I'm 99.999% sure I just got owned

[Jonesy69]

Allow me to explain what happend, I'll include some snipits from Event Viewer, and what happened in order from first to last.

I'm running Windows XP home on a cable connection behind a netgear router just so everybody knows.

I started up unreal tournament, attempted to find internet games but it kept on saying that the master server could not be resolved. So I quit, and relaunched it, after I started tetherreal so I could see the hostname for the master server so I could ping it to see if it was up. As this was happening, my CPU usage shot to 100%, the computer was lagging really badly and packets other than the typical Unreal UDP flurry were being seen.

The one that caught my eye was a packet that said nothing other than Malformed Packet and under the payload it just said "RX". I thought this to be odd, so I hit ctrl+alt+delete and noticed under the process list that the normal processes (SYSTEM, LOCAL SERVICE, USERS, etc.) were all blank, right as I noticed this the screen "flashed" to the WinXP classic theme, then back to my normal screen.

OK, now I'm in full defense mode, I'm jotting down IP's from tethereal, quit unreal tournament, and pulled my ethernet cable. Upon closer investigation by checking eventviewer. I noticed a couple interesting (but troubling at the same time) things.

I'll include these in order the time they happend.

From the security event viewer, these I suspect these events to be the particularly malicious events.

@7:28:58
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0xF92C)
Logon Type: 3

@7:28:59
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.

Logon Process Name: RASMAN

@7:28:59
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.

Logon Process Name: CHAP

User logoff with the name Anonomyous Logon? RASMAN, CHAP? It gets better. At this point I rebooted like a dumbass.

then found this stuff. all in the startup process or an automated atack, I'm not sure as I wasnt paying attention to the clock when I rebooted.

@7:41:37
1)Windows is starting up.
2)An authentication package has been loaded by the Local Security Authority. This authentication package will be used to authenticate logon attempts.
Authentication Package Name: C:\WINDOWS\system32\LSASRV.dll : Negotiate
3)Authentication Package Name: C:\WINDOWS\system32\kerberos.dll : Kerberos
4)Authentication Package Name: C:\WINDOWS\system32\msv1_0.dll : NTLM
5)Authentication Package Name: C:\WINDOWS\system32\schannel.dll : Microsoft Unified Security Protocol Provider
6)Authentication Package Name: C:\WINDOWS\system32\schannel.dll : Schannel
7)Authentication Package Name: C:\WINDOWS\system32\wdigest.dll : WDigest
8) Authentication Package Name: C:\WINDOWS\system32\msv1_0.dll : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
9)A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.

Logon Process Name: KSecDD
10)Logon Process Name: Winlogon
11)Logon Process Name: Winlogon\MSGina
12)Audit Policy Change:
New Policy:
Success Failure
+ + Logon/Logoff
- - Object Access
- - Privilege Use
+ + Account Management
+ + Policy Change
+ + System
- - Detailed Tracking
- - Directory Service Access
+ + Account Logon

Changed By:
User Name: DELL8200$ <<My computers name is "DELL8200" no "$" sign???
Domain Name: MSHOME
Logon ID: (0x0,0x3E7)

THen I believe this to be the "takeover"

Successful Network Logon:
User Name: notice how theres no username?
Domain:
Logon ID: (0x0,0xF778)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}

I hope I didnt bore you guys to death with this long thread, I'd really like to know what, if anything has happened here.

This is my newbie take on it.

They sent a fragmented packet (source routed as I have NAT enabled) that =malformed packets
Somehow loaded a bunch of authentication packages.
got authenticated
and logon with a blank username

Help here would be GREATLY appreciated

thanks in advance,
Jonesy

[cheyenne1212]

I also run a Windows XP System and was dumb enough to run it without a firewall. After a while I got to looking at my event logs and saw the same stuff that your are seing. After that I bought a firewall. LOL.

If I had to make a guess I would say that somebody somehow logged on to your computer and possibly created a account for himself that he can remotely log into. I could be wrong thoguh. Check your logs a little bit more and see if anything changed in your system itself. Check and make sure that you have anything to do with remote access turned off.

Were you able to see which port all of this was coming from?

[Vigge]

Ok first of, Im not an expert on NT security, but Ive managed to find some information for you.

--------------------
Service name: RasMan (Remote Access Connection Manager)

The Remote Access Service allows users to dial in to the server. Ensure that
only those users that require remote access are given the RAS Dial in permission. No worries

--------------------
Logon Process Name: CHAP (Challenge Handshake Authentication Protocol)
Seems to have something to do with encryption for dialup. No worries.

--------------------
Logon Process Name: KSecDD
This is the security device driver. No worries.

--------------------
Logon Process: NtLmSsp
For info, check this url: http://msdn.microsoft.com/library/de...urity_9qgg.asp
the logon made to your box seems to have been a null session, and no worries.


All these seems to be system logons which you shouldnt worry about.

With that beeing said, Im still no expert and I could be wrong.

The one that caught my eye was a packet that said nothing other than Malformed Packet and under the payload it just said "RX". I thought this to be odd, so I hit ctrl+alt+delete and noticed under the process list that the normal processes (SYSTEM, LOCAL SERVICE, USERS, etc.) were all blank, right as I noticed this the screen "flashed" to the WinXP classic theme, then back to my normal screen.

