RE: Getting hacked

Boomeruk

Fledgling Freddie
Joined
Dec 23, 2003
Messages
523
So last night, I'm sat on MSN, chatting to a mate... when all of a sudden it starts typing stuff for me?

This was odd, so I questioned it by typing, and got rebooted.

Tried to access Ctrl+Alt+Delete to find my running processes, but every time I open it, it automatically closes.

Go back online to carry on chatting when the same thing happens again!

So, something like this happens on MSN:

Me: ok mr hax0r of doom, reboot me you fuckin gimp
Mate: yea, haha newbi , reboot him, haha you fag l33t kid
Me: grr, what a scriptkiddy, reboot me!!

<rebooted>

log back on msn:

Me: uhm, ok, that was pretty cool, but WTF!??!!!
Mate: rofl mate, thats scarey
Me: Dude how did you do that
Hacker: I'm sorry

<opens Notepad>

names the file "morron.txt" and types:

i can see all i have your email accounts when you try to use you web can for fun i reboot you i own you

Then a long conversation about how he owned me, in Notepad of all things...
Then he showed me, in my system32 dir, my keylogger.txt; the guy had me for 3 solid days.

Then he helped me remove the backdoor I had on my system, and told me how to protect against it in the future.

Now luckily, I got a very nice, not too malicious hacker on my system, and he had complete control of my PC, and I mean complete. He could reboot me on command, open any window, read anything I've typed. I felt very violated to say the least...

Be careful what you download, use a decent firewall, keep an eye on incoming connections / running processes.... cuz all these people who say they can't get complete control like that.... are wrong.
 

Thorwyn

FH is my second home
Joined
Dec 22, 2003
Messages
4,752
What kind of security programs were you running when you got hacked? Any Firewall, Virus Scanners etc?
 

Boomeruk

Fledgling Freddie
Joined
Dec 23, 2003
Messages
523
I've been online for 5 years+ now, I've worked for a couple of IT companies, I'm fairly clued up when it comes to most things IT based...

I've always been lax on my own security, as I don't have anything sensitive, or don't use my PC for anything other than fucking around... I had no firewall up, but it got past Norton Antivirus.

I believe it was installed with a webcam driver I downloaded, but the installation went as normal, and no problems with Norton...

The guy had complete access for 3 days before he probably got bored of messing with me and decided to show himself.

I now run Sygate Personal Firewall, Webroot Spy Sweeper, and I'm using a trial copy of Swat IT, Trojan Watch...

.... I've learnt my lesson, but as I said, he wasn't to my knowledge a malicious hacker, in fact, quite the opposite, helping me remove and protect... but still, the fact that he read my private emails, saw every convo on MSN for 3 days etc... makes me feel very insecure atm.
 

Herjulf

Banned
Joined
Dec 24, 2003
Messages
673
Yes, lesson learnt by you the hard way.

Norton AV alone won't give you protection if you have an Internet-accessible IP address.
There are many ways to get haxxed in your way.

1. The most common is not updating Windows with important patches. Surfing the web alone can give hackers access to your system if you don't do this, but also simply turning on the computer if it's not patched up will very likely mean you've got a trojan installed within seconds.

2. IRC - be very careful about clicking links in IRC. Cut and paste instead.

3. Spyware/trojans - did you click yes on "want unlimited access to the best spanksex online?".

Protection:

Keep patched - service packs, security updates etc.

I strongly suggest registered/public IP addresses on your personal computer. So get a cheap @home router. Port forward important traffic like BitTorrent and Direct Connect. Don't sit "big bad internet" <-> "YOU"; sit "big bad internet" <-> "MrRouter" <-> "you".

Stealth is always good: don't show big bad internet you are alive. Make sure your firewall/router knows you want this, and show unreachable if they ping/portscan. >null it is good.

Awareness is the key. Don't open program attachments, don't accept ANY Visual Basic popup windows. If you do this you allow software to run on your computer.

Protection software:

I like the registered ZoneAlarm + Norton Antivirus 2005 combo, with automatic updates turned on on both. Same with Windows XP, so I don't fail to update just because I am lazy. ZoneAlarm is nice because of the "software trying to access the net" part. So if an installed program tries to open a socket, you get told if you haven't allowed it.

Do occasional spyware scans with Ad-aware and spyware killers. It's a good idea to remove some tracking cookies, pref once a week. Schedule it if you can.

Don't have the computer turned on when you don't need to have it on, like when you're not downloading something.
 

sibanac

Fledgling Freddie
Joined
Dec 19, 2003
Messages
824
I hope you completely formatted that PC, because otherwise you are just asking to be "pwnd" again
 

Elewyth

Banned
Joined
Jan 7, 2004
Messages
112
I used a Trojan once, came disguised as a whack-a-mole game... you ran it, I had complete control over your PC... I could even open your CD-ROM drive.. sounds quite similar to that tbh... nothing major to worry about.. just reformat your HD, don't listen to his "advice" about blocking your system, most likely he's a 12-year-old spotty freak with about as much computer sense as a lemming on the edge of a cliff... just reformat and only use official drivers for anything and NEVER download them from anywhere except the official pages.
 

Boomeruk

Fledgling Freddie
Joined
Dec 23, 2003
Messages
523
Old.Elewyth said:
I used a Trojan once, came disguised as a whack-a-mole game... you ran it, I had complete control over your PC... I could even open your CD-ROM drive.. sounds quite similar to that tbh... nothing major to worry about.. just reformat your HD, don't listen to his "advice" about blocking your system, most likely he's a 12-year-old spotty freak with about as much computer sense as a lemming on the edge of a cliff... just reformat and only use official drivers for anything and NEVER download them from anywhere except the official pages.

This was a little more severe...

i.e.: he had a keylogger on my system for 3 days; during those 3 days, I bought something online using my CC. When he showed me where to find the logged text, there they were, my CC details, written underneath what window I entered them into, time and date stamped. (mixed in with a bunch of cyber I'd had with some hot chick ;P)

Also he had complete control over everything, he could move my mouse, open the CD tray (usual scriptkiddy stuff) but also take over what I was doing, totally hijacked a conversation I was having with a friend, and just rebooted my system for fun.

Strange thing was though, his help worked, I did as he said (it made logical sense anyway, as what he told me to do was what I would have done without his help).

Bank's been phoned, card's been blocked and a new one is in the mail... passwords have changed 3 times, firewall is up and incoming/outgoing connections are monitored 24/7... ran about 7 different virus/trojan/spy/adware sweeps, I'm clean as it stands, can't be arsed to format, have no form of backup on this system, but for now I'm secure (I hope)

Oh... and the even funnier thing... the webcam driver works 100x better than the one supplied on CD/on the retailer's website rofl
 

Elewyth

Banned
Joined
Jan 7, 2004
Messages
112
Boomeruk said:
This was a little more severe...

i.e.: he had a keylogger on my system for 3 days; during those 3 days, I bought something online using my CC. When he showed me where to find the logged text, there they were, my CC details, written underneath what window I entered them into, time and date stamped. (mixed in with a bunch of cyber I'd had with some hot chick ;P)

Also he had complete control over everything, he could move my mouse, open the CD tray (usual scriptkiddy stuff) but also take over what I was doing, totally hijacked a conversation I was having with a friend, and just rebooted my system for fun.

Strange thing was though, his help worked, I did as he said (it made logical sense anyway, as what he told me to do was what I would have done without his help).

Bank's been phoned, card's been blocked and a new one is in the mail... passwords have changed 3 times, firewall is up and incoming/outgoing connections are monitored 24/7... ran about 7 different virus/trojan/spy/adware sweeps, I'm clean as it stands, can't be arsed to format, have no form of backup on this system, but for now I'm secure (I hope)

Oh... and the even funnier thing... the webcam driver works 100x better than the one supplied on CD/on the retailer's website rofl

Yep, the one I had could take random screenshots of your desktop, it could also see your keystrokes in realtime and saved logs... sounds pretty similar. If it is the one I used many moons ago then it's definitely a downloadable file you got nabbed with... oh and there isn't a "fix" for it, since the one I had uses a password system, i.e. I could lock your system off to any other users but me and anyone who knows what password I used to access your PC, which is why I say reformat your HD since he will still have access to your PC whenever you log on.
 

Gotrag

Fledgling Freddie
Joined
Apr 13, 2004
Messages
1,490
Dude that was some scary shit... at first I thought you were fucking with me... to start with we were swearing at the guy, by the end of it we were declaring him as god....

Be careful what you download
Wonder if he was talking about pr0n :p
 

Alan

Fledgling Freddie
Joined
Aug 3, 2004
Messages
3,972
Boomeruk said:
now luckily, I got a very nice, not too malicious hacker.

The problem is these backdoor systems can get installed by something - but then abused by many. Normally these backdoor systems go and paste your IP in a chat room so someone can then watch that chat room for all the systems coming onto the internet that are affected.

If you ever notice something like this then switch off your PC, remove the network cable, then power it back on and diagnose.

There is no such thing as a nice hacker, anyone that does the things you have stated is breaking the law. If you can get time, drop to a command prompt and do a

netstat > file.txt

This will dump the list of any IP addresses connected to your computer, one of these will be the hacker, the police and your ISP can then track down who.
 

Gotrag

Fledgling Freddie
Joined
Apr 13, 2004
Messages
1,490
Dude, he couldn't access Ctrl+Alt+Del, don't think he could access the command prompt, might be wrong... if you didn't guess, I was the one talking to him so I understood and know everything that was going on
 

Boomeruk

Fledgling Freddie
Joined
Dec 23, 2003
Messages
523
lol Gotrag, you left me on my own with the guy ><

Anyway, I got his host/IP, anyone with decent tracing skills wanna PM me and we can try trace his ISP etc?
 

XhitmanX

Banned
Joined
Aug 1, 2004
Messages
144
Boomeruk said:
lol Gotrag, you left me on my own with the guy ><

Anyway, I got his host/IP, anyone with decent tracing skills wanna PM me and we can try trace his ISP etc?
Check your PMs
 

Boomeruk

Fledgling Freddie
Joined
Dec 23, 2003
Messages
523
Ok, he's back and messing with me again...

My firewall flashed at me, apparently he tried to access/change my C:\WINDOWS\system32\tracert.exe

I declined the change and my firewall reports this action as "blocked"

Checked my inc/outgoing connections... and got the log from my firewall..

Here's the log:

The executable has changed since the last time you used: C:\WINDOWS\system32\tracert.exe
File Version : 5.1.2600.2180
File Description : TCP/IP Traceroute Command
File Path : C:\WINDOWS\system32\tracert.exe
Process ID : 0x5E0 (Heximal) 1504 (Decimal)

Connection origin : local initiated
Protocol : ICMP
Local Address : 192.168.1.10
ICMP Type : 8 (Echo Request)
ICMP Code : 0
Remote Name : pool-68-238-18-137.rich.east.verizon.net
Remote Address : 68.238.18.137

Ethernet packet details:
Ethernet II (Packet Length: 120)
Destination: 00-40-f4-a2-7a-a7
Source: 00-10-dc-fc-81-07
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 1
Protocol: 0x1 (ICMP - Internet Control Message Protocol)
Header checksum: 0x2352 (Correct)
Source: 192.168.1.10
Destination: 68.238.18.137
Internet Control Message Protocol
Type: 8 (Echo Request)
Code: 0
Data (68 bytes)

Binary dump of the packet:

Anyone got any ideas? oO
 

wittor

Can't get enough of FH
Joined
Dec 31, 2003
Messages
1,917
format c :eek:

and install your firewall and stuff again
 

Boomeruk

Fledgling Freddie
Joined
Dec 23, 2003
Messages
523
arf

I've got like, 4 years of stuff on here I can't replace, and no form of backup

Next suggestion?

:(
 

IainC

English WAR Community Manager
Joined
Apr 21, 2004
Messages
1,862
Boomeruk said:
arf

I've got like, 4 years of stuff on here I can't replace, and no form of backup

Next suggestion?

:(
Back up more often.
Then boot to DOS. fdisk, fdisk /mbr, and format c:
 

Elewyth

Banned
Joined
Jan 7, 2004
Messages
112
Boomeruk said:
arf

I've got like, 4 years of stuff on here I can't replace, and no form of backup

Next suggestion?

:(

Get WinZip, buy a cheap 2nd HD and zip and save what you need... I bought an 80GB HD for £40 the other day.. and really you HAVE to format... I'll see if I can dig up the .ini files he might be using to get you... it re-installs itself on each reboot.. also look in your PREFETCH directory and remove any unrecognised .pf's in there.. that's one way he keeps getting re-activated, so to speak..
 

Elewyth

Banned
Joined
Jan 7, 2004
Messages
112
Ports: 12361, 12362, 12363
Files: Whakmole.exe - 314,636 bytes Whakamole170.exe - 357,455 bytes Whack.exe -


Have a look for these files on your PC and also use a registry cleaner, there's plenty of good free ones out there.
 

Comos

Loyal Freddie
Joined
May 4, 2004
Messages
937
Boomeruk, dunno what he is using now, but most likely he was using SubSeven before, or a similar Trojan. This one basically allows the hacker to do ANYTHING with the victim's PC using a user-friendly kiddy interface. Absolutely anyone can use it, cuz I've seen how it works. It's a pretty dumb noob program and should be spotted by NAV, although there may be newer versions now.
Do as ppl told you here, back up what you need, format your HDD. And better double scan everything you backed up as well, before you restore it
 

Prudil

One of Freddy's beloved
Joined
Dec 24, 2003
Messages
458
Contact his ISP (abuse email) and attach your firewall logs (it's important to report date/time, since he's a DHCP user). Here is what a WHOIS search tells me about the "intruder":

OrgName: Verizon Internet Services
OrgID: VRIS
Address: 1880 Campus Commons Dr
City: Reston
StateProv: VA
PostalCode: 20191
Country: US

NetRange: 68.236.0.0 - 68.239.255.255
CIDR: 68.236.0.0/14
NetName: VIS-68-236
NetHandle: NET-68-236-0-0-1
Parent: NET-68-0-0-0-0
NetType: Direct Allocation
NameServer: NSDC.BA-DSG.NET
NameServer: GTEPH.BA-DSG.NET
Comment: Please send all abuse reports to abuse@verizon.net.
Comment: DO NOT send e-mail to DIA.ADMIN@verizon.com as it will not be answered.
RegDate: 2003-07-18
Updated: 2004-11-01

NOCHandle: ZV20-ARIN
NOCName: Verizon Internet Services
NOCPhone: +1-703-295-4583
NOCEmail: IPNMC@gnilink.net

OrgAbuseHandle: VISAB-ARIN
OrgAbuseName: VIS Abuse
OrgAbusePhone: +1-214-513-6711
OrgAbuseEmail: abuse@verizon.net

OrgTechHandle: ZV20-ARIN
OrgTechName: Verizon Internet Services
OrgTechPhone: +1-703-295-4583
OrgTechEmail: IPNMC@gnilink.net

-------------------------------------------

Send complaint to the following address: abuse@verizon.net

Check your system with the following command to see "open" connections/processes associated with the connection etc, port numbers/IP addresses etc:

netstat -nobv (requires WinXP)
netstat -na (W2k and older)

Terminate any suspicious processes, search for the name of the processes in your local registry using "ctrl+b" in regedit. Delete ANY associations with the process.

If this doesn't help, report it to your own ISP's abuse team and make them escalate it to verizon.net. This should result in this guy suddenly losing his ISP connection (banned) :flame:
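Alan's `netstat > file.txt` and Prudil's `netstat -nobv` both come down to the same triage: read which process owns which connection and pick out the ones that should not be there. As an added example (not code from the thread), this Python script parses that output and returns the findings a defender would review first: listeners on the backdoor ports Elewyth lists, and every established connection to a public address with its owning process. The netstat sample, the process names and the PIDs are constructed; only the remote address and the three port numbers are the ones quoted in the posts.

```python
import ipaddress
import re

# Constructed sample of `netstat -nob` output from a Windows XP machine, NOT a capture
# from the thread: remote address and ports are quoted in the posts, names/PIDs are made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:12362          0.0.0.0:0              LISTENING       1504
 [svch0st.exe]
  TCP    192.168.1.10:1052      68.238.18.137:12361    ESTABLISHED     1504
 [svch0st.exe]
  TCP    192.168.1.10:1061      207.46.110.20:1863     ESTABLISHED     2208
 [msnmsgr.exe]
  UDP    192.168.1.10:137       *:*                                    4
 [System]
"""

# Listener ports Elewyth associates with the whack-a-mole trojan (from the thread).
SUSPECT_PORTS = {12361, 12362, 12363}

def split_endpoint(ep):
    """'68.238.18.137:12361' -> ('68.238.18.137', 12361); '*:*' -> ('*', 0)."""
    host, _, port = ep.rpartition(":")
    return host, (int(port) if port.isdigit() else 0)

def parse_netstat(text):
    """Turn `netstat -nob` output into records, attaching the [process] line
    that netstat prints under each socket to that socket."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        owner = re.fullmatch(r"\[(.+)\]", fields[0])
        if owner and conns:              # " [name.exe]" belongs to the socket above it
            conns[-1]["process"] = owner.group(1)
            continue
        if fields[0] not in ("TCP", "UDP"):
            continue                     # column header and other noise
        state = fields[3] if fields[0] == "TCP" else ""   # UDP has no State column
        conns.append({"proto": fields[0], "local": fields[1], "remote": fields[2],
                      "state": state, "pid": int(fields[-1]), "process": "?"})
    return conns

def is_public(host):
    """True for routable addresses; '*', '0.0.0.0' and private ranges are not."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False

def triage(conns, suspect_ports=SUSPECT_PORTS):
    """Findings a defender reviews by hand: listeners on known backdoor ports and
    every established connection to a public address, with the owning process."""
    findings = []
    for c in conns:
        _, lport = split_endpoint(c["local"])
        rhost, rport = split_endpoint(c["remote"])
        if c["state"] == "LISTENING" and lport in suspect_ports:
            findings.append(f"BACKDOOR-PORT pid={c['pid']} {c['process']} listens on {lport}")
        elif c["state"] == "ESTABLISHED" and is_public(rhost):
            tag = "BACKDOOR-PORT" if rport in suspect_ports else "REVIEW"
            findings.append(f"{tag} pid={c['pid']} {c['process']} -> {rhost}:{rport}")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_netstat(SAMPLE_NETSTAT)):
        print(finding)
```

A "REVIEW" line is not proof of anything (the MSN client's own connection is flagged too); it is the list to look up by process name, as Mojo suggests further down, and the PID is what you kill and then hunt for in the registry and Prefetch.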
 

Boomeruk

Fledgling Freddie
Joined
Dec 23, 2003
Messages
523
I found the backtrace/whois button on my firewall and it gave me that info Prud..

I called verizon.net in the US and spoke to some cool American bloke who said he'd investigate it.

I then got a call at 4am saying they have been following him for quite some time, apparently a lot of the stuff he did was untraceable, but when he did it to me, he left himself wide open for some reason

Now for the time being he's ISP-less :p

As for the kak he had on my system, it's well gone, a friend came round and we systematically found the files and deleted them in safe mode (and found the file he used to install them on me), was a small file in my c:\documents and settings\administrator\local settings\temp dir

called winamp-sp1-2353.exe, extracted and executed that safely away from my network in quarantine, was undetectable by everything, Norton didn't pick it up, neither did EZ virus scan.... F-Prot got it in the end, we looked at it, was pretty nifty to say the least, it extracted several files to my system32 dir.. and re-installed the trojan, but this time we got a log of everything it did so we could remove it properly and find anything we missed :)

Now all my ports are stealthed and my firewalls / F-Prot live scanner are working a treat... cheers for all the info guys :)
 

Huntingtons

Resident Freddy
Joined
Jan 19, 2004
Messages
10,770
Boomeruk said:
I found the backtrace/whois button on my firewall and it gave me that info Prud..

I called verizon.net in the US and spoke to some cool American bloke who said he'd investigate it.

I then got a call at 4am saying they have been following him for quite some time, apparently a lot of the stuff he did was untraceable, but when he did it to me, he left himself wide open for some reason

Now for the time being he's ISP-less :p

Will he be tried?
 

Mojo

Fledgling Freddie
Joined
Feb 27, 2004
Messages
1,940
Boomeruk said:
arf

I've got like, 4 years of stuff on here I can't replace, and no form of backup

Next suggestion?

:(


Format c:\ is what people do when they cannot fix the problem.

You could install ZoneAlarm to find out all the names of the processes trying to access the internet, you could also run a search for all services currently in use on your PC.

The reason he has access is because something is running on your PC to allow that access, you need to find out what that is and turn it off. Because ZA blocks outbound traffic by default it will give you a simple way to check.

Imo install ZoneAlarm, set security to high, write down the names of all programs/services trying to access the internet over 1hr or so, then research them using Google. If using XP install SP2.

Pretty simple stuff for anyone's tech level.

Purchase some AV software and keep it up to date. Be wary of free software claiming to be a trojan scanner, make sure it is; if it's any good and legit people will be discussing it on forums etc, if not then the same applies :p

/format c is for people who either don't know how to fix things or can't be arsed to fix things, it's an absolute last resort IMO.

btw you could just copy 4 years' worth of stuff off before you rebuild
:wij:
 

Jayce

Fledgling Freddie
Joined
Jan 23, 2004
Messages
438
Boomeruk said:
As for the kak he had on my system, it's well gone, a friend came round and we systematically found the files and deleted them in safe mode (and found the file he used to install them on me), was a small file in my c:\documents and settings\administrator\local settings\temp dir

called winamp-sp1-2353.exe, extracted and executed that safely away from my network in quarantine, was undetectable by everything, Norton didn't pick it up, neither did EZ virus scan.... F-Prot got it in the end, we looked at it, was pretty nifty to say the least, it extracted several files to my system32 dir.. and re-installed the trojan, but this time we got a log of everything it did so we could remove it properly and find anything we missed :)

Now all my ports are stealthed and my firewalls / F-Prot live scanner are working a treat... cheers for all the info guys :)

Now please send this information to Norton and any other AV or spyware company you know of so they can update their defs to get this particular program looked for and dumped before it does any harm.
 

Boomeruk

Fledgling Freddie
Joined
Dec 23, 2003
Messages
523
Jayce said:
Now please send this information to Norton and any other AV or spyware company you know of so they can update their defs to get this particular program looked for and dumped before it does any harm.

Done, I sent Norton a contained version of the exe for them to look at and investigate why it got through without a blip, but didn't get past F-Prot (with much older defs)
 

Ingafgrinn Macabre

Can't get enough of FH
Joined
Jan 4, 2004
Messages
3,155
Verizon..... I've been portscanned many times by a similar IP address (might even be the same one) also traced back to the Verizon IP range...
That ISP should check their users a bit better cos I think there are some pretty active hackers amongst them.
 

Comos

Loyal Freddie
Joined
May 4, 2004
Messages
937
Mojo said:
/format c is for people who either don't know how to fix things or can't be arsed to fix things, it's an absolute last resort IMO.

Excuse me, but there's nothing wrong with formatting when the situation is as serious as this. Just because it's an easy solution doesn't mean it's not a good one. At least by formatting you're ABSOLUTELY sure you got rid of the sh*t they got on your PC; there's no way of knowing you're fully safe if you followed all the steps, checked the logs of the programs that reinstall the trojans, etc. All you need is a backup of your important files, then a format is the most secure way of getting rid of the problem. If you followed a bit of the news around Half-Life 2 before its release, you should know that the first thing the ppl at Valve did after they got hacked was reformat their HDDs. And it's not like they wouldn't know how to fix the problem, it's cuz they wanted to be absolutely sure they were secure.
 
