
Thread: Hello...Cracking my accounts

  1. #11
    Senior Member
    Join Date
    Dec 2001
    Posts
    134
    Originally posted here by Qualm
    Smart trojan users will install redundant trojans, keyloggers, etc. Then they'll keylog your passwords and steal your files, and then they'll mess with your head.
    A smart trojan user would never let you know they were there, so that they could continue to gain information, if there is such a thing. And even if they have many trojans installed, most of them can still be removed; many AV programs have heuristics that will even find small programs that were written by the cracker themselves and not just downloaded off some Geocities webpage. As for keyloggers, it can be a little harder if they don't send information out. I could be wrong, but I don't think that simple checking of what is typed is something that sets off alarms in most AV heuristics, as many word processors do this for spell checking, albeit in a slightly different way. You already installed a firewall, so if you see odd connection attempts from programs that don't make sense then look into it, as it could be a keylogger trying to email its daily capture if it's set up to do that. Other than that, look for folders with growing text files, then start looking through running processes for something out of the ordinary. I know what every process on my machine is, so when something shows up I know someone's been messing with my computer.
    Reality is the one who has it wrong, not you

  2. #12
    Junior Member
    Join Date
    May 2003
    Posts
    23
    Originally posted here by CarefulEugene
    I have used EBay & Paypal
    I would suggest logging in to your eBay and Paypal accounts from a computer you are reasonably sure is clean, and changing your passwords ASAP. You can set eBay to not automatically log you on when you connect, which is what you should set until you are sure there are no keyloggers left running on your machine.

    There are four principal areas where, on an average system (meaning not one that has anything special like an Intrusion Detection System loaded on it), you will find traces of trojans and other active security breaches:

    1. Your firewall logs - as you've already mentioned, your firewall will log a lot of nasty activity such as programs and people trying to connect to ports which are blocked.

    2. Open ports and the programs connected to them - a good port scanner/port monitor like Active Ports will tell you what ports are open, what IPs are connected to them, and what programs are listening on them. Do Google searches on specific open port numbers and listed programs; you will learn a lot that way.

    3. Suspicious registry entries - specifically, programs set to automatically run at startup which you don't recognize or are otherwise suspicious. Again, google searches will tell you a lot about what's legitimate and what isn't normal.

    4. Running processes (task manager, process window). This is where you'll find the harder to detect (and nastier) stuff. For example (just an example, this is rare and advanced hacking), if you see a .txt file listed as a running process, that's a major alarm bell because you've likely been hacked by someone who is sophisticated enough to exploit a specific "feature" of certain Microsoft OSes. Google anything odd you see (most of the processes there are cryptically named but perfectly normal).

    What I'm trying to say is, don't rely on AV and anti-trojan scanners exclusively, particularly NOT on an already-cracked system. Really vicious trojan users will crack a system, install a backdoor or three with detectable signatures, and then customize and recompile from downloadable sourcecode an undetectable (by commercial scanners that is) backdoor. You can still find that one though if you know where to look for traces (see above) and do your homework.

    - Qualm
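Points 2 and 4 of the post above, done together as an added example that is not code from the post or from any tool it names: a Python script that attributes listening ports and live connections to the process behind them, the way you would do by hand with Active Ports, by parsing the column layout of `netstat -ano` joined with `tasklist` (both present on Windows XP and later, not on Windows 98). The sample output, the PIDs, the image names, the documentation-range remote address 203.0.113.7 and the baseline of expected listeners are all constructed for the example.

```python
"""Attribute open ports to the processes behind them (added example).

The constructed samples below imitate the column layout of `netstat -ano`
and `tasklist` on Windows XP and later; the data, the addresses and the
baseline of expected listeners are assumptions made for this example.
"""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto lport rhost rport state pid")

# Constructed sample of `netstat -ano` output (not from the thread).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING       1460
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1031       203.0.113.7:4000       ESTABLISHED     1460
  UDP    0.0.0.0:500            *:*                                    616
"""

# Constructed sample of `tasklist` output (not from the thread).
TASKLIST_SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System                         4 Console                 0        216 K
svchost.exe                  712 Console                 0      4,312 K
lsass.exe                    616 Console                 0      1,900 K
readme.txt                  1460 Console                 0      3,100 K
"""

# Assumed baseline: listeners this host is expected to have (proto, port).
# Build it on a machine you trust, not on the one you suspect.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 500)}

# UDP lines carry no State column, hence the optional group before the PID.
_NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+(\S+):(\d+|\*)"
    r"(?:\s+([A-Z_]+))?\s+(\d+)\s*$"
)
_TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_netstat(text):
    """Return a Conn for each TCP/UDP line; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if m:
            proto, lport, rhost, rport, state, pid = m.groups()
            conns.append(Conn(proto, int(lport), rhost, rport, state or "", int(pid)))
    return conns


def parse_tasklist(text):
    """Map PID -> image name from tasklist output."""
    images = {}
    for line in text.splitlines():
        m = _TASKLIST_RE.match(line)
        if m:
            images[int(m.group(2))] = m.group(1)
    return images


def triage(netstat_text, tasklist_text, expected=EXPECTED_LISTENERS):
    """Join the two listings and return what is worth a Google search.

    unexpected_listeners : (proto, port, pid, image) not in the baseline
    odd_images           : (pid, image) where the image is not a .exe
    outbound             : (image, pid, rhost, rport) established connections
    """
    conns = parse_netstat(netstat_text)
    images = parse_tasklist(tasklist_text)
    unexpected, odd, outbound = [], [], []
    for c in conns:
        image = images.get(c.pid, "<unknown pid>")
        is_listener = c.state == "LISTENING" or (c.proto == "UDP" and c.rhost == "*")
        if is_listener and (c.proto, c.lport) not in expected:
            unexpected.append((c.proto, c.lport, c.pid, image))
        if c.state == "ESTABLISHED":
            outbound.append((image, c.pid, c.rhost, int(c.rport)))
    for pid, image in sorted(images.items()):
        # The kernel pseudo-process "System" has no extension; anything else
        # that is not an .exe (a .txt "process", for instance) is the alarm bell.
        if image.lower() != "system" and not image.lower().endswith(".exe"):
            odd.append((pid, image))
    return {"unexpected_listeners": unexpected, "odd_images": odd, "outbound": outbound}


if __name__ == "__main__":
    for key, rows in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        print(key)
        for row in rows:
            print("   ", row)
```

On a real machine, save `netstat -ano` and `tasklist` output to files and pass their contents to `triage()`. The baseline is per-machine, so an entry under `unexpected_listeners` is a question, not a verdict; the combination that matters is a listener outside the baseline whose PID maps to an image that is not a proper executable, plus an established connection from that same PID to an address you cannot explain.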

  3. #13
    I don't want to underestimate the guy, but this may give a clue as to how smart he is (or how confident he is that he can bust me; take your pick). He had actually sent me an e-mail telling me he was going to be cracking my accounts. Pretty poor English was used ("Please to cry, I am to be cracking all your accounts", etc.).
    After doing the scan on my system this thing came up as an exploit: PRegScheduler. I dumped it since I didn't know what the hell it was.
    One last thing... This is the IP that just keeps on coming up on my firewall alert: 63.141.176.130.
    What do you guys recommend I do with it ?

  4. #14
    I got this off that IP, but I think I might have done the wrong search. You never know... this might actually be the right admins, address, etc.

    63.140.0.0 - 63.143.255.255
    WINSTAR
    1577 SPRINGHILL ROAD
    VIENNA, VA, 22182
    US

    --------------------------------------------------------------------------------

    Winstar
    ipadmin@winstar.net
    +1-888-466-3662

    --------------------------------------------------------------------------------


    63.141.176.128 - 63.141.176.159
    BOSS INTERNATIONAL
    1701 E WOODFIELD
    ROSEMONT, IL, 60173
    US

    --------------------------------------------------------------------------------

    ROSENGARD, ROBIN
    rrosengard@bossintl.com
    +1-847-413-1000
    --------------------------------------------------------------------------------

    And thanks to |The|Specialist I was able to DL his port scanner and I picked up these ports: 21, 25, 110, 135, 139, 389, 515, 1002, 1028, 1031, 1720 & probably others.

  5. #15
    Senior Member
    Join Date
    Dec 2001
    Posts
    134
    Qualm's got the 4 major points there for getting rid of a serious cracker. I mean, we are talking about a home computer, and the fact that he's sending emails to CarefulEugene shows that he's probably doing this more for shits and giggles than for any personal gain, because if he continues now that he's known about he has a 500% better chance of getting in serious trouble if he decides to take over any serious accounts like PayPal, so long as CarefulEugene logs his IP and reports it. Authorities may not think much of people stealing home users' email accounts, but when they start taking money they'll listen a little better, though how much depends on the authority.

    As for the IP, where are you from? Does this IP show up when the attacker does things to your computer? Because if you're on dial-up it could just be one of your ISP's computers checking to see if you're still online. Granted, it could also be the attacker; I'm just saying to check all IPs running through that firewall and check their domain against your own to help narrow it down. A good way to check would be to close all programs like MSN Messenger/ICQ or anything that sends data out to the internet and then see what IPs are still trying to connect to your PC. If one shows up out of nowhere and attempts to connect to a high port (1000s and up) then it's a good bet that that's the IP you're after.

    One last thing, as was already mentioned: any online passwords, go to a different computer and change your passwords ASAP. If the cracker doesn't get to them before you change the passwords then it will save you a lot of trouble. But don't do it from your computer, as any keyloggers/trojans still there may catch the passwords anyway. Not to mention, if you change the passwords then he'll be back to try and find them again, and you'll have a better chance at getting his IP and reporting him to his ISP.

    I also just checked out the web addresses that Amanda gave. winstar does not have a website on winstar.net, but bossintl.com does, and it seems to be a forum for engineers. Meaning someone's using one of their servers to bounce off of, one of their admins/employees is decidedly being a moron, or someone's little kid is having some fun off daddy's computer which happens to be part of that network. I'd recommend sending an email to their tech support address support@bossintl.com and telling them what has happened and that you keep seeing that IP popping up on your firewall. Chances are they'll check the server, if that's what it is, and the cracker will lose his ability to bounce off it, or they'll get fired if it's someone who works there actually doing it.
    Reality is the one who has it wrong, not you

  6. #16
    Junior Member
    Join Date
    May 2003
    Posts
    23
    PRegScheduler is unlikely to be the entry point, although it can certainly be safely removed. See this discussion: http://www.annoyances.org/exec/forum/win98/n1009837867. It's possible the "legitimate" registration reminder program was replaced by a trojan, but given the level of intelligence this guy is exhibiting, that's unlikely.

    As Pecosian recommended, send an e-mail to support@bossintl.com with the details of what has been happening (i.e. that IP is showing up in your firewall log and you suspect it's a compromised machine being used to attack you).

    I'd also send an e-mail to abuse@winstar.net - Winstar is Boss International's domain registrar and/or ISP, and that *should* be a working e-mail address if they follow accepted norms.

    - Qualm

  7. #17
    I agree that you should install everything over. I have personally used The Cleaner; it's very good, but a trial. It should work though. But to prevent this, try to scan anything before you download it. Don't use P2P or anything else like it.

  8. #18
    Noia (Now, RFC Compliant!)
    Join Date
    Jan 2002
    Posts
    1,210
    oh for the love of mike!
    Get an AV like McAfee, keep it up to date every day.
    Get a firewall; may I recommend Outpost (www.agnitum.com, it's free and very, very good).

    Then you can use The Cleaner to get rid of that pesky trojan, even though, with a firewall in place, it's harmless (more or less).

    Then, do as I said above, and change your passwords to something hard... NOT 123password or some crap like that...

    Now... if I see one more post about formatting because of a bloody trojan I'll beat you all with a stick! :P

    - Noia
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    And no one can recall the gentle features of the queen's face on that fair day, when the land here rested in holy peace and everyone had love to love with.

  9. #19
    Senior Member
    Join Date
    Dec 2001
    Posts
    134
    So who's this mike fella and why's he so great? And why did everyone give up on pete??

    I'd agree with Noia about not formatting. I fight with local PC shops when they tell me to format a friend's PC because of something simple like that; then I just go and remove it and they're amazed half the time. I think there should be some kind of course you have to take, or some test to prove you're not just some guy who knows how to install Windows so you think you can solve any problem with it. I could install Windows 3 days after I got it for the first time, and I was 13 at the time... ah well, I suppose it's why people come to me before they let some of the local stores touch their PCs.
    Reality is the one who has it wrong, not you

  10. #20
    You said that your Hotmail account was cracked, so he could have used that recent flaw in Hotmail; he might not even have a trojan, but you should still scan your hard drive nonetheless.