This I dont have a clue what it could be. Neither do I have a clue about why your computer suddenly became laggy. OHHH, Wait... Ive got it, you are using a Microsoft OS arent you? oh well that explains it ...Sorry couldnt help myself.

[phishphreek]

Well, the first indication you gave was the flurry of UDP traffic.

As this was happening, my CPU usage shot to 100%, the computer was lagging really badly and packets other than the typical Unreal UDP flurry were being seen.

Bugtraq's vulnerabilty report

Unreal Tournament is a game produced by Epic Games, available for Microsoft Windows and Linux. Network play is supported. A vulnerability has been reported in the server used for network play.

It is possible to use an Unreal Tournament server as an amplifyer in a flooding attack, by transmiting multiple UDP packets with a spoofed victim IP address. The server will make repeated attempts to initiate a connection with the specified address, consuming network resources.

There is an exploit available at the link above.

Here is an article where Unreal says they will fix the problem. I have yet to find a patch for it though...

Here are other games that are also vulnerable.

That is just for DoS attack. I didn't see where users could take over the system.

They might have exploited another service running on your machine.
Visit black viper's site to determine if you have services that you don't need. He has great info on Win2k and XP home and pro services guides.

You might have caught them just in time. They might not have had a chance to install a trojan or backdoor. I wouldn't take any chances.
Run the cleaner from moosoft and make sure it is updated. That should remove any viruses. There 30day trial. That should be good enough to clean off any trojans for now.
Also make sure your antivirus software is up2date and do a full scan.
Clean out your startup folder and trim down your services.
Install a firewall. If you already have a firewall... default the rules and start over. Only allow trusted programs. If you don't know what or why something wants to access the net... look it up.
Disable your guest account.
Disable anonymous logon.
Turn on auditing.
Change ALL your passwords, and use strong ones.

I had thought that someone here wrote a good tutorial or linked to a good tutorial on locking down windows XP.

If not... the NSA has a pretty good paper. Though I don't know if I'd use their security policy... I'd create my own. It is here. http://nsa1.<a rel="nofollow" href=".../wxp-1.pdf</a>

Here is a site that gives some general lockdown policies. It is written by .mil so you should be kind of safe. I wouldn't trust just that though... We have seen time and time again their networks being cracked/defaced.

Maybe you can get a mod to move it to a security forum so it'll show up on the main page. You will get more replies there.

[hatebreed2000]

what phish said hit it right on the head, they were having major problems at one point with this problem you can find a fix here http://www.shugashack.com/onearticle.x/21586/
i dual-boot with XP and even with a firewall and all of blackvipers service hacks your still gonna see NTLM logs up the ass, it stands for NT LanMan, and its the server for telnet, 9x and below only come with the client but M$ was nice enough to include a server for win2k and XP.as for rasman and chap, theres really no worries do to the fact that they are system process, they are gonna run regardless, and just because they show up in the logs doesnt mean anything as long as you have a firewall (ie outpost) and follow vipers service settings, and i say that because since they are system process they are goin to make attempts to do what it is that they do, but they will not make a outbound connection. i watched my FW/sniffer/security logs for some time after securing my box and came to the conclusion above.....it will still come up...why? i dont know but there will be no connections made providing you have everything setup properly. hope i helped in some way, take it easy.

btw i know on that site it says that it is for win2k and for servers only, blah blah blah...but trust the word of a UT fanatic, youll be fine i have it on my machine and have had no probs, and i know at least 6 others who run XP and have the patch...no probs, just one more thing..if you ever put linux on your comp and decide you want to put UT on there but worry about this problem comin up again get the patch here
http://ut.abfackeln.com/asu.html </rant>

[Tiger Shark]

Jonesy: I think you are fine. the Dell2800$ is the login account of your machine itself. I see it a lot on our network under win2k and the kernels are basically identical.

All the services that started are normal so nothing seems to have fired up in the background. The one thing that is odd is the audit policy change. Are you sure you haven't changed that in the past? If you didn't I think it is unusual since were it a hack it has left logon/logoff, account management etc. running. If I had hacked your box I would almost certainly want all logging turned off, period. That leads me to believe that you or someone with physical access has changed something.

[Lv4]

just to clarify something, any time you see something ending with $ on a MS machine it means administrative account/access. If you look you will see that you have a c$ share on your system even if you don't have any real shares set up, it's what the OS uses to access stuff with. You will usually see an account with the machine name ending in $ to do OS based stuff that needs administrative access of some sorts. Like Tiger Shark says, nothing to be worried about there.

You might get worried though if you see someone connected to your c$ with an account that you didn't create

[CXGJarrod]

Does the Netgear router have a firewall built into it? Also, do you have the latest firmware updates?

[Tiger Shark]

Originally posted here by CXGJarrod
Does the Netgear router have a firewall built into it? Also, do you have the latest firmware updates?

I believe all the netgear _routers_ use NAT and in the default config there is no pass-through of ports.

[DeadCr0w]

Originally posted here by Tiger Shark


I believe all the netgear _routers_ use NAT and in the default config there is no pass-through of ports.

That's true but the thing is it can be changed if he didn't change the default 1234 password.