Hacker Attack

Discussion in 'Malware Help (A Specialist Will Reply)' started by markem, Dec 19, 2008.

  1. markem

    markem Private First Class

    Hey guys! :)

    I consider myself fairly good at keeping our computer systems free of malicious software and hackers. NOT! :) Even with all of my computer background (been in the field since 1972!) two of my computers were hacked last night.

    Here are the symptoms:

    1. I went to log in, the computer asked me for my password three times.
    2. System locked up.
    3. Upon reboot I was greeted with no way to log in. (ie: no user account available to click on to log in to.)

    The first system (laptop) I took the HD out and put it on a back-up system. The hacker used a Macintosh to get into my system (there is a Network_Services folder with nothing but Apple software in it which wasn't there before). They used Boot Camp to repartition my hard drive. Haven't finished reading through everything in that folder yet, but this is what I've gotten so far.

    The second system was my web server. Looks the same. New Network_Services folder. I've shut down both systems.

    I've heard that if you have a backup of the registry you can overlay the new files with the old files and you can get your system back. Is this true? Or should I just rebuild the system again. (Ugh.)

    Also, I've noticed that most programs will do a lot for the current system - but not many of them will do anything if you have the disk drive plugged in to a USB port. :-/

    Anyway, any ideas would be appreciated.

    Also, I immediately changed the passwords on the router and I've got mac filtering turned on. I say this because someone broke into our systems before via the wireless. Since I did not have mac filtering on before this (went from WEP to WPA+PSK and now WPA+mac filtering), I'm thinking it is the same person with new software attacking again.

    Last question: Is there any software out there that will monitor your system and when anyone tries to log into your system it automatically kicks them back off? (Like it checks all accounts and only the active accounts can log in. This would keep someone from coming in under something like Network_Services.)

    Oops! Last, last question: What are the best settings for the security policies? I thought I had everyone excluded from logging in to the system unless you were on the console - but obviously not! :)

    Thanks again!
     
  2. markem

    markem Private First Class

    Hey guys and gals! I thought about it during the day and I wish to withdraw my request for help. I'm going to just suck the data/programs off of the drives, reformat, and reinstall the OS. (Oi-vey! The security patches I'm going to be downloading tonight! :p)

    Anyway - this is a "nevermind". Thanks for reading though.

    Also, I was reading through a lot of the posts today and the "Don't Bump it!" message. (Which, I guess that's what I'm doing with this - so sorry about that!) I'm a programmer and I was thinking that maybe I could help out a bit by writing a program that takes the incoming logs, examines them, and pops out some kind of a standardized message that could be posted back to the board. Nothing fancy, but I was thinking along the lines of compiled Perl or maybe AutoIt code. Let me think about it some more (because I need to read more of the responses which have been posted to other people's problems), but I may be able to come up with something that will help to lighten the load a bit. There has to be a lot of repetition to finding the problems and something that can generate either plain text or html info has to be a lot better than having to retype or re-copy/paste things to people.

    Anyway, just a thought and I first have to get my laptop back up and running. (Which should just take most of a day because of all of the downloads.) I'll report back on one of the other boards more appropriate (like the software or programming boards) - unless you guys want me to post here.

    Later! and thanks again for reading. :)
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  4. markem

    markem Private First Class

    Re: Hacker Attack - update

    I thought I'd post an update to my situation. Just for reference in case anyone else gets hit by this. :)

    Original situation: Someone hacked into my development laptop via local_services and then network_services. They then installed BigBrother which disguised itself as alg.exe which then tried to take over the computer. They also did this on my e-mail/web server. :( This joker has tried this before in the past and I suspect it is someone who lives in and around our area because they are coming through our wireless connection. The first time I went from a free/open wireless router to one with WEP. Next break in - changed passwords and took the router off of the broadcast SSID. Third break in - we went with WPA+PSK, took him over four months to break that password. So now I've turned on Mac IP filtering as well. I'm sure the guy is using AirJack to break in. It's one of the few hacker tools I've researched and which looks good enough to figure everything out. Anyway, previously I've had to re-install the OS et al. again so last time I made a complete system back-up of the OS et al. (which is what I am using to restore everything presently).

    To combat this problem I removed the hard drive from the laptop and the server and put them into USB containers so I could work on them from a third system. The one thing I was not expecting was that the software would jump from the USB drive to the third system's hard drive. (That'll teach me to trust AVG/ZoneAlarm to protect me from this malicious software! :p) I had the task manager up and running when I did it just in case and I managed to click->End Task quickly enough so that it didn't take over that system. I then quickly rebooted into safe mode and used an alternate account to log in to (just in case), monitored via task manager, and the program did not try to install. Still, in the few seconds it had tried to install, it managed to disable some parts of Windows.

    I've managed to pull all of my work off of the laptop's disk drive, reformat the drive, and am in the process of restoring my backup. Once that's done I'll restore my software I was working on and I'll be back to where I was when this whole thing began.

    So here is my advice to anyone who gets a call from this hacker:

    1. Don't panic! You can overcome this. If you have another computer, then Google "+bigbrother +true +sword" and click on the link about manually removing the program. That link has all of the files you will have to get rid of to get rid of the malicious software. (There are probably other places you can go, but that is where I wound up.)
    2. Immediately bring up the task manager and kill alg.exe/bigbrother to put a stop to the program from damaging your system. Leave it up and running because the alg.exe program tries to start back up again. So you may have to kill it several times while doing the following.
    3. Go to "My Computer" and right-click on the icon. Select the "Manage" option. If you have disabled your Administrator account, re-enable it. Stay in this program while you do the next thing to prevent BigBrother from modifying it again. Be sure to right-click on the administrator account and re-type in the password so you can get into it.
    3a. If you do not have an Administrator account - create one. You can do this by right-clicking anywhere in the open dialog where it shows your accounts. Just fill in the information in the dialog and click the Create button. Once it is created you must right-click on the entry and select "Properties". Click on the "Member Of" tab. When the new dialog is shown, click on the "Add" button. Then click on the "Advanced" button. Click on the "Object Types" and make sure all boxes are checked. Click "Ok". Click on "Find Now". Select "Administrators, Power Users, Users, and Backup Operators". (You may have to click the "Ok" button between some of these selections because of how Windows does the selection.) Your Administrator login should now be set up. All you have to do is to click the "Ok" button until you are back to the main dialog again. DO NOT get out of this program as that can trigger the alg.exe program to start up again.
    3b. Windows XP Home probably will not let you do the above. In this case, go to Start->Control Panel->Users and create the administrator's account. Again - do NOT get out of the program. It will shut itself down when you shut down the entire system. This will prevent alg.exe from popping up and modifying your entries. Thus locking you out of the system.
    4. Start->Turn off Computer->Restart. Begin tapping the F8 key and bring the computer up in Safe Mode (first option). Log into the Administrator's account.
    5. Immediately bring up the task manager after you log in to the account. If you see bigbrother/alg come up under the "Process" tab - kill it immediately. Keep doing this until it doesn't come up anymore.
    6. Using the list of files you got back at #1 above, find and remove those files. Use your head. If the file is in the c:\windows\system32 directory - then those are probably the actual files that should be there. If the file is anywhere else - then that file is probably a part of the malicious software.

    This should get rid of the files. However! This doesn't mean that you are safe yet. It just means that you managed to get rid of the files that are trying to take over your system. What you should do next is:

    1. If you do not have a back-up of your system lying around, now is the time to go buy that cheap 320GB hard drive and an external USB case for it (or one of the already put together external USB 320GB hard drives). Why so big? Because you may need the space.
    2. Set-up, turn-on, and plug in the external hard drive. Be sure to have the task manager up and running so you can watch for BigBrother/alg. If they pop up - kill them.
    3. Microsoft provides (and so does the external hard drive company sometimes) a back-up program. Or if you have WinZip - you can use that. Either way, back up your system to the external hard drive. We do this so we can get back all of your e-mail and other documents you may have on your hard drive.
    3a. Microsoft's hard drive back-up program can be found by first clicking on Start->My Computer (or just double-clicking the "My Computer" icon) and then right-clicking on the C:\ drive's icon. Select the "Properties" option. A dialogue box will open and you can click on the "Tools" tab. At the bottom you should see the "Backup" option. Click on it and follow directions. If you have Windows XP Home you may have to get out the CD, do a Start->Control Panel, and use the Add/Remove Programs option to install the backup software. (I don't have Windows XP Home so I've heard that this is the case.)
    4. Once you have your backup of your ENTIRE disk drive (bad stuff and all), you are ready to re-install your system. Get out your CD and reinstall the OS. Don't forget to reformat your disk drive (NOT the quick format - but the long, painfully slow format) so it wipes out all traces of the malicious software.
    5. You will have to re-install ALL of the software you had on your system (because we do not use software which might now be infected) - unless - you had an earlier backup of your system. In that case - just restore that backup. Not the backup we just made - but an EARLIER backup. Otherwise, you have to reinstall everything.
    5a. Don't forget that you have to set up your user account. If you change the name on the system, then the backup part may not work properly.
    6. Using the backup software you used earlier, now restore your files and folders from the c:\Documents and Settings\<your account name> folder. Don't forget that the "All Users" folder may need to be restored also.
    7. You should now be ready to......wait for it.....backup your system again! That's right - now you should have a safe and stable system. To ensure that you don't have to go through all of this again - and since the backup drive is still connected to your system - why not make a valid backup now that you could use in the future? Sound good? I know - it's a pain in the rear - but you'll thank me for it later! :)

    So now you have the backup with the virus/program in it and a backup which should be clean with no virus/program in it. You can get rid of the backup with the virus/program in it or you can keep it in case there is some other file(s) that you may need but didn't think of needing it. (That's what usually happens to me. I delete and then go "OH SH@#%$$!&*@#!!!!!!") So don't do that - be smart and keep the bad backup. Just change the label to read something like "Virus Backup mm/dd/yyyy" and put it in a folder labeled "Bad Backups!" or something like that and go on down the road.

    So there you have it! What happened, how I'm solving the problem, and what to do to help you. Have a great day! I hope this helps someone. Later! :cool
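A small check for step 6 of the list in the post above, added here as an example and not part of the original post or of any tool it names: given a process list as (pid, image path) pairs, it flags a binary carrying a core Windows name (the post's alg.exe) that runs from anywhere other than System32, after normalizing case and `..` segments so those cannot hide the location. The system root, the SYSTEM_BINARIES set and the sample process table are constructed assumptions.

```python
import ntpath

# Constructed set of core Windows binary names worth checking. alg.exe is the
# name the post reports being impersonated; svchost.exe is added only to show
# the same check applies to any entry in the set.
SYSTEM_BINARIES = {"alg.exe", "svchost.exe"}


def expected_dir(system_root: str) -> str:
    """Normalized, lower-cased path of the System32 directory under system_root."""
    return ntpath.normcase(ntpath.normpath(ntpath.join(system_root, "System32")))


def is_impostor(image_path: str, system_root: str = r"C:\WINDOWS") -> bool:
    """True when a file named like a core Windows binary lives outside System32.

    This is the rule from step 6 of the post: a copy in System32 is probably
    the real file, a copy anywhere else is probably part of the malware.
    Paths are normalized so "SYSTEM32\\..\\Temp" or a different letter case
    cannot make a stray copy look legitimate; a sub-folder of System32 or a
    look-alike folder name still counts as outside.
    """
    norm = ntpath.normcase(ntpath.normpath(image_path))
    directory, name = ntpath.split(norm)
    if name not in SYSTEM_BINARIES:
        return False
    return directory != expected_dir(system_root)


def find_impostors(process_list, system_root: str = r"C:\WINDOWS"):
    """Return the pids from (pid, image_path) pairs whose image is an impostor."""
    return [pid for pid, path in process_list if is_impostor(path, system_root)]


# Constructed sample modelled on the thread: the genuine alg.exe in System32,
# a copy dropped under the Network_Services profile, and one hiding behind a
# ".." segment. All pids and paths are made up for this example.
SAMPLE_PROCESSES = [
    (1032, r"C:\WINDOWS\System32\alg.exe"),
    (2240, r"C:\Documents and Settings\Network_Services\alg.exe"),
    (2256, r"C:\WINDOWS\system32\..\Temp\ALG.EXE"),
    (1120, r"C:\WINDOWS\system32\svchost.exe"),
]

if __name__ == "__main__":
    for pid in find_impostors(SAMPLE_PROCESSES):
        print("suspicious image for pid", pid)
```

On a live machine the pairs would come from the Task Manager columns or a process listing tool; the check only tells you where to look, not what the file is.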
     
  5. markem

    markem Private First Class

    Quickie to TimW

    Yep. Did that but I couldn't even get into the system/disk drive from the laptop to do any of the steps. (See recent post. - Also I'm typing this from work and it's my home computers (or maybe I should say my home business computers?) that had the problem.)

    So yeah, I was originally asking for help - but - then I remembered this person from before and I went - oh yeah. Nowwwwww I remember. Actually, now that I have paused for a sec - it's been more like a year and four months since the last break-in. I do the full 65 character password on the WPA-PSK stuff. So I guess he's been working at breaking in for a while now. I'll just have to make it an every six month thing to change the password on the wireless. :)

    Another one of those "Doh!" things. :p

    Anyway, thanks again. You guys rock! I found another thread here about the "I can't get to the AVG website" and how to fix that. I had a friend who had that problem and we wound up re-installing her system. Can't believe it's such a simple fix. Wish I had looked here first. Oh well, she's happy. Did the backup-re-install-restore thing with her as well. (Hey! If nothing else I'm getting faster and faster at doing the installs!)

    Later! :cool
     
