Finally back!

[DreemWarrior]

Hey everybody!
Wow, it's only been a week since my network was intruded upon, and I havent been in here-or elsewere for that matter-since then.
It feels like much longer!. Anyway, I utilized that time to learn all I could about networking and network security.(havent even scratched the surface, I know) BUt suffice it to say I remedied the situation and dont think that will be an issue( of that magnatude) again. I just wanted to thank all those who shared and helped me with it. I missed you guys*sniff*
You know, I didnt realize just how many PW I would have to change due to all this. What a PITA!( I never use the same one twice)
Oh, well. Alls well that ends well.

 

[Brink]

Welcome back Joey.

I sure hope that you will not have any more security breaches again.

 

[DreemWarrior]

Welcome back Joey.

I sure hope that you will not have any more security breaches again.

Thanks Shawn. You and I both. I never thought networking/commands could be so...interesting. I think I'll be doing most of my work on systems VIA cmd prompt from now on!

 

[zzz2496]

Wow, I read your other thread, what happened? Care to share?

zzz2496

 

[DreemWarrior]

Wow, I read your other thread, what happened? Care to share?

zzz2496

Well, if you read the other thread, you know my network/rig was compromised. It seems someone got in and used windows power shell to run remote commands to copy files and modify windows environment, ect. Even tried rewriting/editing event logs to mask their presence. I was one big proxy server apparently. I stumbled upon part of a script which just happened to have a partial IP along with a computer name(theirs) which after MUCh studying and trial and error (cmd line utilities)I managed to remedy the situation.
And would you believe that somehow in the proccess, it seems THEIR computer admin PW got changed, and the puter remotely shut down? Not sure how that happened
Thats the Cliffs notes version anyway. It took many hrs and plenty of foul language, though...

 

[zzz2496]

Wow, I read your other thread, what happened? Care to share?

zzz2496

Well, if you read the other thread, you know my network/rig was compromised. It seems someone got in and used windows power shell to run remote commands to copy files and modify windows environment, ect. Even tried rewriting/editing event logs to mask their presence. I was one big proxy server apparently. I stumbled upon part of a script which just happened to have a partial IP along with a computer name(theirs) which after MUCh studying and trial and error (cmd line utilities)I managed to remedy the situation.
And would you believe that somehow in the proccess, it seems THEIR computer admin PW got changed, and the puter remotely shut down? Not sure how that happened
Thats the Cliffs notes version anyway. It took many hrs and plenty of foul language, though...

Whew, one hell of a ride, huh? Glad you made it through...

I'm curious, how did the "hacker" get into your network? Did you not have a firewall in place (some box that stands between your network and the internet)?

zzz2496

 

[CarlTR6]

Hey everybody!
Wow, it's only been a week since my network was intruded upon, and I havent been in here-or elsewere for that matter-since then.
It feels like much longer!. Anyway, I utilized that time to learn all I could about networking and network security.(havent even scratched the surface, I know) BUt suffice it to say I remedied the situation and dont think that will be an issue( of that magnatude) again. I just wanted to thank all those who shared and helped me with it. I missed you guys*sniff*
You know, I didnt realize just how many PW I would have to change due to all this. What a PITA!( I never use the same one twice)
Oh, well. Alls well that ends well.

Glad you are back and that all is finally well. That is a real bummer that you had to go through this.

 

[DreemWarrior]

I'm curious, how did the "hacker" get into your network? Did you not have a firewall in place (some box that stands between your network and the internet)?

I was using windows native firewall, as well as the routers firewall, as well as WPA personal for wireless.(WPA2 maybe?)
I honestly believe the script originated from a website maybe. But it initiated a RDC (Remote Desktop Connection) Or thats my hypothesis at any rate. And I did find key/mouse drivers replaced with .sys file extentions. As I said, I dont know that much about the process other than what I learned on the fly. One thing still concerns me though. And it may be purely unrelated. But my desktop display doesnt quite fill my monitor(wide screen). Its lacking like 3/8" from fill, and nothing I've tried helps. Almost like an image of the desktop in the screen. Any guesses on that one?

Sounds like this thread to me...
Very similar to this thread...http://www.sevenforums.com/network-sharing/20284-login-rdp-without-bumping-current-session.html
I wonder how one would scan for something that for the most part ISNT unnatural programs/processes??

 

[zzz2496]

I'm curious, how did the "hacker" get into your network? Did you not have a firewall in place (some box that stands between your network and the internet)?

