
Thread: puzzled - tough security issue

  1. #11
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    linksys firewall
    I'm assuming you mean a router with a firewall. Wired or wireless.
    If wireless are you running any security on it?
    If so are you changing the keys regularly.

    You formatted the drive which should have removed any nasties but he could still see what you were doing. This should point to the problem not being on the PC.
    I.E.

    a) someone could monitor a wireless link if you have it
    b) someone could be looking at your traffic on the ISP side.

    Change ISP and hardwire your computer to your net connection.

    AND.... got to agree with wiskic10_4.

    Why would a stalker monitor you and email your friend?

    Are the authorities taking this seriously? Have they offered to image your drive forensically to preserve evidence? Have they contacted your ISP? Have you contacted your ISP?

  2. #12
    Member
    Join Date
    Aug 2004
    Posts
    95
    With the kind of software you have installed it seems pretty good.

    Try encrypting and sending all your e-mails with Keygloo (free software), PGP.
    If he is still able to read your e-mails then it's some malware or keylogger installed on your PC.

  3. #13
    Originally posted here by Aspman
    I'm assuming you mean a router with a firewall. Wired or wireless.
    If wireless are you running any security on it?
    If so are you changing the keys regularly
    Yeah, the Linksys thing made me think "wireless" too. Even with things like WEP keys and MAC address restrictions, your wireless network can still be vulnerable. I'd personally always recommend a software firewall if you're using wireless, and if you are sharing files between PCs on the network make sure you have strong passwords and are fully patched.

    Better still, if you know that someone is snooping, turn off wireless altogether.

    Perhaps in some way the Linksys router is compromised. That might explain how the hacker seems to be getting partial data, perhaps from the firewall logs?

    Another thing that can slip under the radar of spyware detectors is the Telnet service. Make sure that the service is disabled, else the hacker could be opening up a command line prompt on the PC without you knowing about it.

    Yes, check the hardware. Make sure there's nothing connected to the PC or installed inside it that you don't recognise. If the physical security of the PC has been compromised, then really you could have a BIG problem.

    Another possibility - there's a rootkit installed. These are things buried so deep in the system that a spyware scan wouldn't pick them up. Have a look at F-Secure's Blacklight product - http://www.f-secure.com/blacklight/ - that might find something.

    Errr and to clutch at straws a little, if everything else is secure it could be a TEMPEST-style snoop. I've never heard of anyone actually doing that, however!

  4. #14
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by dynamoo
    Yeah, the Linksys thing made me think "wireless" too. Even with things like WEP keys and MAC address restrictions, your wireless network can still be vulnerable. I'd personally always recommend a software firewall if you're using wireless, and if you are sharing files between PCs on the network make sure you have strong passwords and are fully patched.
    A software firewall will not protect you from someone snooping on your wireless connection.. IF your WEP key gets cracked anyone can read your wireless traffic..

    Try using WPA instead of WEP.. Even better.. Use a VPN to protect your wireless traffic..

    Better still, if you know that someone is snooping, turn off wireless altogether.
    This is probably the best solution until you find out who and how..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #15
    Originally posted here by SirDice
    A software firewall will not protect you from someone snooping on your wireless connection.. IF your WEP key gets cracked anyone can read your wireless traffic..
    No, but the software firewall will help to prevent your machine being compromised by someone who had managed to connect to the wireless LAN.

    I saw a good quote recently, to the effect that you should treat your private wireless LAN as just another part of the internet rather than a secure system. That seems to be a good philosophy.

  6. #16
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Tsk tsk. I'm very surprised at some of you.

    Here is what I think may be happening. There was a case that I worked on with almost identical factors. The vector of attack turned out to be a default config of the SOHO router. The vendor will remain nameless. Anyway, it made no difference that the hosts on the backend were reformatted. He was simply changing routes, reviewing logs and sniffing traffic. A few config changes on any router will provide you with hot steamy goodness in the form of data.

    So, take a clean system or boot yours with a live CD (knoppix, Whax, whatever) and then connect up to your router. Look at all the settings and be sure you've locked it up AND be sure you have the latest firmware on there.

    Second, browse the web with the live CD for a few weeks and see what happens. If he is blind to your activities, you know he has something running on your host. If not, you know he is sitting upstream or as someone said, has a hardware logging device on your PC. I have seen some excellent designs in recent days so they may be tough to spot. I've even seen one built into the keyboard itself so looking for a dongle would be fruitless.

    My guess is that if the authorities are involved, soliciting help and acting on it without coordination from police would make them even more upset. Feel free to pass my info along to them but I wouldn't act on it unless they approve.

    So in summary.

    1) Evaluate your perimeter devices. This is a real avenue of attack.
    2) Use a live CD for a while. This will eliminate or affirm certain aspects of the root cause of your issue.
    3) There's no such thing as a safe computing environment.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #17
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    Examining this from a psychological perspective we must examine why this is occurring.

    What is your relationship to the person receiving the offensive emails and what is their content?
    What has changed recently in this relationship and how does the timing of that change correlate to the start of the 'system' problems.

    Answering these questions may give you an idea of why this is occurring.

    Once you understand why, then it's possible several 'Whos' fit the bill.

    Using the above information it may be possible, with the aid of the authorities, to use a little trap I have used in a similar situation.

    Set up a web page with a random address something like

    http://www.my.web.com/QCZJYgwbtxCnkG...Nh99V/Pics.php

    pics.php:
    Code:
    <?php
      // Read the request headers. User-Agent and Referer are optional, so they
      // default to an empty string instead of relying on an undefined index.
      $BROWSER = isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : "";
      $IP = $_SERVER["REMOTE_ADDR"];
      $REFERER = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : "";
      header("Content-type: text/plain");
    ?>
    
    You are being shown this page because it is likely that you have committed a
    criminal offence. The odds of finding this page by chance on this server are
    72 ^ 36 to one - This is proof beyond reasonable doubt that you have used this
    location as placed in an email sent to a private individual. If you are not
    the individual that the email was sent to then you have either intercepted
    that email or gained access to the email account of that individual.
    
    Your details (below) have been recorded and this information will be passed to
    the police and a complaint made.
    
    Please note that any further attempts to connect to this site will be considered
    an attempt at intrusion and may result in protection measures being started.
    
    <?php
      print("Your Details\n");
      print("------------\n");
      print("Browser ");
      print($BROWSER);
      print("\n");
      print("IP:PORT ");
      print($IP);
      print(":");
      print($_SERVER["REMOTE_PORT"]);
      print("\n");
      print("Referer ");
      print($REFERER);
      print("\n");
      // The visitor controls User-Agent and Referer, so each value is passed to
      // the logging script as a shell-escaped argument. Wrapping them in plain
      // single quotes, as before, lets a quote inside the header break out and
      // run arbitrary commands through system().
      $EXECUTE = "/usr/local/bin/logdata " . escapeshellarg($IP) . " "
               . escapeshellarg($BROWSER) . " " . escapeshellarg($REFERER);
      system($EXECUTE);
    ?>
    /usr/local/bin/logdata:
    Code:
    #!/bin/sh
    # Called from pics.php as: logdata IP BROWSER REFERER
    # Every expansion is quoted so header values with spaces or shell
    # metacharacters stay a single argument.
    EVIDENCE=/tmp/Evidence
    date
    date >> "$EVIDENCE"
    echo "Originating IP :$1" >> "$EVIDENCE"
    echo "$1 IP Logged"
    echo "Browser        :$2" >> "$EVIDENCE"
    echo "$2 Browser Logged"
    echo "Referer        :$3" >> "$EVIDENCE"
    echo "$3 Referer logged"
    host "$1" >> "$EVIDENCE"
    host "$1"
    whois "$1" >> "$EVIDENCE"
    whois "$1"
    Now email the person receiving the offensive emails with an email stating you know who's doing this, you have photographic evidence, and send the link to the above page.

    Get the other party to reply to your email, ensuring the link is kept in place.

    Should you ever get anything in /tmp/Evidence the authorities can then go to the ISP of the IP captured and examine the records, and combine it with your list of 'Whos' so that they can knock on a few doors.

    I used this to catch a web programmer for a small ISP who was stalking our local vicar's daughter. He was of course the ex BF, and she was using the webmail facilities of that ISP.

    Just a thought, and remember, don't do this on your own, get the authorities involved.

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  8. #18
    Junior Member
    Join Date
    Nov 2005
    Posts
    9
    Hi guys, thanks for all the information, I wasn't expecting this much so soon...

    OK, a few more details: I have scanned for all the usual keylog threats, I have gone through about 10 bits of anti-spyware and anti-keyloggers and they have come up with nothing.

    I am on broadband and it's not wireless. The Linksys router is one of those 4 port jobs, a broadband firewall Linksys..

    Nobody else uses this machine, it's just my laptop in my flat.

    This happened at my last place; I got a job abroad and he has followed me here. I assume it was backtracking through a service that he was monitoring, so I guess it wasn't too hard, like IM.
    I thought the change abroad would stop it, i.e. different IP etc. I was somewhat naive to all of it. I had brought over a 'clean laptop' but as above, I guess if he can monitor IM chats he can follow you back to where you are from that via one of the other contact lists??

    IM AFAIK is notoriously insecure; I thought the problem was with that so I shut it all down. Basically anybody I talked to, he logged the chat and then emailed a friend with lies/details about the chat to upset them, so I closed down all IM services and uninstalled it to shut down that problem.

    The website surfing is the biggest one; it'll happen on any website that will provoke him. Yes, to the person who asked before whether it's a jealousy thing, it looks like it, but this guy or person is very serious. He hasn't done anything to my stuff from what I can see because I assume I am the avenue or conduit through which he is doing all his business.

    And as stated before, even though I have POP3 with authentication (not SSL yet) he can still read the mails, but I assume only after they have downloaded.

    I just keep thinking that he has some desktop view of my system and logs what's going on, but then I'd see a lot more activity going off my machine... so maybe it is just an exceptionally good keylogger... I don't know.

    What I stated before though is this: when I did format my machine that one time, the report I heard was that he became very angry; I assume that whatever he had breached, he had to do it again.

    My ISP is no help at all; I have asked and asked and they are just incredibly slow.

    The webpage idea I was thinking about as well, like a honeypot? I guess... and just see what would happen. May try that later this week.

    Also he seems virtually untraceable; his IPs are coming from all over the place and the police are having a hard time trying to get a hold of where this is coming from.

    This person is extremely quick to react to anything I do in terms of sending emails; it's like it's within a few hours, so they obviously have some automated monitoring system going on and collecting information I guess... this has gone on for over a year and a half.

    Again, the reason why I haven't formatted is that I've been instructed not to right now, otherwise I'd do it right away.

    Thanks again for all the help

  9. #19
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Jeez guys.....

    Quick and dirty way of finding out if he is spying or sniffing.

    Place a hub outside the firewall. Place a second NIC in the box with nothing bound to it. Download Ethereal. Run Ethereal on the new interface. Go about your business noting where you are going and what you are doing. Check Ethereal capture to see if there are unaccounted for outbound connections - this will need a 24 hour capture period since some of the spying software bundles everything and sends it in one go every day.

    So, if there are no outbound connections he's sniffing you upstream. If there are outbound connections then he is spying. Now we know what we are looking for.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
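A detection pass over the kind of capture summary that step produces, added here as an example (not code from the thread or its posters): it assumes a constructed tshark-style flow export, a constructed laptop address and the list of sites the user noted visiting, and reports the destinations the user did not account for along with the bytes sent to each, so a once-a-day bundled upload stands out in a 24 hour capture.

```python
"""Flag outbound connections in a capture that the user did not account for."""
from ipaddress import ip_address, ip_network

LAPTOP_IP = "192.168.1.10"                   # constructed: the watched host
LOCAL_NETS = [ip_network("192.168.1.0/24")]  # constructed: LAN traffic is ignored
# Constructed: destinations the user wrote down while browsing (the "noting" step).
EXPECTED_DESTINATIONS = {"203.0.113.5", "198.51.100.7"}

# Constructed flow summary in the style of a tshark field export:
# "epoch_seconds src dst dst_port bytes_out", one flow per line.
SAMPLE_FLOWS = """\
1700000000 192.168.1.10 203.0.113.5 80 51234
1700000300 192.168.1.10 198.51.100.7 443 8820
1700000600 192.168.1.10 192.168.1.1 53 640
1700043200 192.168.1.10 192.0.2.99 8080 117344
1700043260 192.168.1.10 192.0.2.99 8080 2201
1700046800 192.168.1.10 198.51.100.7 443 3100
"""


def parse_flows(text):
    """Parse the summary into (timestamp, src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((int(ts), src, dst, int(port), int(nbytes)))
    return flows


def unaccounted_outbound(flows, laptop_ip=LAPTOP_IP, expected=EXPECTED_DESTINATIONS):
    """Return {dst: (total_bytes, first_seen, last_seen)} for flows leaving the
    laptop towards destinations that are neither local nor on the noted list."""
    seen = {}
    for ts, src, dst, port, nbytes in flows:
        if src != laptop_ip or dst in expected:
            continue
        if any(ip_address(dst) in net for net in LOCAL_NETS):
            continue
        total, first, last = seen.get(dst, (0, ts, ts))
        seen[dst] = (total + nbytes, min(first, ts), max(last, ts))
    return seen


if __name__ == "__main__":
    for dst, (total, first, last) in unaccounted_outbound(parse_flows(SAMPLE_FLOWS)).items():
        print(f"unaccounted: {dst} received {total} bytes between {first} and {last}")
```

A real run would replace SAMPLE_FLOWS with the export from the Ethereal capture on the second NIC; anything reported deserves a look at what process on the host opened it.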

  10. #20
    Junior Member
    Join Date
    Nov 2005
    Posts
    9
    The other thing that happened a while ago which I think I mentioned before but I'll say again:
    when it started happening on the webmail, my accounts were compromised; they changed the security information. Needless to say, to get your account back is very difficult because you now have to prove yourself against their information, which is now different. Hotmail was terrible; it took a full 2-3 months to get even some form of a response back. Yahoo was pretty bad, although I did manage to find a phone number and talk to a live person to get access to the account to close it down properly, as my mailbox was being sent out to loads of people, which wasn't fun.
    I then got a Gmail account thinking this would be good, but even that got compromised, so I stopped with that stuff altogether. Interestingly I have several web-based accounts for work related stuff and none of them have been touched.

    Yes, I do change my passwords regularly and mix it up to make it more difficult, and I don't use the same one on every account etc.
