[Courses] [security] fun with my hacked Windows box.
wynde'nai
wyndenai at otherkin.net
Thu May 16 13:38:55 EST 2002
I know this is a Linux forum, but I've been forced to practice my hand with
some stolen-from-*nix tools after noting a funny netstat line (this was
actually related to studying for my Networks final tonight) on my Windows
box this morning. I'm rather curious as to what sort of crack this is from
the information I have.
My machine tries to connect out to zero.tinysw.cz when I boot. Due to the
nature of our DHCP server and password authentication stuff, this doesn't
work until I actually log on. Apparently it's fairly persistent, as it
eventually goes through. Then TCP connections are made to someone with a
dynamic IP at tampabay.rr.com, attbi.com, and somewhere in France. If I
catch the first incoming message, I can completely block the traffic with
my ipchains-like tiny personal firewall (courtesy Raven's husband ;) ).
Whatever process is doing this is hidden, or renamed-something-normal. With
WinDump I can see what's coming in, which contains occasional messages much
like the following screen-capped and retyped one (silly MS-DOS window, no
cutty-pasty):
05:34:09:394700 c-66-176-234-97.se.client2.attbi.com.2768 > (my fully
qualified hostname).6346: S 1959770347:1959770347(0) win 16484 <mss
1460,nop,nop,sackOK> (DF)
----
I then got the IP for the original connection, and have all incoming and
outgoing traffic to it blocked. On reboot, I don't have any of the above
connections, as the original "I'm here" message never got through. So my
system appears to be functioning as if it were not compromised, but there's
still something on here :(.
Which begs a few questions... What does this mean, is it worth trying to
report it in light of the .cz domain, and what do I do about it without
nuking my baby?
(which I did not 6 months ago for similar reason and causing me to grab
this stuff. I am willing to do it again, but...
I am not happy. )
grah.
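An added example, not part of the original post or any tool it mentions: a small Python checker for the one-line WinDump/tcpdump TCP format quoted above, listing inbound SYNs to the port seen in the capture (6346) and outbound SYNs from the local host to a watch-listed name such as zero.tinysw.cz. The local hostname myhost.example.net, the tampabay.rr.com host prefix, the ports 6667/4011/1034/1035 and the sequence numbers in the sample are constructed.

```python
import re
from collections import namedtuple

# One-line tcpdump/WinDump TCP record, as in the capture quoted in the post:
#   HH:MM:SS.usec src.sport > dst.dport: FLAGS seq:seq(len) win N <opts> (DF)
# The retyped capture used ':' before the microseconds, so both separators are accepted.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d[:.]\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"      # hostnames contain dots; port is the last field
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRPAU.]+)"
)

Conn = namedtuple("Conn", "ts src sport dst dport flags ack")

def parse_line(line):
    """Parse one capture line into a Conn; return None for lines that are not TCP records."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Conn(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                m["flags"], " ack " in line)   # 'ack' after the flags marks a SYN-ACK, not a new SYN

def inbound_syns(lines, my_host, watch_ports):
    """Pure SYNs (new connection attempts) from outside to my_host on the watched ports."""
    return [c for c in map(parse_line, lines)
            if c and c.dst == my_host and c.flags == "S" and not c.ack and c.dport in watch_ports]

def outbound_syns_to(lines, my_host, watch_hosts):
    """Connections my_host itself opens to watch-listed hosts (the boot-time 'I'm here' beacon)."""
    return [c for c in map(parse_line, lines)
            if c and c.src == my_host and c.flags == "S" and not c.ack and c.dst in watch_hosts]

# Constructed sample capture: the second line is the one quoted in the post; the local
# hostname, the other remote host prefixes, ports and sequence numbers are made up.
SAMPLE_LINES = """\
05:34:01.100000 myhost.example.net.1034 > zero.tinysw.cz.6667: S 11:11(0) win 8192 <mss 1460> (DF)
05:34:09:394700 c-66-176-234-97.se.client2.attbi.com.2768 > myhost.example.net.6346: S 1959770347:1959770347(0) win 16484 <mss 1460,nop,nop,sackOK> (DF)
05:34:09.400000 myhost.example.net.6346 > c-66-176-234-97.se.client2.attbi.com.2768: S 5:5(0) ack 1959770348 win 8760 <mss 1460> (DF)
05:34:12.000000 dyn-24-1-2-3.tampabay.rr.com.4011 > myhost.example.net.6346: S 99:99(0) win 16384 <mss 1460> (DF)
05:34:13.000000 myhost.example.net.1035 > www.example.org.80: S 7:7(0) win 8192 <mss 1460> (DF)
""".splitlines()

if __name__ == "__main__":
    for c in inbound_syns(SAMPLE_LINES, "myhost.example.net", {6346}):
        print("inbound SYN to port", c.dport, "from", c.src, "at", c.ts)
    for c in outbound_syns_to(SAMPLE_LINES, "myhost.example.net", {"zero.tinysw.cz"}):
        print("outbound beacon to", c.dst, "port", c.dport, "at", c.ts)
```

Feed it the saved WinDump output line by line; anything reported under "outbound beacon" before you have logged on is the process worth hunting for, and the inbound list tells you which remote hosts to block at the firewall.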