Security Forums

Got a hacked computer

Computer Forensics and Incident Response

j7
Joined: 12 May 2005
Posted: Sat Feb 06, 2010 7:01 am    Post subject: Got a hacked computer

Hi,

I am pretty sure I have a hacked computer. Windows 7 OS. I found a profile folder named TEMP created on Jan 3, 2010. The folder is c:\users\TEMP

Underneath that folder are the usual folders like AppData, Documents, Music ... etc. But they are all empty.

Now I have lots of questions:

Given that the attacker can create an account, does that mean he has Admin rights? I checked in Computer Management, and the Administrators group consists of 'Administrator' and my admin account. I don't see a user named 'TEMP' in any of the groups.

In Event Viewer, my earliest entry in the Security log is Jan 22, because I stupidly forgot to enlarge the log size. Anyway, I can't see him logging in after Jan 22. I found that by filtering the Security log with event IDs 4624, 4636, 4803, 4801.

How can I find out HOW he got in? The machine is behind a Checkpoint hardware firewall, and the machine is primarily used for crunching Seti@home workunits. Sometimes I surf a little bit on that machine too (Opera 10.10 is my browser), but 80% of the time it is running Seti. So did he come in via a vulnerability in Seti? Seti@home downloads work from their server and reports back results when workunits are done, and a workunit can take up to 1 day to do, so communication is infrequent. In order to bypass the firewall, I understand one can spoof the source address, but this can only work within a short period when Seti@home is actually communicating with the server, am I right?

In the Event Viewer, I understand event ID 1000 and 1002 are for Application Hang and Application Error. Both custom views show no entries. So Seti@home didn't cough and choke at some point.

I think it is unlikely that the attacker got in through a weakness in Opera, because I have labeled it a low integrity app using the tool 'chml'. So it is running in Protected Mode, just like Internet Explorer. And even if he did get a cmd window, he can't run most of Windows' command line tools because of other lockdowns that I've made.

Netstat says the listening ports are 135, 49152-49156. Maybe he got in through those ports? I understand 135 is used by RPC, and I don't know what the other ports are for.

Apart from knowing how he got in, I wish I could dig out some of his tools, if he brought along any. But his folders are empty. Or perhaps he could have hidden them away in alternate data streams? I don't know how to find ADS items either.

Another question is if he installed a backdoor. Since he created an account, there must be a way of getting back in. How does one find that?

I think this attacker is a smart one, because he picked a machine that is infrequently used. And usually I just quickly log in once a day to see if Seti@home is ok.

What else should I be doing/looking for?
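The questions in this post (who logged on and how, whether a new account was created or added to Administrators, what is behind ports 135 and 49152-49156, and how to look for alternate data streams) can all be answered from an elevated PowerShell prompt on the suspect machine. The script below is an added example written for this thread; it is not the poster's code and not a tool the forum recommends. It assumes Windows 7 with the built-in Get-WinEvent cmdlet, that the Security log still covers the period of interest (the poster notes his did not), and that account-management auditing was enabled, since 4720 (account created) and 4732 (member added to a local group) are only written in that case. The function, variable and output names are my own.

```powershell
# Added triage script for the thread above (not from the original post).
# Run from an elevated PowerShell prompt on the Windows 7 host.
# Security event IDs used:
#   4624 logon succeeded     4625 logon failed
#   4720 user account created   4732 member added to a security-enabled local group
# Logon types worth a close look on a console-only box: 3 (network), 10 (RDP);
# type 2 is an interactive logon at the keyboard, 5 is a service start.

function Get-EventField {
    # Pull one named field out of an event's EventData XML.
    param($Event, [string]$Name)
    $xml  = [xml]$Event.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { $node.'#text' } else { '' }
}

function Get-LogonTriage {
    $noise  = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'ANONYMOUS LOGON')
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4720, 4732 } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        switch ($e.Id) {
            4624 { $account = Get-EventField $e 'TargetUserName'
                   $detail  = 'logon type ' + (Get-EventField $e 'LogonType') + ' from ' + (Get-EventField $e 'IpAddress') }
            4625 { $account = Get-EventField $e 'TargetUserName'
                   $detail  = 'FAILED logon type ' + (Get-EventField $e 'LogonType') + ' from ' + (Get-EventField $e 'IpAddress') }
            4720 { $account = Get-EventField $e 'TargetUserName'
                   $detail  = 'account created by ' + (Get-EventField $e 'SubjectUserName') }
            4732 { $account = Get-EventField $e 'MemberSid'
                   # For 4732 TargetUserName is the group, MemberSid the account that was added.
                   $detail  = 'added to group ' + (Get-EventField $e 'TargetUserName') + ' by ' + (Get-EventField $e 'SubjectUserName') }
        }
        # Machine accounts (trailing $) and the built-in service identities produce
        # most 4624 volume; drop them so human logons stand out.
        if ($account -match '\$$' -or $noise -contains $account) { continue }
        New-Object PSObject -Property @{ Time = $e.TimeCreated; Id = $e.Id; Account = $account; Detail = $detail }
    }
}

function Get-ListeningPorts {
    # Map each LISTENING socket from netstat to its owning process. On Vista/7 the
    # 49152-49165 range is the default dynamic range used by RPC endpoints (wininit,
    # lsass, services, svchost), which is what the poster's 49152-49156 usually are.
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*(TCP)\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $proc = Get-Process -Id ([int]$matches[4]) -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { '?' }
            $path = if ($proc) { $proc.Path } else { '' }
            New-Object PSObject -Property @{
                Proto = $matches[1]; Local = $matches[2]; Port = [int]$matches[3]
                PID = [int]$matches[4]; Process = $name; Path = $path
            }
        }
    }
}

function Get-AlternateStreams {
    # dir /r (Vista and later) prints alternate data streams as extra lines ending
    # in :$DATA under their file. Zone.Identifier streams are the benign
    # "downloaded from the Internet" marker; anything else deserves a look.
    param([string]$Path)
    $dir = ''
    & cmd.exe /c dir /r /s /a "$Path" | ForEach-Object {
        if ($_ -match '^\s*Directory of (.+)$')  { $dir = $matches[1] }
        elseif ($_ -match ':\$DATA\s*$')          { "$dir  $($_.Trim())" }
    }
}

Get-LogonTriage   | Sort-Object Time | Select-Object Time, Id, Account, Detail | Format-Table -AutoSize
Get-ListeningPorts | Sort-Object Port | Select-Object Proto, Local, Port, PID, Process, Path | Format-Table -AutoSize
net localgroup Administrators      # current membership, to compare with any 4732 events
Get-AlternateStreams 'C:\Users\TEMP'
```

The logon listing is the piece to read first: an interactive (type 2) logon to an account you did not use, or any type 3 or 10 logon from an address that is not the machine itself, is the kind of entry that would back up the intrusion theory, and a 4720 for "TEMP" would settle whether an account was ever created. The port-to-process mapping normally shows 135 owned by svchost (RpcSs) and the 4915x ports by wininit, lsass, services and svchost; a listener owned by a process outside C:\Windows is what to chase.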

j7
Posted: Sun Feb 07, 2010 5:06 pm

It appears that the attacker wrecks things. Maybe he did that upon my discovery of his intrusion or maybe he wrecked things since he gained entry.

Internet explorer cannot connect to the internet now. And the IE web button to 'diagnose connection problem' also fails with an error: 0x800706BA.

Opera doesn't load properly when set to low integrity. It would appear in task manager running processes, but not show up on screen.

I probably broke forensics rules by attempting to fix these 2 problems. I reinstalled both programs but the problem remains. I have read that one should make a copy of the HD and work from there, but I don't have a spare HD. And prosecution is not the goal, just education.

I also ran an 'undelete' utility to see what was erased, and didn't find any exe's. So the attacker may have been careful not to leave traces.

Forgot to mention above that I use a standard user account for day to day running of Seti@home. And only use the admin account when necessary.

j7
Posted: Sun Feb 07, 2010 6:58 pm

It seems all modules of 'Troubleshooting' in Control Panel fail with the same error code as above.

System Restore times out creating a shadow copy.

SFC /SCANNOW validated all its programs successfully.

j7
Posted: Sun Feb 07, 2010 8:19 pm

Found some directories with an earlier date: Dec 13, 2009, like \AppData\Roaming\Microsoft\System Certificates and \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories.

So now it seems that the attacker gained entry on Dec 13, 2009.

The method by which he foiled System Restore didn't take into consideration that when booting from the Win7 DVD and doing a System Restore from there, it doesn't seem to create this 'Shadow Copy'. I was able to restore the system to Dec 31, 2009, and the 2 programs work correctly now. He could have tried to delete the restore points entirely, but maybe he was unable to obtain the SYSTEM account rights necessary to do so, or he deliberately left me a way out.

However, seeing that he created the profile folder on Dec 13, and could have initially gained entry earlier still, this still leaves the possibility of him having installed a backdoor. And my earliest restorable date was Dec 31. And there may be other things that he has wrecked and installed which await discovery.

The attacker is experienced, and appears to have waited for some time before wrecking functionality obvious to the eye.
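Two things the poster is now trying to do by hand, dating the earliest activity from folder creation times and finding out whether anything was left behind to run at boot, can be done in one sweep. The script below is an added example for this thread (not the poster's own work and not a tool the forum recommends). The date window is an assumption lifted from the thread: the Dec 13, 2009 folder dates as the start and the Jan 3, 2010 TEMP folder as the end. It assumes an elevated PowerShell on the Windows 7 host; the function names and the choice of autostart locations are mine, and the list is deliberately the common ones rather than every place Windows can start something from.

```powershell
# Added example for the thread above (not from the original post). Lists common
# autostart locations and files created inside a suspect window, so that anything
# added during the window can be tied back to a start-up mechanism.
# Window below is an assumption taken from the thread's dates.
$windowStart = Get-Date '2009-12-13'
$windowEnd   = Get-Date '2010-01-04'

function Get-RunKeyEntries {
    # Registry Run/RunOnce keys for the machine, the 32-bit view on x64, and the current user.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
            New-Object PSObject -Property @{ Key = $k; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-ServiceBinaries {
    # Services whose binary lives outside \Windows get a second look. Legitimate
    # third-party services (the antivirus, BOINC for Seti@home) will appear here too;
    # the point is to recognise every line.
    Get-WmiObject Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '\\Windows\\' } |
        Select-Object Name, State, StartMode, PathName
}

function Get-TaskCommands {
    # schtasks /v CSV output repeats its header once per task folder; drop those rows.
    schtasks /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object { $_.HostName -ne 'HostName' -and $_.'Task To Run' -ne 'N/A' } |
        Select-Object TaskName, 'Task To Run', 'Run As User', Author
}

function Get-FilesCreatedInWindow {
    # Files whose creation time falls in the window. Slow on C:\Windows; narrow $Roots
    # if needed. Creation times are easy to alter and the System Restore rollback
    # itself rewrites files, so treat hits as leads, not proof.
    param([string[]]$Roots = @('C:\Users', 'C:\ProgramData', 'C:\Windows'))
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and
                           $_.CreationTime -ge $windowStart -and $_.CreationTime -lt $windowEnd } |
            Select-Object FullName, CreationTime, LastWriteTime
    }
}

Get-RunKeyEntries      | Select-Object Key, Name, Command | Format-Table -AutoSize
Get-ServiceBinaries    | Format-Table -AutoSize
Get-TaskCommands       | Format-Table -AutoSize
Get-FilesCreatedInWindow | Sort-Object CreationTime | Format-Table -AutoSize
```

Read the four listings together: an entry in a Run key, a service or a scheduled task whose command points at a file that also shows up in the creation-time sweep is the pattern a backdoor would leave, and a file in the sweep that nothing starts is more likely to be the residue of an update or install. The restore to Dec 31 complicates the timeline, since files reverted by System Restore carry the timestamps of the restored copies rather than the dates they were actually written.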

sheik_in
Joined: 16 Nov 2009
Posted: Tue Feb 09, 2010 8:32 am

Hey J7, are you sure your computer is compromised? I suspect it could be some kind of virus.

j7
Posted: Tue Feb 09, 2010 8:25 pm

I think it is not a virus because viruses do not create user accounts. And I hardly do anything with it except browse to forums. Now I understand that even well known sites can get hacked and install malware, but it doesn't explain the existence of the new user account.

I ran a scan with Comodo antivirus and MalwareBytes, both found nothing.

JRBTech
Joined: 23 Apr 2010
Posted: Fri Apr 23, 2010 3:43 am

j7,

I know it has been a while since you posted, but just wanted to let you and anyone else that looks at this thread know that the c:\users\TEMP account is used when Windows has a hard time logging you into the system. It is a default account created by Windows 7 and is only used until your profile can be reconnected.

All other issues seem to point to a possible malware attack, but if the account is the only thing truly worrying you, then you should rest at ease.
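JRBTech's explanation can be checked rather than taken on trust, and it fits the poster's own observation that no 'TEMP' user exists in any group: a temporary profile is a folder Windows creates when the real profile fails to load, not an account. The script below is an added example for this thread (not JRBTech's or the poster's code). It assumes an elevated PowerShell on the Windows 7 host. The User Profile Service event IDs it filters on (1508 registry hive could not be loaded, 1511 logged on with a temporary profile, 1515 profile backed up) are quoted from memory and should be confirmed against the event descriptions on the machine; the Application log is checked because, unlike the poster's Security log, it may still reach back to January.

```powershell
# Added example for the thread above (not from any post). Checks whether
# C:\Users\TEMP was produced by a failed profile load, which is how Windows 7
# ends up logging a user on with a temporary profile.
# Assumption: User Profile Service event IDs 1508/1511/1515 as described in the lead-in.

function Get-ProfileLoadEvents {
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-User Profiles Service'
        Id           = 1508, 1511, 1515
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

function Get-ProfileListEntries {
    # When a profile fails to load, Windows renames its ProfileList key to <SID>.bak;
    # a .bak entry next to a normal one for the same SID is the classic signature.
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $root | ForEach-Object {
        $image = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        New-Object PSObject -Property @{
            Key         = $_.PSChildName
            ProfilePath = $image
            IsBackup    = ($_.PSChildName -like '*.bak')
        }
    }
}

function Get-AccountCreationEvents {
    # Security 4720 = user account created. A temporary profile creates no account,
    # so the absence of a 4720 for "TEMP" supports the profile-failure explanation
    # (provided the Security log still covers the date of the folder).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x      = [xml]$_.ToXml()
            $target = ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
            New-Object PSObject -Property @{ Time = $_.TimeCreated; Account = $target }
        }
}

# Compare the folder's creation time with the profile-service events around it.
$temp = Get-Item -Path 'C:\Users\TEMP' -Force -ErrorAction SilentlyContinue
if ($temp) { "C:\Users\TEMP created: $($temp.CreationTime)" }
Get-ProfileLoadEvents     | Format-Table -AutoSize
Get-ProfileListEntries    | Select-Object Key, IsBackup, ProfilePath | Format-Table -AutoSize
Get-AccountCreationEvents | Format-Table -AutoSize
```

If a 1511 event lands at the same time the folder was created and a .bak key sits in ProfileList, the TEMP folder is explained and the remaining oddities (the 0x800706BA errors, the stuck shadow copy) are the symptoms to chase, as JRBTech suggests. If neither is present, the folder still has no obvious benign origin and the earlier triage stands.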

verdur0211
Joined: 03 Mar 2011
Posted: Fri Mar 11, 2011 12:01 pm    Post subject: Got a hacked computer

Install avast.com now. Once installed, you will need to enable a boot time scan. Once you enable the boot time scan, restart the computer. It takes a while. Another route is to go with Malwarebytes, but that's only if you have XP. If you have Vista or Win 7, use a boot time scan with avast. The only problem is if the system files are corrupted, then you need to reinstall Windows, no matter what you do. Free download avast and tell it to delete everything that appears. Avast is much better than AVG. I switched to avast. Avast is probably the #2 antivirus software, and is now #1 if it is free antivirus.

Sheena
Joined: 24 Jun 2011
Posted: Fri Jun 24, 2011 4:35 pm

Are you sure...? Maybe there is something wrong with the system, or there is some kind of virus?