Got hacked.

Forum: Computer Security: Discussions > Countermeasures (have been hacked, prevent hacker, request help here)
Well, first off, it's a dear friend who got hacked, so I am trying to fix his PC; I hope that also counts as "I've been hacked".

My friend has a 10 Mbit up/down connection on 3 boxes with IPs open to the outside (no internal/router IPs), so it can get serious, as it's more attractive to hackers.

What have I found? Something is running behind a rootkit. After some Googling and info on this forum, I found info about rkdetector. Good; I executed it, and it gave me (may differ, I don't remember exactly):

ROOTKIT HACKER DEFENDER v 0.82 FOUND = PATH NOT AVAILABLE

and that it was installed as 1 running rootkit.

So, question 1: I know it runs, but even if I kill it, how am I able to get the path to delete the hidden files?

Well, still concerned, I spent another night trying to get as much info as possible to supply, so details won't be any problem. I've been looking for last-modified files; maybe that gave me info. Yep, it gave me some more info. I have found:

c:\WINNT\system32\Driver Cache\COM1\

Well, WTF, I thought, COM1? I tried to del it, but it just didn't go away. Assuming his files or part of his files are running in there, I tried killing COM1 as a process with all-round killing apps. Nothing.

Well, I grabbed an old P75 MHz, set up a quick disk image from an old backup of mine, and started to make a COM1 dir myself too. It didn't work. How can they run a file in a dir that is not accessible/writable??!?!

I looked in Task Manager for suspicious processes running: nothing. I checked bandwidth for in/outgoing traffic: all seemed idle. I Googled again, did netstat for listening/active/established ports, looked up IPs; all seemed normal.

Well, being damned tired after posting, I hope you got enough info to answer my question, because spending too much time on someone else's PC sucks. Thanks for your time and upcoming replies.

PS: I never knew class101 coded rkdetector; I'm sure he has some answers.
Additional info: he runs a website and a database for his administration, so formatting is not really an option, he said. It's disconnected now, but we can connect it again, of course. I tested it on all 3 PCs and all said that rootkit defender was running; the network probably still has many holes.
No, remember: ROOTKIT HACKER DEFENDER v 0.82 FOUND = PATH NOT AVAILABLE, so even if it has ports, they are hidden! I wanted to figure out how they can execute a program where Windows normally has no access; I'm even admin-privileged! I tried resetting attributes and admin permissions; none of it worked. I walked around a bit and again tried making COM1 test dirs and removing them; that didn't work either. I Googled a bit and found some interesting tools, which deleted them eventually.

Still, if I turn that computer back on and plug in that internet cable, it is like 100% certain that someone can enter my computer somehow, because the real problem, the leak, is NOT fixed. I know how to delete them now with the tools, but I want to reverse that too, by understanding how the intruder worked on the computer, to prevent further problems in the future. I haven't found on Google that programs are executable in COM1 dirs; who knows what more is behind it if I hadn't deleted them?! A lot of space is free now too. I still need to know: how are they starting that crap in COM1 dirs?!
The following user says thank you to Eternal for this useful post: class101 (23-10-07)
This is just an old hacker trick. To create such folders (com1, nul, etc.), do the command lines:

```bat
rem the \\.\ (or \\?\) prefix makes the Win32 path parser skip its device-name
rem check, which is what lets a reserved name like com1 be created as a directory
mkdir \\.\c:\com1\
mkdir \\.\c:\com1\blabla
```

Remove it with:

```bat
rmdir \\.\c:\com1\blabla
rmdir \\.\c:\com1\
```

Such directories are often used by hackers as a last protection against newbie administrators.

Note: I think you mentioned I had coded rkdetector; this is wrong. This tool is from Andres Tarasco from the haxorcitos group.
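Added example (not code from this thread, from rkdetector or from hxdef): the Python below implements the Win32 reserved-name rule behind the trick class101 describes and builds the `\\?\` extended-length path that the mkdir/rmdir commands rely on, which is also the form needed to get into the `Driver Cache\COM1` directory from the first post. It scans a directory listing for entries named CON, PRN, AUX, NUL, COM1-9 or LPT1-9 (including variants with an extension or trailing dot, which Windows treats the same way) and, on Windows, can walk a real volume. The sample listing is constructed for the example, and the file names it places inside the COM1 directory are placeholders, not what was found on the hacked machine.

```python
"""Detect directory entries that carry Windows reserved device names
(CON, PRN, AUX, NUL, COM1-9, LPT1-9) and build the extended-length path
needed to open or delete them. Added example for this thread; the sample
listing below is constructed, not taken from the hacked machine."""
import os
import re

# Win32 treats these names as devices in any directory. The match ignores
# case and anything after the first dot, so "COM1.txt" and "nul." are
# reserved too, while "com10" is an ordinary name.
_RESERVED = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\.|$)", re.IGNORECASE)


def is_reserved_name(name: str) -> bool:
    """True if a single path component would be parsed as a device name."""
    return bool(_RESERVED.match(name.rstrip()))


def to_extended_path(path: str) -> str:
    r"""Return the \\?\ form of a fully qualified path.

    With this prefix the Win32 parser skips device-name and MAX_PATH checks,
    which is why "mkdir \\.\c:\com1" succeeds where "mkdir c:\com1" fails and
    why "rmdir \\?\c:\com1" is the way to remove such a directory again.
    """
    if path.startswith(("\\\\?\\", "\\\\.\\")):
        return path                              # already a device/extended path
    if path.startswith("\\\\"):                  # UNC share -> \\?\UNC\server\share
        return "\\\\?\\UNC\\" + path[2:]
    return "\\\\?\\" + path


def find_reserved_entries(listing):
    """Scan (directory, [entry names]) pairs; return (path, extended_path) hits."""
    hits = []
    for directory, names in listing:
        for name in names:
            if is_reserved_name(name):
                full = directory.rstrip("\\") + "\\" + name
                hits.append((full, to_extended_path(full)))
    return hits


def scan_tree(root: str):
    r"""Live scan of a real volume. Windows only: os.walk is given the \\?\
    form of the root so it can descend into reserved-name directories instead
    of hitting the COM1 device."""
    if os.name != "nt":
        raise RuntimeError("live scan needs Windows; feed a listing to find_reserved_entries")
    walk = ((d, dirs + files) for d, dirs, files in os.walk(to_extended_path(root)))
    return find_reserved_entries(walk)


# Constructed sample listing modelled on the thread: a COM1 directory under
# Driver Cache plus a few other reserved-name variants. File names inside the
# COM1 directory are placeholders, not what was on the real box.
SAMPLE_LISTING = [
    (r"C:\WINNT\system32\Driver Cache", ["i386", "COM1", "readme.txt"]),
    (r"C:\WINNT\system32\Driver Cache\COM1", ["svc.exe", "svc.ini"]),
    (r"C:\Inetpub\wwwroot", ["default.htm", "nul.", "lpt1.bak", "com10"]),
]

if __name__ == "__main__":
    for plain, extended in find_reserved_entries(SAMPLE_LISTING):
        print(f"reserved-name entry: {plain}")
        print(f"  inspect/remove via: {extended}")
```

Run it as a script to see the constructed hits, or on a Windows box call `scan_tree(r"C:\")` and pass each reported extended path to `os.rmdir`/`os.remove`; the plain `C:\...\COM1` spelling will keep failing for the same reason `del` failed in the first post.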
Ahh, thanks for clearing that up. No, I did not mention you coding rkdetector, but the hxdef rootkit. In viewtopic.php?t=481 your reply had "not to the old times I created hxdef" or something.