An uninvited guest

Discussion in 'other security issues & news' started by dannyboy 950, Jan 9, 2006.

Thread Status:
Not open for further replies.
  1. dannyboy 950

    dannyboy 950 Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    50
    I thought I had got rid of this person, but he has been logging on again and changing settings.

    OK, to begin with, I use XP Home SP2 on this machine, Sygate Pro firewall; AVG; A2; Ewido; Process Guard; Spybot S&D; SpywareBlaster and Spyware Guard. All up to date and run regularly. CCleaner and CWShredder and HijackThis, as well as several management and TCP tools.

    This computer is a stand-alone outside my LAN: no ICS enabled, no NetBIOS, no network shares, no file and print sharing, no other networking enabled other than what's needed for a direct connection to a RR cable modem. Now I do have a bad habit of leaving it on all the time. So I check my event and security logs daily.

    I am seeing successful logons and privileges being established at times when no one is on the computer. Apparently I have a RAT well hidden.
    Now I follow Black Viper's and the NSA's disable list of processes. Primarily DCOM; RPC; Remote Desktop and Assistance all disabled, along with File and Print Sharing etc. All unnecessary services are disabled or manual. Only my AV and firewall and Windows Updates are automatic.

    Now what I am wondering is, if I used TrueCrypt or something and encrypted the entire drive, would he still be able to access his back door?
    I really don't want to have to nuke this thing; it came with no CDs. I have done 2 system restores and 1 system recovery but he still gets in.

    I would appreciate any ideas or comments.
     
  2. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Have you tried any 'outside' scans from an online vendor?

    Kaspersky
    Symantec
    TrendMicro's Housecall..

    That would be my first stop for sure, as an outside scan may indicate something your own apps are not seeing.

    http://housecall.trendmicro.com/
    http://security2.norton.com/sscv6/default.asp?langid=ie&venid=sym
    http://www.kaspersky.com/virusscanner
    .....to name a few.

    Definitely do this first; otherwise, post a HijackThis log at a forum which does them [NOT here, we no longer do HJTs]: https://www.wilderssecurity.com/showthread.php?t=42148

    Cheers, TAS
     
  3. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    There's also the rootkit detectors - IceSword, BlackLight, RootkitRevealer, and UnHackMe <I think>. Not sure if there are any more out there.
     
  4. spy_revealer

    spy_revealer Guest

    Along with some of the above recommendations I would try downloading and running the free trial of Security Task Manager http://www.neuber.com/taskmanager/index.html and look for anything suspicious. It can find all kinds of hidden malware.

    Then I would run some of those rootkit checkers mentioned by Vikorr. They all are free or have fully functional free trials. I would recommend running at least RootkitRevealer, Blacklight beta and Unhackme.

    I would also consider running a good anti-keylogger as well. SpyCop is a good one, but it's not free. STM and some of the rootkit detectors, in combination, will find a lot of keyloggers too, so you could just run them instead of SpyCop. But what I would be looking for are rootkits and keyloggers, because it sounds like you could have one.

    It does seem strange that a keylogger could get past Process Guard, but I suppose it's possible. If it was just a regular RAT trojan I would think your AV or Ewido should have caught it, so it sounds like it could be something more sinister, maybe a rootkit. I would consider getting a better AV than AVG anyway. I don't think it's too strong at RAT trojan detection.

    Hth.
     
  5. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Something to find out: what processes/modules [DLLs] do you have running on your system?

    Download this ProcX [standalone, no install] and it will give a complete list of what's running; if there's anything you don't know about, try a search via the right-click option.... No matter what the proggie, if it's 'running' it has to show up somewhere.

    http://www.ghostsecurity.com/index.php?page=procx

    It's a brilliant little proggy from Ghost Security, authored by gkweb a member here for GS.

    TAS
     

    Attached file: 095.GIF (44.3 KB)
  6. emir

    emir Registered Member

    Joined:
    Dec 21, 2005
    Posts:
    61
    I have to put in my two cents. Everything Tassie Devils and the others say is of course true; however, let me share a couple of other things. I know I am not an expert in a sense, but I know this: Sygate used to be the schiznic. I used it for like a year and everything seemed perfect, but something happened, and people can say I'm paranoid, but now I am friends with a real-deal blackhat and he confirmed my suspicions. Hopefully everyone agrees that Symantec is one of the most, if not the most, targeted security companies by hackers. Of course, if you don't believe me, think about it: if you crack open an application which is your means of uninvited remote entry, then do you want an application that 500,000 people use or something like Norton that, say (I really don't know how many), 50 million people use? I hope you understand. Symantec acquired Sygate firewall technologies for use with Norton, correct? Now I was racking my brain trying to figure out why, when I had my computers locked down tight like you, Dannyboy 950, I am seeing bytes coming and going when I pulled up the connection properties box for a usually untampered look at your traffic, at least an indication of it occurring but not an actual look at the packets. Anyhoo, I, just like many others, am hurt to have to let go of certain technologies that you've come to trust, but it happens and you must move on to technologies which are at least good for right now, like ESET NOD32 or Antivirus Personal Edition (the one with the red umbrella, or blue if you want premium) instead of AVG, as this is not reliable like I used to think either, trust me on this man.

    Then you must really decide yourself which firewall. I personally use ZoneAlarm's triple defense without the antispyware and antivirus, sometimes with. (The trial version is only two weeks for the ZoneAlarm Security Suite, but I wipe my hard drive every two weeks anyway.) Your choice of firewall is very important, as my friend has told me about all kinds of hacks for firewalls, like funky combinations of flags on packets and FTP, and tricking the connection-tracking component the firewall uses to monitor connections and connection attempts. Dannyboy, I hope you read all this; you are so on time with the Black Viper suggested services running, you just need to change your firewall and anti-virus. If I were you I would go get clean installs of Process Guard, WormGuard, oh yeah, and use Opera; if you must use IE, put SpyWall from majorgeeks.com on there, and try ZoneAlarm Security Suite for two weeks; if you don't want to buy, then just reformat every couple of weeks. It's not that bad considering you're saving your identity from getting stolen by some dude in Malaysia or Indonesia. One last thing, and this could be the most important: is your IP address static or dynamic? You know there is broadband, I know for sure, where they get a new IP address every day, but usually with anything other than dial-up you have a permanent IP address. Get this changed after you wipe your hard drive, as once the cracker has it you are through pretty much no matter what security you have if he's hard enough.
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Hi,
    A question: Did you install all these before or after you got hit?
    How do you know you got hit? Have you by chance removed lots of spyware recently? Having a RAT only and nothing else is not typical. Mind posting your HJT in an appropriate forum?
    Emir: I did not follow what you said about Sygate. Something happened? When and where?
    Mrk
     
  8. dannyboy 950

    dannyboy 950 Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    50
    Thanks for the interest.

    Now I have been running my security apps since they first came out. Beta tested most of them. I also run online scans regularly both AV and AT.

    I saw that RootkitRevealer had a new version, so I uninstalled my old one and installed it. Saved the file, but it wanted to put it in the system32 folder??
    I put it in Documents instead, but now I can't find it, LOL.

    Here are a few events. I will post more as I have time to sort through and filter only the relevant ones; it will take a lil while, I run biggggg logs.

    Event Type: Success Audit
    Event Source: Security
    Event Category: Policy Change
    Event ID: 849
    Date: 1/8/2006
    Time: 4:07:44 PM
    User: NT AUTHORITY\SYSTEM
    Computer: LINDA
    Description:
    An application was listed as an exception when the Windows Firewall started.

    Policy origin: Local Policy
    Profile used: Standard
    Name: Remote Assistance
    Path: %windir%\system32\sessmgr.exe
    State: Enabled
    Scope: All subnets

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    This is supposed to be disabled. If I ain't turning it on, who is?

    Event Type: Information
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7035
    Date: 1/8/2006
    Time: 4:07:43 PM
    User: NT AUTHORITY\SYSTEM
    Computer: LINDA
    Description:
    The Remote Access Connection Manager service was successfully sent a start control.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    Was not me

    Event Type: Information
    Event Source: EventLog
    Event Category: None
    Event ID: 6006
    Date: 1/8/2006
    Time: 4:05:59 PM
    User: N/A
    Computer: LINDA
    Description:
    The Event log service was stopped.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: ff 00 00 00 ÿ...

    Thanks for the help. I will continue digging.
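    The three records quoted above are the kind of thing a daily log review has to sift, so here is an added example (not from the thread or from any of the tools named in it) of how to do that sifting mechanically: a parser for the Event Viewer text-export format shown in the post, followed by one correlation rule that picks out events which re-expose remote access (an enabled Windows Firewall exception for Remote Assistance, a start control to the Remote Access Connection Manager) and notes whether the Event Log service was stopped (EventLog 6006) in the minutes before them. The sample input embeds the poster's three records plus one constructed benign 849 record for a hypothetical program, so the rule has something it must not flag. The watch-list entries "Remote Desktop", "Remote Desktop Help Session Manager" and "Terminal Services" are assumed additions; the thread only shows Remote Assistance and Remote Access Connection Manager.

```python
import re
from datetime import datetime, timedelta

# Added example. The first three records are the ones quoted in the post
# (Security 849, SCM 7035, EventLog 6006). The fourth is CONSTRUCTED: a
# firewall exception for a hypothetical program that the rule must NOT flag.
SAMPLE_LOG = r"""
Event Type: Success Audit
Event Source: Security
Event ID: 849
Date: 1/8/2006
Time: 4:07:44 PM
User: NT AUTHORITY\SYSTEM
Description:
An application was listed as an exception when the Windows Firewall started.
Name: Remote Assistance
Path: %windir%\system32\sessmgr.exe
State: Enabled

Event Type: Information
Event Source: Service Control Manager
Event ID: 7035
Date: 1/8/2006
Time: 4:07:43 PM
User: NT AUTHORITY\SYSTEM
Description:
The Remote Access Connection Manager service was successfully sent a start control.

Event Type: Information
Event Source: EventLog
Event ID: 6006
Date: 1/8/2006
Time: 4:05:59 PM
User: N/A
Description:
The Event log service was stopped.

Event Type: Success Audit
Event Source: Security
Event ID: 849
Date: 1/8/2006
Time: 4:07:45 PM
User: NT AUTHORITY\SYSTEM
Description:
An application was listed as an exception when the Windows Firewall started.
Name: Hypothetical Backup Agent
Path: C:\Program Files\Example\agent.exe
State: Enabled
"""

# "Key: Value" lines kept as fields; anything else under Description: is free text.
FIELD_RE = re.compile(
    r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|"
    r"Computer|Name|Path|State|Scope|Profile used|Policy origin): ?(.*)$")

# Assumed watch list of names that re-expose remote access when enabled/started.
WATCHED_EXCEPTIONS = {"remote assistance", "remote desktop"}
WATCHED_SERVICES = ("Remote Access Connection Manager",
                    "Remote Desktop Help Session Manager", "Terminal Services")


def parse_records(text):
    """Split an Event Viewer text export into one dict per record."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("Event Type:"):          # every record starts here
            current = {"description": []}
            records.append(current)
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
        elif line.strip() and not line.startswith(("Description:", "For more information")):
            current["description"].append(line.strip())
    for r in records:
        r["description"] = " ".join(r["description"])
        r["Event ID"] = int(r["Event ID"])
        r["when"] = datetime.strptime(f"{r['Date']} {r['Time']}", "%m/%d/%Y %I:%M:%S %p")
    return records


def find_remote_access_changes(records, window=timedelta(minutes=5)):
    """Return remote-access exposure events, oldest first, each annotated with
    whether the Event Log service was stopped (EventLog 6006) within `window`
    before it. A normal reboot produces this same sequence, so the result is a
    review list, not a verdict."""
    log_stops = [r["when"] for r in records
                 if r["Event ID"] == 6006 and r.get("Event Source") == "EventLog"]
    findings = []
    for r in records:
        reason = None
        if (r["Event ID"] == 849 and r.get("State", "").lower() == "enabled"
                and r.get("Name", "").lower() in WATCHED_EXCEPTIONS):
            reason = f"firewall exception enabled for {r['Name']} ({r.get('Path')})"
        elif r["Event ID"] == 7035 and any(s in r["description"] for s in WATCHED_SERVICES):
            reason = "start control sent to a remote-access service"
        if reason:
            stopped_before = any(timedelta(0) <= r["when"] - t <= window for t in log_stops)
            findings.append({"when": r["when"], "event_id": r["Event ID"],
                             "reason": reason, "eventlog_stopped_before": stopped_before})
    return sorted(findings, key=lambda f: f["when"])
```

    Running `find_remote_access_changes(parse_records(SAMPLE_LOG))` returns the 7035 and the Remote Assistance 849 records, both marked as preceded by a 6006 about two minutes earlier, and skips the constructed 849 for the other program. Note what the annotation does and does not say: an event-log stop followed by service start controls and firewall exceptions being re-listed is exactly what a shutdown and boot look like, which is why the rule only surfaces the sequence for a human to compare against the box's actual uptime.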
     
  9. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,526
    Location:
    USA - Back in a real State in time for a real Pres
    Unless I missed it. What settings have been changed by this supposed RAT? Just reading briefly, I suspect nothing is wrong.
     
  10. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    From what's been posted, there is nothing wrong. Just normal SYSTEM account activity.

    Blue
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Hi,
    Like I said - having a RAT only and nothing else is not typical. These things come bundled or horseback as payload with some dropper or such. Having a beautiful undetectable RAT on and nothing else can most likely only come from direct physical access.
    Mrk
     