Page 2 of 2 FirstFirst 12
Results 11 to 20 of 20

Thread: Account hijacked 2x in 1 week

  1. #11
    Senior Member OverdueSpy's Avatar
    Join Date
    Nov 2002
    Posts
    556
    This is a little far fetched, but with the difficulties you are having compiled with the fact that windows trojans have become better at hiding (where netstat might not be reliable), you might want to try running a port scan from a second system to see what ports your system is listening on from the attackers prospective.
    The mentally handicaped are persecuted in this great country, and I say rightfully so! These people are NUTS!!!!

  2. #12
    Ah i'd just format the hard drive and to a clean re-install of your Operating System, that way you know for sure that if there was anything on your Hard-Drive, then it will defiantly be gone when you re-install the Os..
    Everytime i get paranoid about something, i just do a quick system back up of important files, and then i format the HDisk and re-install everything.
    Fine it will take some time to get all your custom setting back into action, but it's worth it, just think Today there screwing with your e-mail accounts, Tomorrow they could be stealing your Identity and ruining your life..

    cheers
    .:front2back:.

  3. #13
    ha... or maybe u just copy some malicious file or batch from friend or school through a floppy, then place it in ur box... end up effected with some stealth program to ur box, perhaps.....

  4. #14
    aye

    [CAX Object]
    InProcServer32 = C:\WINDOWS\OPTIONS\CABS\SYSTEM\CAX.DLL
    CODEBASE = http://info.httpsgateway.com/download/dialer/cax.cab

    was the only think I saw in there that was goofy, checked it out and found this....

    http://securityresponse.symantec.com...dware.cax.html


    Not sure if just getting rid of it will fix your email problems, but at least there's one less piece to worry about...

    Greg

  5. #15
    Senior Member
    Join Date
    Feb 2004
    Posts
    201
    There are some interesting things on your HT log, but before I say anything in particular, could you please post a regular HijackThis log (not the start-up version)? It reveals a few different things that the startup listing doesn't.

    And before you fix anything:

    1) Make sure you know what it is..... manythings are important to the functioning of your pc
    2) Put HT in it's own folder or the backups will be scattered ... and this could be annoying if you need to redo somethig that you fixed.


  6. #16
    Junior Member
    Join Date
    Apr 2004
    Posts
    3
    TA, All,
    As to my ISP, they're a smaller company, and I know the local franchiser/NA real well, and he's for sure got bigger fish to fry than lit'l ol me, if he's into that sort of playing which I highly doubt... Certainly there are a new breed of much more cunning trojans, worms and virii out now and while it is a very small possibility that something came in via a floppy, it *could* have... So I'm taking the paranoid but safe way out: Back up the data and F-Disc.
    Meanwhile, 4 other web based email accounts remain unmolested including my MSN as well as my POP mail and all other website accounts.... Still not sure what to make of that since someone sure put the zap on my hotmail... I have alerted all my contacts that were possably able to be emailed from those 2 accounts to beware of any messages from hotmail, especially attachments, but at the same time to save them w/o opening. I hope something may be gleaned from the headers, but I'm not sure how much info passes into a header about whom is connected to the hotmail server and that account.....
    Thanks again everybody!!! Websword.
    Oderint dum metuant.

  7. #17
    Senior Member Raion's Avatar
    Join Date
    Dec 2003
    Location
    New York, New York
    Posts
    1,299
    Ok well here goes my 2 cents:
    You should do as front2back says and format, after formatting contact hotmail stating that you believe someone has hacked into your account, they will ask for some personal information and if the attacker has not changed any of your personal information then you should have no troubles reseting your password. And if you are using broadband 255.555.555 is your subnet mask and 3.0.0.2 would be your local IP it's an IP only you have access to just like 127.0.0.1 through that IP with the correct password you can configure your broadband connection. Hope this helps
    WARNING: THIS SIGNATURE IS SHAREWARE PLEASE REGISTER THIS SIGNATURE BY SENDING ME MONEY TO SEE THE COMPLETE SIGNATURE!

  8. #18
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    While I'm quite convinced that it might be too late to save the offending drive from the good old fdisk bearing in mind the time the OP last posted.... sorry mate.... busy.... didn't notice your reply.

    For future reference to others.....

    Overdue: Portscanning a machine to see what ports are listening on a machine potentially infected with a trojan is less useful than it used to be and will become practically useless as time goes on. As firewalls are becoming more widely used the Trojan writers are already aware that listening on a port isn't enough. "Connection shovelling" I believe is the new term where a trojan server makes the initial outbound connection on a common port. On any system this will show _no_ unusual ports listening because the "server" isn't listening - the port appears closed. So the portscan does nothing more than lull the user into a false sense of security.

    With firewalls that have egress filtering the trojan will fail the test if it does anything other than disable the firewall when it needs to or rewrites the firewall rules if it can, (your local software firewall, (ZA, Tiny, Kerio etc)), but it will continue to work on corporate firewalls because the firewall itself has no knowledge of the initiating process on the client - "if it's going out on port 80 it's a browser"..... On a machine with local egress filtering the trojan will work just fine if it either it insinuates itself into an acceptable process, (iexplore for example), as a new thread or, if the firewall is sophisticated enough to determine it's actions by "thread within process", (which I don't believe any are at present), then by subverting the entire process in the first place. If either of these can occur then corporate firewalls are useless again because the fact still remains to a corporate firewall "if it's going out on port 80 it's a browser". In the corporate world especially, the firewall will have to be integrated into the entire network, (be aware of every process on every machine and every thread within every process and that the thread itself is legitimate).... Can you say bandwidth and processor time....

    The basis for security, (while allowing for usability), will have to move to the client eventually. Hopefully it will be centralized but it will require even quite small networks to have relatively high bandwidth capability. Then local firewalls, with "thread in process" knowledge _and_ recognition of previously subverted processes, (Tripwire, MD5 checksums on activation etc.), would report to the "perimeter" firewalls and they would accept or deny requests based upon the reported process/thread.... Remember: We can't have the users deciding for themselves what might be good or bad and it is unfair to place that burden on them in the first place.

    So..... Don't trust a portscan to tell you if you have a trojan..... It isn't reliable......

    That's it in a nutshell.....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  9. #19
    Senior Member OverdueSpy's Avatar
    Join Date
    Nov 2002
    Posts
    556
    Tiger - I agree completely.

    My suggestion of an external port scan was prompted by other solutions coming up empty. I view a port scan as a tool to be used when you start running out of options, and upon encountering these type of problems. Like I said, the idea was "far fetched." However, a port scan does not take long and you never know, Websword might have gotten lucky and found an open trojan port listening, thus providing a direction to research.

    I will admit though, that I should have put in a caveat stating that a portscan should not be solely depended upon for confirmation of a trojan's presence or lack thereof, and I will make sure I do so in the future if the need for a similar suggestion arises.

    Thanks for the heads up.
    The mentally handicaped are persecuted in this great country, and I say rightfully so! These people are NUTS!!!!

  10. #20
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Overdue: I'm not saying I wouldn't try one myself..... Just that as time goes on we should probably be careful not to put a lot of stead in a "clean" scan.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •