
Thread: Getting back at a Cracker

  1. #11
    Senior Member
    Join Date
    Mar 2004
    Posts
    139

    Apart from getting rid of the 'bug', you said you wanted to get even, provided there is someone to get even with. I'd be careful. What you may want to do is collect as much information about the system and what is installed on it, let's say by ghosting the image.
    Quarantine the drive that the image is on. Now you can do a clean install, and have a record, should you be able to track an IP.

    I'm not an authority on this, just an idea, albeit the fact that you'd need some resources.
    Plus I would contact the authorities if you have a case. You just might help in nabbing someone that has done this to others. But you'll need proof, hence the need to document everything.

    Sounds like your sis should have a word with her bank as well. They may be able to give both of you more advice, if at least to protect her account.

    edit: sorry, you already contacted the bank....I'll pay better attention...

  2. #12
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmm,

    What is the name of the keylogger?

    I am thinking that before you consider disassembly and anything fancy, it might help to know what it is, how it works, and potentially, how it got there?

    There are two basic sorts of keylogger: skiddie stuff and professional software. If it is a professional app, then your sister may have a bigger problem than either of you appreciate at present?

    If it is a skiddie tool then there is a reasonable chance that you could pick up the generator toolkit and find out how it works............it may even contain its own decompiler?

    Cheers

  3. #13
    Maybe you could pick up the packets going in and out with ethereal? That would give you an IP possibly. Nmap for open ports, maybe the keylogger has one opened. Then hit it with a display filter in Ethereal.

    Doesn't necessarily mean that anyone connected to it is the person that placed it. If this is college we are talking about, use a display filter to see what IPs in the same network are communicating with the box. Then see which packets are malicious. Hopefully (or not) you can see the logged keys in plaintext in the packets being sent.

  4. #14
    Senior Member
    Join Date
    Jul 2003
    Posts
    634
    She's on a ResNet (residents network), on my ResNet last year it was a constant battle to prevent attacks, I had attempted DoS and Intrusions most days, which was fun :-)

    It really wouldn't surprise me if someone had had physical access to her computer, especially at my place. I figured out a way to open any corridor door within about 4 days of arriving.....which led to them "patching" the doors, because some plank used it in front of some official...I wasn't arsed cos it needed doing (We only did it for pranking the girls' corridor..once my corridor made ice cubes in 2 Curver boxes that were about 2ft x 1.ft x about 1ft deep to place in someone else's toilet....(don't ask me why, uni's such a random place)), people also took great pleasure in reversing the program called virtual gay and placing that on the desktop so it couldn't be removed, which led to a little bloke dancing around naked on your screen, and also changing the desktops was a common "trick".

    So anyway, back to my point! Your sister's security needs to start at a physical level, this is key...set up a BIOS password and logon password, turn the computer off when it's not in use. Then get a spyware (ad-aware) removal program, AV (norton anti-virus), firewall (sygate).

    The ones in brackets are programs I would recommend and have used personally.

    Has she turned off network sharing?? It's easy to create batch files to scan an entire campus to find people with network shares open, so she needs to switch this off.

    i2c

  5. #15
    Okay, right now the computer is sitting downstairs, with zone alarm running, not allowing ANYTHING to access the network. I ran antivirus and it found nothing. If I actually do get the IP address of a server out of this (and it's not just a proxy) what are the chances of me actually being able to get the kid back? (I assume it's a kid because you've got to be a pretty big lamer to install a keylogger on some random girl's computer)
    Even if your plane crashed tonight you'd find some way to disappoint by not burning in the wreckage or drowning at the bottom of the sea

  6. #16
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    If I actually do get the IP address of a server out of this (and it's not just a proxy) what are the chances of me actually being able to get the kid back? (I assume it's a kid because you've got to be a pretty big lamer to install a keylogger on some random girl's computer)
    0 Chance

    Please answer some of the questions that we asked you earlier, perhaps we can get somewhere once those questions are answered.

  7. #17
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    new_

    Just some food for thought. Some animals hunt in packs. If you decide to take action on your own. Your skill set better be pretty good or you'll find all kinds of challenges awaiting you. Additionally, you will most likely get hit from all sides so to speak.

    Some great advice has been passed onto you. Heed those previous posts about isolating, cleaning, and prevention etc.

    cheers.

  8. #18
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    what are the chances of me actually being able to get the kid back
    Judging by the level of your questions, Zero. If you do happen to get an IP, how will you be able to tell if it's a proxy or not?

    Keyloggers are, for all practical explanations, not viruses. They have perfectly legitimate uses such as workplace monitoring. Hence, I'm not surprised an anti-virus turned up nothing. And since you don't even know for sure what it is you are looking for at this point, you may have the horse pushing the cart at present.

    Try going to your cmd window and run <netstat -an> and see what ports are open and listening...post back your results..(If I got that wrong, someone please correct me, I hardly ever use it)

    As for actually getting back at the person who did it, unfortunately, unless an actual crime has been committed, you are S.O.L.. If it was bounced through a proxy, you will need to be able to procure search warrants for the proxy, and they don't just sell 'em at Wal-Mart. Even if you were able to trace it back to a specific ISP, again, the search warrant issue comes into play.

    As nihil stated above, depending on the "strength" of the application, your results are going to vary anyway. If it's a kid, nothing is going to happen. Chances are you are the one that is going to get in trouble. If it's a professional type keylogger, then it may have a means for tunneling through the firewall, and may at this moment be transmitting data back. And if it is professional strength, you will need law enforcement involvement.

    I'm sure others here are willing to help you track down your 'nasty'; we all love a good puzzle, but as far as getting back at anybody, forget it. It just isn't going to happen.

    EDIT: I can understand your enthusiasm though, it's just we need to be realistic. You have an entire cavalry here to help you find and remove your malware, but as far as helping you get back, the cavalry knows better, and will leave you with boots swinging in the breeze.
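An added example, written for this edit and not code from any poster in the thread: a small Python script that parses `netstat -an` output in the format Windows prints (as post #18 suggests running) and reports which ports are listening and which remote hosts hold established connections, flagging any peer on the same campus network as post #13 describes. The sample netstat output, the baseline of ports considered normal, and the 10.20.30.0/24 network range are all constructed assumptions for illustration; run it against real `netstat -an` output and your own network range to get a defender's picture of what the box is talking to.

```python
import ipaddress
import re

# Constructed sample in the layout Windows `netstat -an` prints.
# Every address and port here is made up for the example.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    10.20.30.40:1051       10.20.30.77:4444       ESTABLISHED
  TCP    10.20.30.40:1052       198.51.100.9:80        ESTABLISHED
  TCP    10.20.30.40:1053       203.0.113.5:443        TIME_WAIT
  UDP    0.0.0.0:137            *:*
"""

# One row: protocol, local endpoint, foreign endpoint, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Assumed baseline of ports this machine is expected to listen on (Windows
# RPC/NetBIOS/SMB); anything else is worth explaining.
EXPECTED_LISTENERS = frozenset({"135", "137", "139", "445"})


def split_endpoint(endpoint):
    """Split 'host:port' from the right so IPv6 literals like [::]:135 survive."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Return one dict per connection line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({
            "proto": proto,
            "local_host": lhost, "local_port": lport,
            "remote_host": fhost, "remote_port": fport,
            "state": state or "",
        })
    return rows


def unexpected_listeners(rows, baseline=EXPECTED_LISTENERS):
    """TCP ports in LISTENING state that are not in the expected baseline."""
    found = {(r["proto"], r["local_port"]) for r in rows
             if r["state"] == "LISTENING" and r["local_port"] not in baseline}
    return sorted(found)


def established_peers(rows):
    """Remote (host, port) pairs with a live connection, in netstat order."""
    return [(r["remote_host"], r["remote_port"]) for r in rows
            if r["state"] == "ESTABLISHED"]


def same_network_peers(rows, network):
    """Established peers inside the given network, e.g. the campus /24."""
    net = ipaddress.ip_network(network)
    hits = []
    for host, _port in established_peers(rows):
        try:
            if ipaddress.ip_address(host) in net:
                hits.append(host)
        except ValueError:  # '*' or a hostname rather than an address
            continue
    return hits


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("unexpected listeners:", unexpected_listeners(rows))
    print("established peers:", established_peers(rows))
    print("peers on campus net:", same_network_peers(rows, "10.20.30.0/24"))
```

Anything reported as an unexpected listener or as a same-network peer is a lead to document (as post #11 says, keep a record), not proof of who planted anything; post #13's caveat that a connected host is not necessarily the one that installed the keylogger still applies.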

  9. #19
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Groovicus has the correct answer.....

    If you have to come here to ask how to find your enemy then you probably don't have the level of skill to protect yourself properly when you do. That being the case, you create two victims rather than one.

    Best to use the old adage of the First Aider, (responder), here..... Don't put yourself in danger.... Add to that Sun Tzu.... Know your enemy...... You are missing stuff in both areas IMO.... Thus, format the box, reinstall from trusted media, protect it for the future and move on..... It isn't really worth the grief......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
