puzzled - tough security issue - Page 3
Page 3 of 7 FirstFirst 12345 ... LastLast
Results 21 to 30 of 62

Thread: puzzled - tough security issue

  1. #21
    Junior Member
    Join Date
    Nov 2005
    Posts
    9
    Also regards to the stuff about being 'fishy'...let me explain some more, basically my friend and I have been great for friends for several years and we are not dating. We wrote a hell of a lot of mails to each other in that time, again i was nieve in using webmail so much and that account was hacked and the mails were sent out to lots of people These were personal mails between myself and her. This is where someone somewhere has obviously read them and lost the plot completely. It could be anybody! This guy? seems to want us to stop talking completely. Btw this isnt one of her friends or one of mine we've gone through everybody with a fine toothcomb. Anyway if i even so much as look at somebody online on a dating site as an example (not login, register or talk with anyone), she'll get ane mail about from this person with all kinds of threats ands so forth. I've obviously had to try and stop any kind of web surfing that would provoke him to send her more stuff and its very hard, even the simplest stuff can do it..

    When i said about the email being full of unrelated stuff i meant the following.

    If i send a mail out where i write to a female friend he seems to zero in on these and use the information that is sent back to me or sent from here. I dont know which because i have very little information on what he is actually writing. The authorities are keeping all the information held until they get more information on the culprit. This is equally frustrating for me because i want this stop as much as my friend this is way beyond me and my knowledge about how some weirdo can be snooping my system like this...

    Anyway when i said i had sent an email from work to here, i sent 2 words in it and on the surface you could think they were women names (very very loosely related) and they were infact real estate developers.....this person thought they were women and wrote to my friend again threatening her saying i was upto this and that with these 2 people which clearly i wasnt.
    The fact that they got hold of the information after it had arrived here which only i knew about tells me it has to be something on here, given the fact they seem to get information from all kinds of other activity aswell.
    This particular example cant be keylogging unless he has installed something at work which he may or may not of done, i think its very unlikely given its got about 100$ million dollars worh of secrutiy and a 24/7 dedicated IT team monitoring that stuff..

    Anyway hopet he extra information is useful, i am all out of ideas apart from the webpage thing which like i said previously i will give a try...

  2. #22
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    From any machine not your own, go out and setup a gmail account. DL and burn a unix based live CD and then conduct your tests again using the Live CD and the gmail account. Smart money says that if he has something local, it will be useless when you boot from your live CD and you'll know right away where the problem is. This is only half the battle. Once you know where the problem is, you have to discover the root cause. In your case, how does he continue planting things on your host. Truthfully I haven't seen too many people skilled enough to maintain an operation like this long term without getting caught.

    I hinted to the advice Tiger gave but stopped short of telling you to sniff traffic on your own. If the police IT people are involved, it should have been the first thing they did. If not, get some new police IT people. The point is that they should be versed in collecting forensic data in a way that can be used in court, not you.

    Also, the dude is simply using random proxy servers which is a very common technique. This is why the IP always changes. Again, the police have the facilities needed to follow the chain back to the source if they choose to do so. There are very few international ISPs that do not cooperate. Hopefully he didn't use boxen from those regions.

    Anyway, resolution to this issue is close at hand. Do the right thing and work with the authorities since you decided to involve them. You have the advice needed to continue from those who responded in this thread. Act on it. Report back.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #23
    Junior Member
    Join Date
    Nov 2005
    Posts
    9
    Re: dynamoos post

    Limksys router is compromised? Dont know that...i changed the password a little while back and it appeared to make no difference. One thing is it does disconnect from time to time and send me some ip data with packets dropped....?
    Sygate has tons of ports turned off aswel, only the critical ones are left from what i can tell.

    Telnet service is disabled

    Physical security has not been compromised

    No root kits installed i did check this when reading up around the subject ages ago..

    no idea what a tempest-style snoop is!!!

    Anyway i'm on windows xp pro sp2 - i am losing hope in windows so many security flaws its scary, maybe i should just goto a mac or something to surf and do some work on, some what of an expensive way with no guarantees that'll fix the prob i guess esp if he is just monitoring packets and doesnt have anything on my system..

  4. #24
    Junior Member
    Join Date
    Nov 2005
    Posts
    9
    Here is my hijack this log...again apologies for the sheer weight of anti-spyware etc stuff going on, just desperation...

    Logfile of HijackThis v1.99.1
    Scan saved at 7:33:39 AM, on 11/7/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\mysql\bin\mysqld-nt.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\PivX\PreEmpt\loadsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\GhostSurf 2005\DeleteSvc.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\GhostSurf 2005\Proxy.exe
    C:\Program Files\PivX\PreEmpt\PreEmptST.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\PivX\PreView\preview.exe
    C:\Program Files\InterMute\SpySubtract\SpySub.exe
    C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
    C:\Program Files\GhostSurf 2005\Protector.exe
    C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Simon\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.ca/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
    O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf 2005\SCActiveBlock.dll
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [Aluria Security Center] C:\Program Files\Aluria Security Center\SecurityCenter.exe /minimize
    O4 - HKLM\..\Run: [GhostSurf Reminder] "C:\Program Files\GhostSurf 2005\Privacy Control Center.exe" reminder
    O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\system32\mdm.exe
    O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
    O4 - Startup: Protector.lnk = C:\Program Files\GhostSurf 2005\Protector.exe
    O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
    O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
    O4 - Global Startup: PreEmpt.lnk = C:\Program Files\PivX\PreEmpt\PreEmptST.exe
    O4 - Global Startup: PreView.lnk = ?
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1119804189432
    O18 - Protocol: aim - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: shell - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
    O23 - Service: AL_ADSService - Unknown owner - C:\PROGRA~1\ALURIA~2\AL_ADS~1.EXE (file missing)
    O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\PROGRA~1\ALURIA~2\ascserv.exe
    O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
    O23 - Service: DeepSight Extractor Service for NPF03 (ExtractorServiceNPF03) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF03.exe
    O23 - Service: DeepSight Extractor Service for NPF04 (ExtractorServiceNPF04) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: PreEmpt (qfcoresvc) - PivX Solutions, Inc. - C:\Program Files\PivX\PreEmpt\loadsvc.exe
    O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Tenebril antispyware satellite (TNBRLDS) - Tenebril Inc. - C:\Program Files\GhostSurf 2005\DeleteSvc.exe

  5. #25
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    *Cough*

    Why are you running a webserver on this box?
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  6. #26
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    *Cough* Why are you running a webserver on this box?
    What Tiger Shark said (damn smallband).

    Also you have some spyware isues to take care of "partypoker.exe" ?!

    C.
    Back when I was a boy, we carved our own IC's out of wood.

  7. #27
    Junior Member
    Join Date
    Nov 2005
    Posts
    9
    i make websites - but this stuff was happening before the webserver was installed anyway?

  8. #28
    Junior Member
    Join Date
    Nov 2005
    Posts
    9
    well partypoker was actually installed only a couple of days ago but ive uninstalled it , typical it leaves something behind. I will get rid of what it has left..

  9. #29
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Off topic


    *Cough* Why are you running a webserver on this box?

    Man...your slick Tiger....

    Welcome back

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  10. #30
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,528
    and you need to 'sterilise' the post too

    left details in ............
    you never know who else is lurking on AO
    it COULD be where he learnt everything he knows
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides