    Nov 2002

    Well, I didn't think it was gonna happen to me, ever. I didn't understand (nor care to understand) why people are so paranoid about their security. I laughed off those who didn't use P2P sharing.

    Anyway, this is not a rant.

    I have a Debian/Win2000 Pro dual-boot box and I reboot quite often. I use LimeWire and recently installed the new version of Morpheus (just to check it out). Enough said! In the past two or three days I noticed, when I boot Windows, that right when the desktop actually comes up but before any icons are loaded I get a small dialog box that says something along the lines of:

    "Program so and so has created an error. Blah blah. Log is being written"

    The dialog box has only one button: "OK".

    Since Morpheus comes w/ GAIN (Gator, Bonzi Buddy, I am sure you know what that is) and I tried my best to remove it, at first I dismissed the dialog box as the crippled GAIN spyware/adware trying to load, so I just clicked OK as the whole desktop loaded. After a while I noticed that performance had degraded, and after further investigation I discovered that the CPU usage was peaking at 100% every 2 seconds. Hmmm. I decided to investigate.

    I rebooted again. The dialog box came up again, but the name of the program was different than before. I clicked "OK". CPU kept going up and down. I rebooted again and again; same dialog box, the program name always different. I noticed a pattern: the program name, although different, always followed a format: Xxx1.exe ("X" stands for a random letter in capital and "x" for a random letter in lowercase). Since "Search" could never find the program after I hit "OK", on my next reboot I left the dialog box hanging and searched again. This time the exe was found in "C:\Program Files" (not in any application folder, just by itself). Get this: it was only 10k long, and after I clicked on the dialog ("OK") it vanished!

    The next step: "netstat" showed 4 connections to different IRC servers (one was in Italy) on the standard port 6667. ...cold hands and a lot of cursing...

    Although I was pissed, I realized that this was an opportunity for me to actually learn something. I decided that after I returned from work I would try to identify and quarantine the problem.

    Next day:

    I noticed that the connections had doubled. Some were SNMP, some IRC, some HTTP. One of the IRC servers was irc.aol.com. I connected to it and saw more than 2500 channels. How am I gonna do anything here? (Does anyone know how to determine a channel just by seeing the connection to a server?)

    My next step was to install Norton AntiVirus. (I know, I know...) Of course it wouldn't load from the CD, so I copied the Win2000-specific install folder to the Desktop and installed it. I rebooted and yes... it didn't run. (Let me hear you say anti-anti-virus protection.) So I decided to use an online scanner from the makers of PC-cillin. Imagine my horror to realize that 34 files were infected w/ the KLEZ worm, 1 w/ the DEVINE trojan, and some more w/ various IRC bombers and IP flooders. (I think, after learning about KLEZ, that the flooders were part of its payload.) First I deleted (manually... I know) all the files in question. That got the number of infections down to 7. Then I used the Symantec KLEZ removal tool, which of course didn't run in safe mode (like Symantec recommended), only on regular startup. I'm not gonna make this any longer than I have to, soooo: basically, after 8 hours all together I said "**** it" and installed Debian throughout the whole HD.

    The moral of this story: if you use Windows, install a firewall, install AV software, and don't download files and just run them w/out proper quarantine. I was pissed, and for the first time in my life passed up on sex because of some dickhead script kiddy.

    I guess live and learn... I just thought I'd share this.
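The triage the poster did by hand (reading `netstat` for IRC connections, hunting for the `Xxx1.exe` dropper) can be reduced to a few lines of detection logic. What follows is an added example, not code from the original post or from any tool named in the thread. The netstat listing it parses is constructed in the Windows 2000 `netstat -an` layout; the port set beyond 6667 (6660-6669 and 7000) and the exact filename regex are assumptions based on common IRC and dropper practice, not something the thread states.

```python
"""Triage helpers for the incident described above: flag outbound connections
to IRC ports in `netstat -an` output and spot executables whose names match
the Xxx1.exe pattern. Added example; sample data is constructed, not captured
from the poster's machine."""
import re
from typing import Dict, List

# 6667 is the standard IRC port the poster saw. The rest of the range and 7000
# are an assumption: other ports IRC networks commonly listen on.
IRC_PORTS = set(range(6660, 6670)) | {7000}

# One capital letter, two lowercase letters, the digit 1, ".exe" (assumed from
# the poster's description of the naming pattern).
DROPPER_NAME_RE = re.compile(r"^[A-Z][a-z]{2}1\.exe$")

# Constructed `netstat -an` output in the Windows 2000 layout. Addresses are
# documentation ranges (RFC 5737), not real servers.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.5:1035       198.51.100.22:6667     ESTABLISHED
  TCP    192.168.1.5:1036       192.0.2.9:80           ESTABLISHED
  TCP    192.168.1.5:1037       203.0.113.44:7000      SYN_SENT
  UDP    192.168.1.5:161        *:*
"""


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Parse netstat lines into dicts. Header lines and UDP rows (which carry
    no state column, so only three fields) are skipped."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue
        proto, local, foreign, state = parts
        remote_ip, _, remote_port = foreign.rpartition(":")
        rows.append({
            "proto": proto,
            "local": local,
            "remote_ip": remote_ip,
            "remote_port": int(remote_port) if remote_port.isdigit() else -1,
            "state": state,
        })
    return rows


def irc_connections(text: str) -> List[Dict[str, object]]:
    """Rows whose remote port is an IRC port, excluding plain listeners.
    Half-open states such as SYN_SENT are kept on purpose: a bot retrying a
    dead C2 server still gives away where it is trying to go."""
    return [
        row for row in parse_netstat(text)
        if row["remote_port"] in IRC_PORTS and row["state"] != "LISTENING"
    ]


def suspicious_names(names: List[str]) -> List[str]:
    """Filenames that fit the Xxx1.exe pattern the poster observed."""
    return [name for name in names if DROPPER_NAME_RE.match(name)]


if __name__ == "__main__":
    for row in irc_connections(SAMPLE_NETSTAT):
        print(f"IRC? {row['remote_ip']}:{row['remote_port']} ({row['state']})")
    # Constructed directory listing standing in for C:\Program Files.
    listing = ["Abc1.exe", "notepad.exe", "Xyz1.exe", "abc1.exe", "Abcd1.exe"]
    print("dropper candidates:", suspicious_names(listing))
```

On the poster's question about channels: a socket listing only ever shows the server endpoint. The channel name travels inside the IRC session (the `JOIN` command after login), so it can only be recovered from a packet capture of that traffic, not from `netstat`.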

    Jan 2002
    I guess that is the best way to learn.

    You really don't think about all the security issues until something happens to you. When you find out exactly what happened... you just keep reading and trying to protect yourself/others from the same "horror" that you went through.

    That is how I got into it. Experienced a security breach and I just kept on reading!

    While it is bad that you had to experience that... it is also good, 'cause most likely you won't again.

    Don't forget though... just 'cause you're using Linux doesn't mean that you are invincible from the world wild web. You need to have the same precautions on a Linux box as you do on an M$ box. This is a big misconception of users of *nix... IMO
    Jan 2003
    Next time sex first, comp later =P

    I had a virus on my comp at one stage, though not to the extent described here. It still sucks though when you need to do all that fiddling around just to get your computer back to the way it was.
    Also, backup of data is important for times when your HDD decides to die on you.

    Dec 2002
    When I first came to AO, I had no idea of the many ways there were to protect yourself, let alone how many ways there were to break into a computer. How foolish of me to be satisfied for so long with just a simple AV. So very, very silly.
    Dec 2002
    Well, incidents like that really make you more conscious and concerned about this issue. Personally, I think that learning from your mistakes is quite romantic, but I prefer learning from someone else's. Much less trouble. Now, just be cautious, not paranoid.
    Ah, phishphreek80: you're right. And some Linux distros may have running services you will never use, which is another thing you should bear in mind. Anyway, the OSes don't share the same problems, but they indeed do have them.
    Worse than thinking "it will never happen to me" in the security field is not using a condom while thinking the same thing about sexual diseases. This is really something to worry about. Use the other 30% worry level in computer security.

    Nov 2002
    Well, the only reason I installed Linux on the whole HD was because I didn't have the Win2000 install CD w/ me and I just couldn't bear to know and see that partition sitting there anymore.

    Linux is inherently more secure than Windows as far as viruses go (unless you're running as root), so although it's not 100% safe, your box is more likely to be hacked than infected.

    Also, Linux is pretty much exposed to the user in its entirety. You can find out the source files of processes. Everything's there for you to see. On the other hand, looking for something like KLEZ (it's really sophisticated) on a Windows box is like looking for a needle in a haystack.

    Jul 2002
    Yeah, I got GAIN... There are ways of getting rid of it.

    What I did was remove whatever I had installed that came with GAIN. Either move it or lose it. Then, once GAIN cannot find the "GREAT" product you installed, you should be able to uninstall GAIN.

    Sep 2001
    Hmm, well, one policy I follow when I install an OS on a box or use a box: I delete any stuff I don't NEED. Protocols, software, services, etc. If I don't need them, they go bye-bye. And like a newly bought house, you fumigate the house before living in it to make sure no nasties will be there when you move in, so I usually download patches and scan for errors and viruses and defrag and make an image of the HDD, and it's all done. The whole process could take a whole day.

