Unable to stop intrusion?

Gibzilla (Gawd, joined Oct 26, 2000, 817 messages)
As I've said before I'm receiving some serious attacks on my puter. Let me give u the skinny. Since this is a muck-with system with no important data, I've tried 2 distros of linux, winxp and win2k. All fresh installs, all compromised within minutes of fresh install. Whoever is doing this either has a hardware level backdoor or works for the NSA. Coz this is impossible. Netstat in windows and linux shows nothing. Yet my mouse moves, programs start automatically and my password gets compromised. (come on people I'm not a tard - I know what an attack looks like).

If fdisking and fresh installing ain't helping I dunno what else to do? He/she/them is so good in fact that after every fresh install, when I try to go to an antivirus site first like antivir, nod32 or mcafee (i know I know), he/she/them blocks me by greying out the buttons or hanging the website, and only the antivirus site.

Once again, I'm talking both linux and windows OS'. In ubuntu 6.06 I still don't know how the hell he got complete control of my system, including siphoning off my password in firefox, within minutes of a fresh install. That's impossible in my book unless he has a supercomputer with a custom dictionary attack proggy.

Nothing works. I should try BeOS or Linspire? LOL. I got a fresh burnt cd of slackware 10.2 sitting in front of me but I doubt I'm gonna even try that at this point.

any suggestions?

btw, rootkit revealer and blacklight found nothing.
 
It's time to get drastic. Remove your network card. If it's built into the motherboard, disable it in the BIOS. I'm talking wireless, modem, anything...disable any means of remotely communicating with your PC. If you've got wireless peripherals, put them away for a bit and use a new bargain-bin keyboard and mouse for a bit. Don't give them (if there really is a "them") any way in and they won't be able to touch your system.

Once you've cut off access, blast your hard drive. Get the diagnostic tool from the hard drive manufacturer and run a zero fill on it, and let whatever OS you choose to install take care of partitioning. Randomly generate new passwords (on another computer of course) so that they're impossible to guess.

If you go with Windows XP, make sure SP2 is installed prior to putting it online. Install whatever other security software you're comfortable with; I'd recommend at least getting AVG for the virus scanner and installing Spybot S&D so you can immunize it.

Basically, cut your computer off from the outside world, reload it with all new passwords, and then reconnect it and see what happens.
 
1) you want to tell me that after you fdisk and reinstall the OS all this happens a few minutes later
2) someone waits around 24/7 for you to reinstall the OS so they can immediately get through any protection you put up, whether it's OS based, strong passwords etc...
3) then they waste all this effort they put into it and show off by moving your mouse around and generally being non-destructive a-holes

ok... and then you woke up and found yourself living the same old mundane life you lived the day before.

What he describes is impossible and shouldn't even show up in a movie, unless some lame characters are playing the hackers, like angelina jolie and the rock :)

put on your tinfoil hat, watch out for black helicopters and go hide in your closet :)
 
The only credible thing I can come up with is that someone may have put a USB wireless remote unit between the cords for your mouse and keyboard, and the ports they plug into. I know this because I've seen it done before to fuck with people. However, this was all in one room. Past that, you're unloading a stinky pile of mendacity.
 
If the BIOS was in write mode and a virus wrote to the BIOS, nothing he has done would stop someone from doing what he claims is going on.

Here is what I would do.

With a non-compromised computer.

Download a clean BIOS for that computer.
Disable or remove all ethernet cards/USB/wireless cards.
USE THIS http://dban.sourceforge.net/ I prefer the Gutmann method.
Clean install the machine with all data via a 3rd transport. USE burned CDs; do not connect that machine up to any network until you have it locked up.

Then and only then would I connect such a machine to another network.


Also it is possible to infect VGA BIOSes and darn near any other EEPROM that is writeable. The thing is, it's extremely rare these days for someone to do.

I figure he most likely had a bootsector or BIOS virus that a format wouldn't touch.

Later,

Mackintire
 
Mackintire said:
If the BIOS was in Write mode and a virus wrote to the BIOS nothing he has done would stop someone from doing what he claims is going on.

Except that BIOS viruses would have to have been a part of a software package that was eliminated on fdisk/format.

The extremely remote possibility is that the virus wrote a payload into track 0 of the hard drive whilst compromising the BIOS. The chance of this track being left intact at this point is not completely remote, but this vector isn't a good one for root kits, which is the behaviour you are describing.

Additionally, the BIOS has no way of knowing what OS you are running, and therefore has no way of communicating to the payload a particular piece of code to run. Therefore it wouldn't really be able to be the end-all cross-platform monster you're talking about here.

Plausible scenarios are:

1) you're pulling everyone's leg

2) you have a roommate/neighbor with access to your network/system that is totally screwing with you

3) you have the same wireless keyboard and mouse as someone within range of you (i really liked that idea, pigster ;) )

Less plausible scenarios:

1) somehow you're managing to install the same root kit over and over that does have a sophisticated means of detecting an OS

2) you were messing with some low level editor for one of your machine's BIOSes (i.e. video) and allowed a vector in through a binary you loaded

3) everything else

Truth is that there are no recorded incidents of a BIOS based root kit. Doesn't mean they can't exist, but it does mean you're an unlikely candidate for the first one in recorded history. Reason being the attacker would need to have a good idea of the target's BIOS block layout to ensure their virus didn't prevent the machine from booting at all, which means knowing the target. If you're not already suspecting someone, then chances are you don't know someone capable of this kind of a feat (unless you get a lot of free software from a Russian buddy on IRC or something along those lines).

If you're pulling our leg, good laugh! If not, keep it simple, look for a mouse/keyboard adapter on your machine. If this is an internet based attack, a linux based router would let you know this immediately.
 
I've followed popekevini and stuff seems to die down a bit but I can't be 100% certain. Now that one of you has mentioned the BIOS: I've upgraded to a beta BIOS thinking it was all in my head. Now my BIOS is pw protected and I've locked down my bootsector against change after my last clean OS install. I don't have a wireless keyboard/mouse and I've disabled wireless long ago. The attack is coming from outside and he/she/them is banging my 1026/1027 ports.

I'm getting a lot of spamming on port 1026 according to my router, about 100x an hour. Is that normal? Is this guy trying to exploit DCOM/Messenger RPC?

I ain't kidding when all this crazy sh1t was happening. My modem (not dial up) light was solid green and I wasn't downloading anything. Windows/linux autoupdate was the first thing I turned off so it wasn't that.

Does anyone remember back in them days when the G'man made motherboard manufacturers include a tracking code or a chip? What about the NSA backdoor incident with windows software in 1999?

I'm heartattack serious.

[INFO] Tue Sep 19 12:27:41 2006 Blocked incoming UDP packet from 202.99.172.163:34833 to mycomputer:1027
[INFO] Tue Sep 19 12:27:41 2006 Blocked incoming UDP packet from 202.99.172.163:34833 to mycomputer:1026
[INFO] Tue Sep 19 12:24:32 2006 Blocked incoming UDP packet from 204.16.208.179:41300 to mycomputer:1026
[INFO] Tue Sep 19 12:24:32 2006 Blocked incoming UDP packet from 204.16.208.179:41299 to mycomputer:1027
[INFO] Tue Sep 19 12:24:32 2006 Blocked incoming UDP packet from 204.16.208.179:41299 to mycomputer:1026
[INFO] Tue Sep 19 12:23:58 2006 Blocked incoming UDP packet from 221.208.208.96:55576 to mycomputer:1027
[INFO] Tue Sep 19 12:23:58 2006 Blocked incoming UDP packet from 221.208.208.96:55576 to mycomputer:1026
[INFO] Tue Sep 19 12:23:01 2006 Blocked incoming UDP packet from 202.97.238.130:41169 to mycomputer:1026
[INFO] Tue Sep 19 12:22:00 2006 Blocked incoming UDP packet from 193.47.186.58:30356 to mycomputer:1026
[INFO] Tue Sep 19 12:21:59 2006 Blocked incoming UDP packet from 24.189.5.114:14675 to mycomputer:1026
[INFO] Tue Sep 19 12:20:29 2006 Blocked incoming UDP packet from 202.97.238.132:52518 to mycomputer:1026
[INFO] Tue Sep 19 12:20:24 2006 Blocked incoming TCP connection request from 61.240.246.143:6000 to mycomputer:7212
[INFO] Tue Sep 19 12:20:24 2006 Previous message repeated 1 time
[INFO] Tue Sep 19 12:19:41 2006 Blocked incoming UDP packet from 202.97.238.131:47257 to mycomputer:1026
 
zrac said:
ok... and then you woke up and found yourself living the same old mundane life you lived the day before.

I was thinking the same thing but gave him the benefit of the doubt and went through really insane measures to ensure no possible communication, including accounting for...

pigster said:
Your neighbor has the same brand of wireless mouse and keyboard :p

This was actually my first thought, but I didn't know how to break it to him. He seemed so certain he was a target.

Aelfgeft said:
The only credible thing I can come up with is that someone may have put a USB wireless remote unit between the cords for your mouse and keyboard, and the ports they plug into. I know this because I've seen it done before to fuck with people. However, this was all in one room. Past that, you're unloading a stinky pile of mendacity.

I hadn't thought about this, and was assuming (bad idea, I know) that he'd at least checked his keyboard connections and would have noticed the new equipment.

Mackintire said:
If the BIOS was in Write mode and a virus wrote to the BIOS nothing he has done would stop someone from doing what he claims is going on.

I don't think a compromised BIOS would allow someone access to his operating systems like that. For that matter, I don't think it'd be capable of external communication at all. I've never even seen a boot sector virus that could compromise multiple OSs, much less do so and then talk to another system via some network protocol.
 
Gibzilla said:
Does anyone remember back in them days when G'man made motherboard manufacturers to include a tracking code or a chip? What about NSA backdoor incident with windows software in 1999?

As for the tracking code, I'm not sure what you're talking about. Closest thing I can come up with is the P3 serial number, which was Intel's doing, government intervention not included.

The NSA backdoor may or may not even be true--I've never read where the initial reports were confirmed, just that a crypto key called _NSAKEY was found--and unless you were doing something that used CryptoAPI, you'd be safe from it anyway. Besides, that wouldn't explain their ready access to Linux.
 
Tada.......

http://www.linklogger.com/messenger_spam.htm

Looks like messenger spam to me. It also notes that there was a Windows XP exploit that allowed the user to take control of your machine. If you patch up and have SP2 installed and filter the garbage with a router, you shouldn't have any problems.

Seriously it's as simple as install Windows XP, upgrade to SP2 (which turns off the messenger service), use a decent router...and your problems should be gone.

Gotta love Google....

Later,

Mackintire
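The router log Gibzilla posted above and Mackintire's Messenger-spam diagnosis, worked through as an added example (my own code, not anything from the thread or the linklogger page). It parses the exact log format quoted in the thread, expands the "Previous message repeated N time" lines into copies of the prior event, and separates UDP hits on the Messenger-service ports from everything else so you can see at a glance whether this is background noise or one party hammering you. The port set 1026-1029 and the rule "many unrelated sources hitting the same Messenger ports = untargeted spam" are my assumptions from how that spam was commonly described, not something the thread itself states.

```python
"""Sort a consumer-router firewall log into Messenger-service spam vs. everything else.

Log format: the one quoted in the thread above. Classification rule (UDP to
ports 1026-1029 = Windows Messenger service spam, harmless once the service
is off / SP2 is on) is an assumption based on common descriptions of it.
"""
import re
from collections import Counter
from datetime import datetime

# Log excerpt copied from the post in this thread (not constructed).
LOG_LINES = """\
[INFO] Tue Sep 19 12:27:41 2006 Blocked incoming UDP packet from 202.99.172.163:34833 to mycomputer:1027
[INFO] Tue Sep 19 12:27:41 2006 Blocked incoming UDP packet from 202.99.172.163:34833 to mycomputer:1026
[INFO] Tue Sep 19 12:24:32 2006 Blocked incoming UDP packet from 204.16.208.179:41300 to mycomputer:1026
[INFO] Tue Sep 19 12:24:32 2006 Blocked incoming UDP packet from 204.16.208.179:41299 to mycomputer:1027
[INFO] Tue Sep 19 12:24:32 2006 Blocked incoming UDP packet from 204.16.208.179:41299 to mycomputer:1026
[INFO] Tue Sep 19 12:23:58 2006 Blocked incoming UDP packet from 221.208.208.96:55576 to mycomputer:1027
[INFO] Tue Sep 19 12:23:58 2006 Blocked incoming UDP packet from 221.208.208.96:55576 to mycomputer:1026
[INFO] Tue Sep 19 12:23:01 2006 Blocked incoming UDP packet from 202.97.238.130:41169 to mycomputer:1026
[INFO] Tue Sep 19 12:22:00 2006 Blocked incoming UDP packet from 193.47.186.58:30356 to mycomputer:1026
[INFO] Tue Sep 19 12:21:59 2006 Blocked incoming UDP packet from 24.189.5.114:14675 to mycomputer:1026
[INFO] Tue Sep 19 12:20:29 2006 Blocked incoming UDP packet from 202.97.238.132:52518 to mycomputer:1026
[INFO] Tue Sep 19 12:20:24 2006 Blocked incoming TCP connection request from 61.240.246.143:6000 to mycomputer:7212
[INFO] Tue Sep 19 12:20:24 2006 Previous message repeated 1 time
[INFO] Tue Sep 19 12:19:41 2006 Blocked incoming UDP packet from 202.97.238.131:47257 to mycomputer:1026
""".splitlines()

BLOCK_RE = re.compile(
    r"^\[(?P<level>\w+)\] (?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"Blocked incoming (?P<proto>UDP|TCP) (?:packet|connection request) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>\S+):(?P<dport>\d+)$"
)
REPEAT_RE = re.compile(r"Previous message repeated (?P<n>\d+) times?$")

# UDP ports the Messenger service listened on and that the spam floods hit
# (assumed set; the thread itself only mentions 1026 and 1027).
MESSENGER_PORTS = {1026, 1027, 1028, 1029}


def parse_line(line):
    """Return an event dict for one 'Blocked incoming ...' line, or None if it is not one."""
    m = BLOCK_RE.match(line.strip())
    if not m:
        return None
    ts = " ".join(m["ts"].split())  # collapse the padded day field ("Sep  9")
    return {
        "ts": datetime.strptime(ts, "%a %b %d %H:%M:%S %Y"),
        "proto": m["proto"],
        "src": m["src"],
        "sport": int(m["sport"]),
        "dport": int(m["dport"]),
    }


def parse_log(lines):
    """Parse all lines; a 'repeated N time(s)' line becomes N copies of the previous event."""
    events = []
    for line in lines:
        rep = REPEAT_RE.search(line)
        if rep and events:
            events.extend([dict(events[-1])] * int(rep["n"]))
            continue
        ev = parse_line(line)
        if ev:
            events.append(ev)
    return events


def is_messenger_spam(ev):
    return ev["proto"] == "UDP" and ev["dport"] in MESSENGER_PORTS


def summarize(lines):
    """Counts of Messenger-port hits vs. other blocks, plus who sent them and to which ports."""
    events = parse_log(lines)
    spam = [e for e in events if is_messenger_spam(e)]
    return {
        "parsed": len(events),
        "messenger_spam": len(spam),
        "other": len(events) - len(spam),
        "sources": Counter(e["src"] for e in spam),
        "ports": Counter(e["dport"] for e in spam),
    }


def verdict(summary):
    """Many distinct sources hitting the same Messenger ports is the signature of untargeted spam."""
    if summary["messenger_spam"] == 0:
        return "no Messenger-service traffic"
    if len(summary["sources"]) >= 3 and summary["messenger_spam"] >= summary["parsed"] / 2:
        return "untargeted Messenger-service spam"
    return "Messenger-port traffic from few sources; inspect further"


if __name__ == "__main__":
    s = summarize(LOG_LINES)
    print(s["messenger_spam"], "Messenger hits from", len(s["sources"]), "sources;",
          s["other"], "other blocks ->", verdict(s))
```

Run it and the posted excerpt comes out as 12 Messenger-port hits from 8 different addresses plus 2 unrelated TCP blocks, which is exactly the "lots of strangers, same two ports" shape of the spam floods rather than one person working the box. The part worth keeping is that the router is already dropping all of it; the fix on the host side is the one Mackintire gives (SP2, Messenger service off), and the log then becomes noise you can filter rather than evidence of a break-in.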
 
Mackintire said:
Tada.......

http://www.linklogger.com/messenger_spam.htm

Looks like messenger spam to me. It also notes that there was a Windows XP exploit that allowed the user to take control of your machine. If you patch up and have SP2 installed and filter the garbage with a router, you shouldn't have any problems.

Seriously it's as simple as install Windows XP, upgrade to SP2 (which turns off the messenger service), use a decent router...and your problems should be gone.

Gotta love Google....

Later,

Mackintire

How does this address his claim that the same thing happens with a Win2K and two different linux distros?
 