
The Result of the Computer Fiasco

FortKnox (169099) writes | more than 10 years ago

User Journal 15

Well, the 'old' computer wouldn't start because the video card was burnt out. GeForce4 and the fan wasn't working. Installed new video card and voila.

The 'new' computer had 6 reported viruses:
I-Worm/Woff
Dropper.small
Backdoor.Fudoor
Downloader.Rameh
Worm/Ihit
Win32/Resur

Don't bother. Symantec doesn't have any info on them.... neither does Grisoft (AVG people)...

The only clue was when I attempted to shut down, 2 people were connected to my computer (at least the shutdown said that). I couldn't load up anything to check for who it was, so I hit the power button, instead of shutting down, did the 'last ditch effort' to load up my machine with the 'last successful config' and everything worked peachy... so peachy in fact, I'm quite scared. I installed the latest virus definition update, rescanned everything... nothing found.

No idea what happened. A prank? I'm sitting behind a router, firewall, and antivirus... pretty sophisticated prank.

Any clue at all??

15 comments

More info? (1)

yuri benjamin (222127) | more than 10 years ago | (#8979630)

I'm sitting behind a router, firewall, and antivirus...

What firewall are you using? What do the firewall logs say about connections at the time Windows Shutdown reported 2 users?
My guess is you've been cracked. Firewall logs should contain clues.

Yuri

Might have been in ram, but... (1)

(H)elix1 (231155) | more than 10 years ago | (#8979700)

I've been owned [slashdot.org] before. I did a fair bit of digging into how they exploited my box, and the best I can figure was a fairly sophisticated dictionary attack. Not to say it could not be something else, but the box was launching dictionary attacks against other IP addresses from the box. Argh!

Time to rebuild and change all your passwords! FDISK purifies and redeems...

You might (1)

Safety Cap (253500) | more than 10 years ago | (#8979785)

...want to check your users/groups and make sure there're no extra ones. Make sure to disable "guest" completely and change everyone's password.

You did run windows update [microsoft.com] recently, right?

As a matter of keeping people from connecting to your resources, make sure port 135 is blocked at the firewall/router. For fun, run some "shields up [grc.com]" goodness to find out what else is open.
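One way to do the log check Yuri asks for above and the port-135 check Safety Cap recommends, as an added example that is not code from anyone in this thread: it parses a constructed firewall log format (an assumption, not any real product's), keeps only accepted inbound connections within a time window such as the minutes before the shutdown prompt, and reports the ones that reached port 135 or the other Windows file-sharing ports (139 and 445, an assumption beyond what the thread names).

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"time"
)

// Constructed log format (assumed; not any vendor's real format):
// "2004-05-01 22:14:03 ACCEPT TCP 203.0.113.5:3344 -> 192.168.1.10:135 IN"
var lineRe = regexp.MustCompile(`^(\S+ \S+) (ACCEPT|DROP) \w+ [\d.]+:\d+ -> [\d.]+:(\d+) (IN|OUT)$`)

// Windows RPC/file-sharing ports the router should block (135 is the one named in the thread).
var riskyPorts = map[int]bool{135: true, 139: true, 445: true}

// SuspectInbound returns log lines for accepted inbound hits on risky ports within [from, to].
func SuspectInbound(lines []string, from, to time.Time) []string {
	var hits []string
	for _, l := range lines {
		m := lineRe.FindStringSubmatch(l)
		if m == nil || m[2] != "ACCEPT" || m[4] != "IN" {
			continue
		}
		ts, err := time.Parse("2006-01-02 15:04:05", m[1])
		port, _ := strconv.Atoi(m[3])
		if err != nil || ts.Before(from) || ts.After(to) || !riskyPorts[port] {
			continue
		}
		hits = append(hits, l)
	}
	return hits
}

// Constructed sample: a dropped probe, two accepted inbound hits inside the
// window, and one accepted inbound hit hours later.
var SampleLog = []string{
	"2004-05-01 22:10:00 DROP TCP 198.51.100.9:4021 -> 192.168.1.10:135 IN",
	"2004-05-01 22:14:03 ACCEPT TCP 203.0.113.5:3344 -> 192.168.1.10:135 IN",
	"2004-05-01 22:14:09 ACCEPT TCP 203.0.113.77:2201 -> 192.168.1.10:445 IN",
	"2004-05-02 03:00:00 ACCEPT TCP 203.0.113.5:3390 -> 192.168.1.10:135 IN",
}

func main() {
	from, _ := time.Parse("2006-01-02 15:04:05", "2004-05-01 22:00:00")
	for _, l := range SuspectInbound(SampleLog, from, from.Add(30*time.Minute)) {
		fmt.Println(l)
	}
}
```

The hits are the lines to correlate with the time Windows reported the extra connected users; a dropped probe on 135 is expected background noise, an accepted one is not.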

Re:You might (1)

FortKnox (169099) | more than 10 years ago | (#8979915)

I think the 'other users' may have been an automated web script I run from another (password-protected) account. Yeah, Windows is always up to date, as are my firewall and antivirus.

Re:You might (1)

Safety Cap (253500) | more than 10 years ago | (#8980614)

Now that you had a scare, it is probably a good time to burn all your important files to CDs... :)

Re:You might (1)

Abm0raz (668337) | more than 10 years ago | (#8980916)

I hope that's not my script, because it doesn't connect inbound, only out. It shouldn't register a connection in windows (but should show in the firewall logs).

-Ab

Just an idea... (2, Interesting)

Sloppy (14984) | more than 10 years ago | (#8982967)

Well, if you have a lot of software that auto-updates itself, you might want to look into how they do this. Maybe they're helpfully installing trojans on your behalf, instead of getting the actual updates that you want.

It's not hard to make stuff like that work correctly, but.. um, how can I delicately say this? I have worked with Windows app developers and.. well.. while I'm sure there are very bright people working on this stuff, you never quite know what you're going to get. Sometimes missing some really basic stuff, ya know. Maybe the guys who made the OS or the firewall or the antivirus or (whatever) .. don't use decent cryptotech and just blindly trust the remote server, that it loads updates from, to be who it says it is.

It would be amusing if you could attack millions of machines just with a little dns spoofing. "Here, come download my virus." ;-)
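As an added example of the point Sloppy makes, not code from anyone in the thread: an updater that pins the vendor's public key and checks both the manifest signature and the payload digest, so a spoofed update host or a swapped file is rejected instead of blindly trusted. It uses Ed25519 signatures from Go's standard library; the manifest format, the product name and the key pair generated in main are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one update file; SHA256 is the digest of the payload bytes.
type Manifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	SHA256  []byte `json:"sha256"`
}

// Sign is the vendor-side step: serialize the manifest and sign it with the vendor key.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte {
	enc, _ := json.Marshal(m) // a plain struct of strings and bytes cannot fail to marshal
	return ed25519.Sign(priv, enc)
}

// VerifyUpdate is the client-side step. The public key is pinned in the client at
// build time, so whoever answers the DNS lookup for the update host cannot forge
// a manifest, and a payload swapped in transit fails the digest check.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	enc, _ := json.Marshal(m)
	if !ed25519.Verify(pinned, enc, sig) {
		return errors.New("manifest signature invalid: not signed by the pinned vendor key")
	}
	if sum := sha256.Sum256(payload); !bytes.Equal(sum[:], m.SHA256) {
		return errors.New("payload digest does not match the signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // stands in for the vendor's long-term key pair
	payload := []byte("constructed update payload")
	sum := sha256.Sum256(payload)
	m := Manifest{Product: "ExampleAV", Version: "1.1", SHA256: sum[:]}
	sig := Sign(priv, m)
	fmt.Println("genuine:", VerifyUpdate(pub, m, sig, payload))
	fmt.Println("swapped:", VerifyUpdate(pub, m, sig, []byte("not the real update")))
}
```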

hmmm (1)

turg (19864) | more than 10 years ago | (#8979799)

Based on a quick googling, it looks like at least a few of these are backdoor-type trojans so once you got one, it could become the conduit by which the others got there.

The machine was up-to-date with Windows security updates, I assume?

icky (1)

KshGoddess (454304) | more than 10 years ago | (#8980026)

Just a quick google says that your dropper.small could've come via mail, a crack file, a desktop theme... and it's 3k, and brings at least one of your other viruses with it.

I'd look at what was downloaded recently, from where, etc. Makes me glad the last desktop I downloaded was a jpeg that wasn't compressed, zipped, etc.

Re:icky (1)

trmj (579410) | more than 10 years ago | (#8980591)

Makes me glad the last desktop I downloaded was a jpeg that wasn't compressed, zipped, etc.

I once thought that way as well, but when I downloaded the latest "super uber 31337" version of sub7 to see what new tricks it comes with, there was a nifty binding program that could bind the server to nearly any filetype and run it on opening, including images, office files, zips, even text documents.

It was also somewhat disturbing just how customizable the server program is for launching a sophisticated attack against one or hundreds of computers. Oh, and as of a few weeks ago Norton, McAfee, and AVG don't detect it, nor do Blackice, ZoneAlarm, or Norton firewalls (didn't bother to check McAfee).

Norton Internet Security: $80
BlackIce Defender: $30
McAfee Antivirus: $50
Cable Internet: $49.99/month
Still getting "owned" by the kid down the street: Priceless

Knowledge is the best antivirus, but paranoia is quickly becoming a close second. For everything else, there's housecall [antivirus.com].

Re:icky (1)

Abm0raz (668337) | more than 10 years ago | (#8980931)

One of my co-workers got a Downloader virus today (.JD variety). All the downloaders (there are over 50) do the same thing: connect to a website and download a trojan, usually sub-7.

-Ab

Random security advice (1)

Planesdragon (210349) | more than 10 years ago | (#8982866)

Rename the administrator and guest accounts.

"root" and "user" -- or "God" or "admin" or "l33t" even.

It makes it just that little bit harder to break in.

Run Linux? (1)

ces (119879) | more than 10 years ago | (#8994943)

I know it sounds like a snarky answer but I just don't have these sorts of problems with my linux box. I run VMWare when I need windows only applications. I don't have the instances of windows running under VMWare as locked down as I would if they were the host OS. However I've yet to have a problem because they typically are only running when I need a windows app. Even if one of them was to get infected I'd just roll it back to the snapshots I have from just after installation. (The files are mounted from the host linux system via SAMBA.)

I haven't played with some of the other ways of running Windows apps from inside linux such as WINE but I haven't felt the need to since I have VMWare and it does what I need it to.

Re:Run Linux? (1)

FortKnox (169099) | more than 10 years ago | (#8995833)

I -have- a linux machine. Works like a charm (although I think a harddrive is about to go in it...)

The windows box is there to be a windows box. It's where I put all my windows apps (games, visual studio, etc...).

Re:Run Linux? (1)

ces (119879) | more than 10 years ago | (#9001639)

I -have- a linux machine. Works like a charm (although I think a harddrive is about to go in it...)

The windows box is there to be a windows box. It's where I put all my windows apps (games, visual studio, etc...).

I have a windows box here too, but it rarely gets turned on as I do most everything under linux and firing up VMWare is easier than firing up the windows box when I need photoshop or to browse some IE only site.

Basically it's worth getting to the point that you don't care when your windows clients are down because you can still get work done or it really isn't your primary environment anymore. It's also worth running windows inside a sandbox like VMWare that insulates you somewhat from the virus/bug/security hole of the day. Worst comes to worst, a "reinstall" consists of booting off the clean system image I made right after I installed most of the apps I care about.

Beyond that don't run IE except when you have to, don't use Outlook or Outlook Express for email unless you have a good virus/trojan scanner on the server and strip attachments.

Also a hardware firewall is worth considering. Most people I know who have one don't seem to have quite the problems of those who are relying on Zone Alarm and a virus scanner to protect them. WatchGuard, SonicWall, and NetScreen all make good low-end firewalls. If you can't spring for a commercial one or you want to learn something (and gain extra functionality and flexibility) it is fairly easy to build one using an old PC, Linux or OpenBSD, and a couple of NICs.