I was using windows native firewall, as well as the routers firewall, as well as WPA personal for wireless.(WPA2 maybe?)
I honestly believe the script originated from a website maybe. But it initiated a RDC (Remote Desktop Connection) Or thats my hypothesis at any rate. And I did find key/mouse drivers replaced with .sys file extentions. As I said, I dont know that much about the process other than what I learned on the fly. One thing still concerns me though. And it may be purely unrelated. But my desktop display doesnt quite fill my monitor(wide screen). Its lacking like 3/8" from fill, and nothing I've tried helps. Almost like an image of the desktop in the screen. Any guesses on that one?

Sounds like this thread to me...
Very similar to this thread...http://www.sevenforums.com/network-sharing/20284-login-rdp-without-bumping-current-session.html
I wonder how one would scan for something that for the most part ISNT unnatural programs/processes??

Did you put your computer in the DMZ zone? I'm curious as this experience can benefit us all, to protect self from being hacked...

I personally NEVER USE DMZ, and every incoming/outgoing traffic is always logged by my router, and it has it's own traffic log/bandwidth usage log, so whenever I feel the network being slow or if I smell something fishy, I can always review the logs/bandwidth monitor in my router.

zzz2496

 

[DreemWarrior]

Did you put your computer in the DMZ zone? I'm curious as this experience can benefit us all, to protect self from being hacked...

I personally NEVER USE DMZ, and every incoming/outgoing traffic is always logged by my router, and it has it's own traffic log/bandwidth usage log, so whenever I feel the network being slow or if I smell something fishy, I can always review the logs/bandwidth monitor in my router.

Is that what I did? lol I suppose so. So how do I go about SAFELY networking my home office? Or is that an oxymoron?
BTW I just had a peek at your tutorial.Looks WELL informed. I guess I'll curb any further questions until after I study that. I know I need to get rid/uninstall a LOT of network adapters that pose a potential weak link. And yes, I am logging everthing with router as well.
I already put out the bait by being in DMZ I guess!

 

[electricfeel]

hi whoever you are.

 

[DreemWarrior]

hi whoever you are.

Hi electricfeel.
Welcome to our forum.

 

[CarlTR6]

Did you put your computer in the DMZ zone? I'm curious as this experience can benefit us all, to protect self from being hacked...

I personally NEVER USE DMZ, and every incoming/outgoing traffic is always logged by my router, and it has it's own traffic log/bandwidth usage log, so whenever I feel the network being slow or if I smell something fishy, I can always review the logs/bandwidth monitor in my router.

zzz2496

OK, time to show my ignorance, what is DMZ? I know it is different from my military definition, demilitarized zone.

 

[zzz2496]

Did you put your computer in the DMZ zone? I'm curious as this experience can benefit us all, to protect self from being hacked...

I personally NEVER USE DMZ, and every incoming/outgoing traffic is always logged by my router, and it has it's own traffic log/bandwidth usage log, so whenever I feel the network being slow or if I smell something fishy, I can always review the logs/bandwidth monitor in my router.

zzz2496

OK, time to show my ignorance, what is DMZ? I know it is different from my military definition, demilitarized zone.

Yup, that's it... Basically it's a rule in the router that will direct EVERY traffic that is destined to the router directly to the DMZ-ed host. It's the easiest way to be "directly connected to the Internet" through a router. This way you won't have any problem with closed ports (as long it's open in your Windows firewall), you don't need to make a forwarding rule. It's the easy way to get screwed, basically...

zzz2496

 

[CarlTR6]

Thank you, Sir. I understand. I appreciate the answer.

 

[zzz2496]

You're welcome

 

[iseeuu]

Thank you, Sir. I understand. I appreciate the answer.

Hello Carl;

Hey, I ran across this in a router manual recently, and it seemed to explain the DMZ in a way that even I could understand.



Cheers!
Robert

 

[DreemWarrior]

It's the easy way to get screwed, basically...

Truer words have never been spoken

 

[CarlTR6]

Thank you, Sir. I understand. I appreciate the answer.

Hello Carl;

Hey, I ran across this in a router manual recently, and it seemed to explain the DMZ in a way that even I could understand.

View attachment 67924

Cheers!
Robert

Ah, thank you, Robert; now I fully understand. "Preciate it.

 

[zigzag3143]

OK so I had first encounter with a boat load of the buggers. I was setting up a dual boot partition (clean installed) when lo and behold defender pops up and starts to run. Now I know defender doesnt do that so I just hit cancel. Unfortunately the cancel button also spawned more nasties.

Now Im at the point where I cant open task manager, I cant go to any AV web site, and its just launching more and more processes.

I finally had a brain storm. Boot from the other partition and run a virus scan from that partition to the infected one.

After deleting, and removing 77 objects I had a clean (clean) partition.

Not feeling comfortable I re-formatted anyway.. Total time to back online cleanly was about 2 hours.

Always helps to have a win 7 installed on a USB stick. 22 minutes to install.

So be careful


Ken