see the option to "scan all ports", ideal is to have all ports "Stealth" if you have open or non stealthed ports you have some homework to do with outpost. Personally I like ZoneAlarm ZA currently ver. 6. The times that i had non-stealth ports, it was generally due to something having "server" rights. ZA was very easy to correct this, next shields up, and your all stealthy again. Steve Gibson over at GRC, has some great programs you should check out. Mr. Gibson would be right up there for hall of fame, in computers/programing, status.

Good Luck
rico

[Turpster]

Thanks Paranoid2000 - I plan on doing the reinstall tonight.

I checked the current attack Detection timing and it was set to 600 msec so, I changed it to 3000 msec. Not sure how it got so low as I have never messed with those settings.

Quote:

I would also suggest disabling the "Block Intruder IP" setting - the plugin will still block detected attacks without it and it seems to be causing more trouble than its worth in your situation (it is best used when you have a hardware router filtering incoming traffic - then there is very little chance of a false alarm).

Forgive me if I am misunderstanding you, but I am using a Linksys VPN Hardware Router. Is my Router missing something it should be doing? Sould I be looking at that?

Thanks Rico - I have already checked my protection @ "Shieldsup" and PCFlanks Website and always pass everything (now) after following Steve's advice. As you say, he has a lot of great info on his site. Well anyway, atleast I know that the stealth features are working properly.

[Paranoid2000]

Quote:

Originally Posted by Turpster

Forgive me if I am misunderstanding you, but I am using a Linksys VPN Hardware Router. Is my Router missing something it should be doing? Sould I be looking at that?

Oops, missed that. Aside from checking that the router firewall is enabled there should be little that needs doing - I'd still suggest disabling Outpost's Block Intruder setting until you are comfortable that the false alarm issue has been resolved.

Also note that having this set does prevent any proper "stealth" test (since the block kicks in after the first few connections, preventing tests thereafter) and such tests would only test the router firewall in your case (see the "Scans with a Router" section of Online Scans - What to do with Open and Closed Ports).

[Turpster]

OK, it's been 12 days since I installed the latest version of Outpost and I have had no further trouble, with the computer anyway..... my 9 month old router is now acting up, but that is another story.

Thanks to everyone for taking the time to help me with this issue, I really appreciate it. If it had not been for you guys talking me down off the ledge I would have done a total re-install.

Thanks Again!

[Longboard]

what a great little thread!!
plenty to learn from these posts.
Great sequence of posts and responses.
Love it here

Regards