[Courses] [security] fun with my hacked Windows box.

Raven, corporate courtesan raven at oneeyedcrow.net
Fri May 17 01:12:56 EST 2002


Heya --

Quoth wynde'nai (Thu, May 16, 2002 at 01:38:55PM -0400):
> My machine tries to connect out to zero.tinysw.cz when I boot. Due to the 
> nature of our DHCP server and password authentication stuff, this doesn't 
> work until I actually log on. Apparently it's fairly persistent, as it 
> eventually goes through. Then TCP connections are made to someone with a 
> dynamic IP at tampabay.rr.com, attbi.com, and somewhere in France. If I 
> catch the first incoming message, I can completely block the traffic with 
> my ipchains-like tiny personal firewall (courtesy Raven's husband ;) ). 
> Whatever process is doing this is hidden, or renamed-something-normal. With 
> WinDump I can see what's coming in, which contains occasional messages much 
> like the following screen-capped and retyped one (silly msdos window no 
> cutty-pasty)
> 
> 05:34:09:394700 c-66-176-234-97.se.client2.attbi.com.2768 > (my fully 
> qualified hostname).6346: S 1959770347:1959770347(0) win 16484 <mss 
> 1460,nop,nop,sackOK> (DF)
 
	That's likely Gnutella.  (A great source for checking port
numbers for things you aren't familiar with -- first, look it up with
the IANA registered ports, then Google to see if it's a port also used
by a well known trojan or backdoor.)

http://www.iana.org/assignments/port-numbers 

is the link to IANA's port assignments.  That's good if you know you're
looking for "whatever is on port 16660".  But if you're looking for
"what ports does AIM use?" I generally find it faster just by googling
for it.

	Are you deliberately running Gnutella?  If so, shut it off and
you shouldn't see anyone trying to connect to 6346 anymore.  (There
might be a few stragglers who haven't got the "she's offline" message
yet, but they should soon disperse.)

	That's not to say you didn't get hacked -- from the sounds of
it, you may well have.  Those outgoing connections are likely your box
attempting to connect to an IRC channel or some such thing to let the
black hats know that you're online and available.  If you have any sort
of a protocol analyzer (something like sniffit for Windows, or Snort or
Ethereal for Linux), put it on the same wire, set your port on the
protocol analyzer machine promiscuous, and see what sort of traffic
you're trying to send to those boxen at boot.

	RavenBlack suggests that if you set up Tiny Personal Firewall to
block and log, you will then be able to see port numbers, etc, of those
connections at startup.  From there you should be able to get a better
idea of what it's trying to do.  (My money's still on IRC and/or a DDoS
client.)

> which begs a few questions.. What does this mean, is it worth trying to 
> report it in light of the .cz domain, and what do I do about it without 
> nuking my baby.

	I'd try to report it anyway.  You might not do a lot of good,
but at least you'll have tried.

	Port numbers, etc. will let us know what sort of things you've
got on there.  But as with any compromised system, you run a non-trivial
chance of not catching everything if you don't just format and
reinstall.  That's what I'd do in your shoes.  Sorry.  Back up any
non-executable data if you can, and wipe the disk.  

	The next question is, how did they get in?  Several options here
on a Windows system.  Did you have Tiny Personal Firewall on there from
the first time you put it on the Net?  If not, it's hard to tell when
the hack happened.  (A reasonably good guess is just before you started
getting these messages on boot, but you can't be sure.)  Being on a
high-bandwidth university LAN, your system is in a high risk place.
Firewalling good.  (I'm sure you know this but...) Don't install or run
third-party software that you don't know and trust.  It's easy to bundle
in trojans.  Even executable website content can do it to you.  Anything
you know you installed or ran just before you started seeing this?

	Another slightly less malignant thing this could be is spyware.
Programs like Kazaa, etc. often come bundled with programs to spy on
your website browsing and then report where you go to marketing
agencies.  This is generally a silent thing that there's no way to
opt-out of.  Download and run AdAware from LavaSoft to check your
computer for this sort of thing.

http://www.lsfileserv.com/downloads.html
 
> (which I did not 6 months ago for similar reason and causing me to grab 
> this stuff. I am willing to do it again, but...
>   I am not happy. )
 
	You haven't seen our new place yet, have you?  If you're wanting
to really track this down, bring your box over and RavenBlack and I will
have a go at doing forensics on it.  (The advantages of local geek
friends.)  Ping me offlist if you're interested in coming over and
trying to get to the bottom of this.

Cheers,
Raven
 
"The Eye is mean. The Eye is red.
 He rules nine Riders. They are dead."
  -- Gandalf, from "Green Eggs and Lembas", 
     http://www.tolkienonline.com/docs/4511.html
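The triage Raven describes above (read the sniffer output, sort the connection attempts by direction and port, and look the ports up before deciding what they are) is easy to script. The following Python is an added example, not something from the original thread or from Raven; the WinDump lines and hostnames in it are constructed to match the retyped format in the post, and the small port table is a hand-picked subset, not the IANA list, so anything not in it should still be checked at the IANA URL given above.

```python
import re
from collections import defaultdict

# Constructed subset of well-known TCP port assignments. This is an assumption
# for illustration; consult http://www.iana.org/assignments/port-numbers and a
# web search for ports that are not listed here.
KNOWN_TCP_PORTS = {
    80: "http",
    443: "https",
    6346: "gnutella-svc",
    6347: "gnutella-rtr",
    6667: "irc",
}

# One line of WinDump/tcpdump output in the shape shown in the post:
#   <timestamp> <src-host>.<src-port> > <dst-host>.<dst-port>: <tcp-flags> ...
# Host names may contain dots, so the port is the last dotted field.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>.+?)\.(?P<dport>\d+):\s+(?P<flags>[SFRP.]+)\s"
)


def parse_line(line):
    """Return a dict of fields for a TCP summary line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    # A bare "S" is a fresh connection attempt; "S." would be the SYN/ACK reply.
    pkt["syn_only"] = pkt["flags"] == "S"
    return pkt


def triage(lines, local_host):
    """Group new connection attempts by direction and destination port.

    Returns (inbound, outbound): each maps a destination port to the set of
    remote hosts involved. Only SYN-only packets count, so established
    traffic and replies are ignored.
    """
    inbound = defaultdict(set)
    outbound = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or not pkt["syn_only"]:
            continue
        if pkt["dst"] == local_host:
            inbound[pkt["dport"]].add(pkt["src"])
        elif pkt["src"] == local_host:
            outbound[pkt["dport"]].add(pkt["dst"])
    return dict(inbound), dict(outbound)


def describe(inbound, outbound):
    """Turn the grouped attempts into one finding per port, with the port name."""
    findings = []
    for port, hosts in sorted(inbound.items()):
        name = KNOWN_TCP_PORTS.get(port, "unknown; look it up")
        findings.append(f"inbound to {port}/tcp ({name}) from {len(hosts)} host(s)")
    for port, hosts in sorted(outbound.items()):
        name = KNOWN_TCP_PORTS.get(port, "unknown; look it up")
        findings.append(f"outbound to {port}/tcp ({name}) toward {len(hosts)} host(s)")
    return findings


# Constructed sample capture (hostnames are placeholders, not real hosts):
# two Gnutella peers still trying to reach the box, one SYN/ACK that must be
# ignored, and one outbound attempt from the box to a remote IRC port.
LOCAL_HOST = "mybox.example.edu"
SAMPLE_PACKETS = [
    "05:34:09:394700 peer-a.example.com.2768 > mybox.example.edu.6346: S 1959770347:1959770347(0) win 16484 <mss 1460,nop,nop,sackOK> (DF)",
    "05:34:11:120000 peer-b.example.org.4101 > mybox.example.edu.6346: S 2230011:2230011(0) win 8760 <mss 1460> (DF)",
    "05:34:11:120500 mybox.example.edu.6346 > peer-b.example.org.4101: S. 99001:99001(0) ack 2230012 win 16384 <mss 1460> (DF)",
    "05:40:01:000000 mybox.example.edu.1034 > remote.example.net.6667: S 12345:12345(0) win 16384 <mss 1460> (DF)",
    "this line is not a TCP summary and is skipped",
]


def run_sample():
    """Triage the constructed capture and return the list of findings."""
    inbound, outbound = triage(SAMPLE_PACKETS, LOCAL_HOST)
    return describe(inbound, outbound)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Feed it the text that WinDump prints (or the lines a firewall logs when set to block and log, after adjusting `LINE_RE` to that format) with the box's own hostname as `local_host`; the inbound group shows what the outside world still thinks the box is offering, and the outbound group is the part worth scrutinising, since a clean machine should have nothing unexplained there at boot.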


