
Thread: My aunt has been hacked and..

  1. #1
    Senior Member Raion's Avatar
    Join Date
    Dec 2003
    Location
    New York, New York
    Posts
    1,299

    Question My aunt has been hacked and..

    Ok, I was at my grandmother's house today and my aunt was there and she started explaining to me that her computer has some problem (she's computer illiterate). Well, the hacker first started out by, whenever she would connect to the internet (through a dial-up modem), the computer would shut down. Then one day she finished using the computer and went to shut down and XP told her that she could not shut down because someone else was using the computer at the moment; that's when she started getting suspicious. The reason for this was because the hacker created an account (which she later found out when she turned her comp back on the next day).

    I wanted to gather some info before I go to her house to fix the problem (it's a 2 hour drive). The only info I have is the one she gave me. And also when she gets on she can only last 15 mins on before the comp shuts down. So when I get over there I'm planning to first run search and destroy and all those other programs you people always mention (I'm going to burn it on a CD-RW), since I think that she has some program installed which is telling the attacker her IP whenever she gets on. But before this I plan on doing a netstat till I get disconnected to see what hostnames are connected to the computer to then later find out the IP and whois it (if the attacker isn't using a proxy, which I doubt they wouldn't be).

    Then I plan on reporting the hostname/IP to the ISP (don't know if they can actually do anything about it but worth a shot), then changing her account password, since she has it saved on her comp the attacker probably knows it. Then I plan on removing the created account and changing her password on the XP accounts and adding an Administrative account to create less access for her normal accounts (she doesn't have an Administrative account, instead all of her accounts have administrative powers). So I wanted to know what you people think I should do besides what I have mentioned. Thank you for your time.
    WARNING: THIS SIGNATURE IS SHAREWARE PLEASE REGISTER THIS SIGNATURE BY SENDING ME MONEY TO SEE THE COMPLETE SIGNATURE!

  2. #2
    The netstat idea sounds good and it sounds like you've almost got everything, but maybe if you install a firewall as soon as you get onto the computer this could block the hacker? Here's a link to a Sygate one:

    Sygate

    Also if you get this installed you can go to the site from the Sygate firewall menu and there's the option of doing several scans on different parts of the PC to test for weaknesses.

    I'm no expert here, a newbie myself, but I think that if you install a good antivirus, and also delete whatever temporary internet files are there, you might block the hacker's access.

    Obviously though it depends on what you want to do if you don't want them knowing about the netstat you run. I'm sure someone with more knowledge will be here to help soon.
    "What is is not, what is not is - - if this is not yet clear to you, you're still far from the truth."

  3. #3
    @ÞΜĮЙǐЅŦГǻţΩЯ D0pp139an93r's Avatar
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,705
    First thing, keep the computer offline. Run an antivirus scan, then run Spybot, AdAware, and the Cleaner. You should already know about them just from having been here.

    I would advise using Grisoft's AntiVirus. www.grisoft.com It's free, and it's a good AV.

    It goes without saying to delete the hacker's account. Sygate is a good firewall. You need to configure it to explicitly block ports 135, 139, 435, and 439.

    This will eliminate the threat of the RPC exploits that have killed Windows security.

    Apply all MS security updates and have her change all the passwords.

    Let us know how it goes.
    Real security doesn't come with an installer.

  4. #4
    All are very good ideas, however I think that another option would be to format the drive, then reinstall the OS, as you don't know if the person has installed a back door of some type.
    So to make sure that everything is gone, as some programs might miss something or might not detect something, then probably a format of the drive, although it takes the longest, still might be the best option..

    Just a thought anyhow.

    cheers
    ..::front2back::..

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    forget netstat. netstat is often replaced during an attack to conceal the offending address.

    get fport from www.foundstone.com. it's a cmd line app that maps ports to apps and the offending app will not be hidden.

    also get the pstools zip file from www.systernals.com. pslist -t will list the processes running in tree view (-t) and pskill will kill processes that windows can not (pskill <process>) so they can be deleted. look for processes with windows-like names running from non-standard directories, like svchost running from drivers\etc or system32\mui, and names like ntservice running from system32. this is very common. there is no windows file named ntservice but it sounds pretty good and runs from system32 to add to its credibility...kill it, delete it (or rename if you're so inclined)

    run a complete system virus scan, noting which she's infected with, then go and look in the folders that contain them. see what else is there. once a perp has access they usually install legit software that's not detected by av and rename the exe so it's not real obvious in taskman, or run hidden from taskmanager using third party hacker software. some favs are radmin, vnc, serv-u-ftp, could be just about anything.

    when you're finished put a firewall on that alerts you to outgoing connections as well as incoming. i use tiny at home but many do the same thing. connect to the internet and browse for a while to make sure the firewall isn't blocking desired services like dns or an IM server and watch for outgoing alerts. incoming connection attempts are much too common to mean anything.

    when in doubt, reformat

    good luck!


    sorry front2back your post wasn't there when i started writing mine :-)
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
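
The check described in post #5 (Windows-like process names running from non-standard directories, and unfamiliar names sitting directly in system32), as an added example that is not part of the original thread. The process paths, the `C:\WINDOWS` system root and the "clean" system32 baseline are constructed assumptions; a real baseline would be generated from a known-good install.

```python
import ntpath

SYSTEM_ROOT = r"c:\windows"                 # assumption: default XP install path
SYSTEM32 = SYSTEM_ROOT + r"\system32"

# Where well-known Windows system processes normally run from.
EXPECTED_DIR = {name: SYSTEM32 for name in (
    "svchost.exe", "services.exe", "lsass.exe",
    "winlogon.exe", "csrss.exe", "smss.exe")}
EXPECTED_DIR["explorer.exe"] = SYSTEM_ROOT

# Constructed stand-in for a listing of system32 taken from a clean install.
CLEAN_SYSTEM32 = set(EXPECTED_DIR) - {"explorer.exe"} | {"spoolsv.exe", "alg.exe"}

def normalize(path):
    """Lower-case the path and resolve the NT-style prefixes that smss/csrss
    report, so legitimate processes are not flagged by mistake."""
    p = path.strip().strip('"').lower().replace("/", "\\")
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = SYSTEM_ROOT + p[len("\\systemroot"):]
    return ntpath.normpath(p)               # also collapses ..\ segments

def review(paths):
    """Return (normalized_path, reason) for each suspicious executable path."""
    findings = []
    for raw in paths:
        full = normalize(raw)
        folder, exe = ntpath.split(full)
        expected = EXPECTED_DIR.get(exe)
        if expected and folder != expected:
            findings.append((full, "system process name outside its normal directory"))
        elif folder == SYSTEM32 and exe not in CLEAN_SYSTEM32:
            findings.append((full, "file in system32 that is not in the clean baseline"))
    return findings

# Constructed sample: executable paths as a process-listing tool might report them.
SAMPLE = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\drivers\etc\svchost.exe",
    r"C:\WINDOWS\system32\mui\svchost.exe",
    r"C:\WINDOWS\system32\ntservice.exe",
    r"\SystemRoot\System32\smss.exe",
    r"\??\C:\WINDOWS\system32\csrss.exe",
    r"C:\WINDOWS\Explorer.EXE",
]

if __name__ == "__main__":
    for path, reason in review(SAMPLE):
        print(f"{path}: {reason}")
```

A path check like this does not catch the renamed legitimate remote-access tools the post also mentions when they sit in an ordinary program folder; those still need the per-port and per-folder review the post describes.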

  6. #6
    Senior Member
    Join Date
    Jul 2002
    Posts
    117
    Don't forget to check for trojans. Not sure how likely it is, but worth a check anyway. Especially if it appears to be semi-randomly rebooting.

    I'd have to concur with the previous format suggestions. There's no telling what else could be hiding in there that you may miss, especially if these problems have been occurring for a while. It's probably best just to format and start over...not a lot can live through that. Then firewall that bastard!! I'm a Norton fan myself...

    alpha

  7. #7
    Originally posted here by Tedob1
    sorry front2back your post wasn't there when i started writing mine :-)
    Ah it happens mate.

    Anyhow after the problem is fixed I think that it might just be an idea to change your ISP or IP, whichever it is, as the attacker might try to gain root on the box..
    Either that or use some sorta program that would constantly change her ISP number, for instance when she logs onto the net it might be
    *213.54.78.145
    Then it might change to
    *145.78.54.213
    Or something, as there's no sure protection. As there must be something important on her box to make this attacker continuously return, either that or it is a boot virus, where no matter what you do you can't delete the virus, as it activates on startup and like yeah, don't know much on that area, but really I'm grasping at straws to think of possible ideas.

    Anyhow post an update when you can.
    cheers
    .:front2back:.

  8. #8
    Senior Member
    Join Date
    May 2003
    Posts
    159
    If your grandma's PC restarts every 15 minutes it is almost certainly because of a virus .. If I am not wrong it is Lovegate.....

    This virus was very active 6 months back.. It used to restart the PC after prompting...

    It is fairly simple to remove the virus from the system... Give this a try first... Then if the problem still persists... you could think of her PC being hacked....

    Frankly I would see no reasons why anyone would like to break into her PC.. still ask her to check her bandwidth consumption with ISP .. because in case her PC is used as a scapegoat for launching attacks..
    ****** Any man who knows all the answers most likely misunderstood the questions *****

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    BTW it was my aunt that hacked your aunt! :-)
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  10. #10
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    OMG....its an aunt farm/war
    I really think that it would be more of a spyware/virus thing than an actual hack/crack, but you really can't tell until you get there and have a look. Keep us informed please.
    And you let your Aunt out again, Tedob1 ( 8(|)
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown
