Eternal
22-07-06, 23:33
Forum: Countermeasures
have been hacked and needing help? try to request here.
Well first off, it's a dear friend who got hacked - so I am trying to fix his PC, hope that also counts as 'I've been hacked':
Well, my friend has a 10mbit u/d connection on 3 boxes with IPs open to the outside (no internal/router IPs), so it can get serious as it's more attractive to hackers;
What have I found? Something is running behind a rootkit. After some Google and info on this forum, I found info about rkdetector, good - executed it and all it gave me was (may differ, don't remember exactly):
ROOTKIT HACKER DEFENDER v 0.82 FOUND = PATH NOT AVAILABLE
And that it was installed as 1 running rootkit. So question 1; I know it runs, even if I kill it, how am I able to get the path to delete the hidden files?
Well, still concerned, I spent another night trying to get as much info to supply so details won't be any problem. I've been looking for last-modified files, maybe that gave me info. Yep, it gave me some more info:
I have found:
c:\WINNT\system32\Driver Cache\COM1\
Well wtf, did I think, COM1, tried to del it, but it just didn't go away.
Assuming his files or part of his files are running in there, I tried killing com1 as a process with all-round killing apps. Nothing. Well, I grabbed an old p75mhz, set up a quick disk image from an old backup of mine and started to make a COM1 dir myself too.
Didn't work, how can they run a file in a dir that is not accessible/writable??!?!
Looked in taskmanager for suspicious processes running, nothing - checked bw for in/outgoing traffic, all seemed idle. Googled again, did netstat for listening/active/established ports; looked up IPs, all seemed normal.
Well, being damned tired after posting, I hope you got enough info to answer my question, cause spending too much time on someone else's PC sux :).
thx for your time, and upcoming replies :)
-ps, never knew class101 coded rkdetector, I am sure he has some answers :)