
Thread: puzzled - tough security issue

  1. #31
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    All that spyware protection and you still get partypoker installed. Lmao.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  2. #32
    Senior Member
    Join Date
    Sep 2005
    Posts
    221
    What's "Red Chair Software" ?

    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\PivX\PreEmpt\loadsvc.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\PivX\PreEmpt\PreEmptST.exe
    C:\Program Files\PivX\PreView\preview.exe
    C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe

    All of these I wonder about.

    Also, if you're talking to the police, you're talking to the wrong guys. Cyber-crimes are the domain of the FBI, as they can very easily become inter-state when not international.

    Now, let me summarize and let me see if I've got it right.

    1) You (are male?) have a female friend, and have been friends with her for a very long time.
    2) She started receiving emails about stuff you did (true or not).
    3) You realized that someone was monitoring your actions.
    4) You contacted your ISP and the local authorities, who have all been useless.
    5) What you do at work is safe, unless you email yourself at home.
    6) You have reformatted, and you have been told it made him angry (so you know it's a guy), and you are still being monitored.
    7) Local authorities have run a trace on the guy and found several different IPs.
    8) You have changed country and are still being monitored.

    Question: when did you realize someone was monitoring your actions?
    Question: are you the only person who is being monitored?
    Question: who reported to you that he became very angry?
    Question: is your name Dr. Jekyll?
    Definitions: Hacker vs. Cracker
    Gentoo Linux user, which probably says a lot about me..
    AGA member 14460 || KGS : Trevoke and games archived

  3. #33
    Junior Member
    Join Date
    May 2002
    Posts
    17
    Possibly you could have a rootkit or IRC zombie, both of which will not be picked up by any scanner.
    Also the culprit might be using what is called port knocking. If you have a rootkit installed it might respond to a port knock and your firewall will not detect it.

    Get sysinternals Rootkit Revealer. Anything that looks funny do some digging.

    Also just as a heads up turning on the built in Windows XP firewall exposes more ports, and it doesn't notify you if there is activity.

  4. #34
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Morgan: Thank you my dear.....

    Foxy: you beat me to it.

    Rope: Do me a favor. Stop everything on this box. I mean everything. Take the box down to the absolute essentials for the box to run. Do this by going to safe mode with network support.

    Then start sending a bunch of emails that are guaranteed to get the stalker to react.

    If you get a reaction then we are down to external monitoring or a rootkit, period.

    [EDIT]

    If you have a rootkit installed it might respond to a port knock and your firewall will not detect it.
    Er... Say what????? In order for what you are saying to work the rootkit would have to be installed on the Linksys firewall. For the port knocking to be working on his computer he would have to have the port(s) for the knocking forwarded from the Linksys to his box or his box will never "hear" the knock. If he has forwarded the knock port(s) to his box then we are all wasting our time......

    [/EDIT]
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #35
    Senior Member
    Join Date
    Sep 2005
    Posts
    221
    Tiger shark: are you *positive* ? I would recommend that he use msconfig (assuming he has WinXP, which from the look of his log, he does) when he gets to safe mode just to make sure that odd software isn't being launched either way.
    Definitions: Hacker vs. Cracker
    Gentoo Linux user, which probably says a lot about me..
    AGA member 14460 || KGS : Trevoke and games archived

  6. #36
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Trevoke: Yep, I'm pretty damn sure. Why?

    If he has a subverted application in that great big long list he has in the HijackThis log then it won't be loaded in safe mode. A subverted application is not a rootkit, but by removing all the applications that are unnecessary we can be sure that it isn't a subverted app that is the issue.

    This leaves two possibilities:

    A rootkit hiding itself within the OS, and thus indicating a kernel level rootkit. The problem with this is that on Windows kernel level rootkits are few and far between due to their complexity, thus making the possibility of this being the culprit low.

    External monitoring. Remembering that the linksys is "external" in my mind as is looking in his sent items on one of his email accounts. This is the most likely scenario if the culprit isn't a subverted app.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #37
    Senior Member
    Join Date
    Sep 2005
    Posts
    221
    Shark: Some applications still get launched in safe mode, though. I don't have concrete evidence that spy/malware has evolved to the point that some do get launched in Safe Mode, but especially in this thread, more paranoia == good.
    Definitions: Hacker vs. Cracker
    Gentoo Linux user, which probably says a lot about me..
    AGA member 14460 || KGS : Trevoke and games archived

  8. #38
    Junior Member
    Join Date
    Nov 2005
    Posts
    9
    Ok, I'll start on this asap..

    trevoke..

    Red Chair Software is Anapod Explorer, just an iPod util to transfer to/from the iPod
    PreEmpt/PreView are system hardening utils...
    wmiapsrv.exe according to Google seems to be harmless
    nod32 is Eset NOD32 antivirus
    alg has always been there
    wdfmgr.exe is Windows Media Player 10 stuff

    "Also, if you're talking to the police, you're talking to the wrong guys. Cyber-crimes are the domain of the FBI, as they can very easily become inter-state when not international"

    I believe the latter are involved as well.

    1) Correct, I am male and yes, we've been friends for a very long time
    2) True, but it seemed to be triggered by a mass mailing virus I received in a web account about 2 years ago and just got worse after that..
    3) Only when my web-based mail accounts were getting compromised and she obviously received mails based on surfing activities..
    4) ISP has been particularly slow and unhelpful; the authorities just keep all the info to themselves because from their point of view I am prob a suspect, which concerns me greatly.
    5) From what I have seen, EXCEPT if I use an IM service, that seems to be particularly vulnerable wherever you are. I guess he/they can monitor the other contacts and see when I come on even if I change my account and re-add them, so I have stopped IM completely.

    6) Yes, I was told it made him/them angry; "him" is an assumption but it could be a woman, I don't know. My only conclusion is he has inserted something into this machine for monitoring purposes..

    7) Correct
    8) Correct

    Realized about a year ago. Thinking this was just a simple case of some kid playing around with my machine, I began adding more and more software - trying different firewalls etc. thinking it would help, trying to narrow down the problem with no extra information and so on. Thought it was a virus, trojan etc., looked at ports and so on. I'm not an expert in this field at all but I do work on computers so thought I could handle this - naive, I know. Authorities got involved when the threats in the mails became more severe. I still don't know what exactly is being sent to her but all I do know is that it is pretty scary stuff and I want it to stop.

    I don't know if I am the only person that is being monitored; he hasn't touched any of her other friends who I speak to online now and again either, and none of my friends or work friends have been affected by this. He has just singled her out.

    She reported it to me after I had formatted my machine that he/they were angry.

    No, my name is not Dr Jekyll. One of my friends asked in jest did I 'sleep-hack' at night, but obviously I don't! I wouldn't be asking for help if I was doing any of this and I just want a resolution to it because it is way out there. This is really quite disturbing that someone will go to these lengths to make a couple of people feel quite miserable.

  9. #39
    Senior Member
    Join Date
    Sep 2005
    Posts
    221
    So your friend told you that the cracker was angry? I gather she received that via email?
    I certainly hope she has kept all the emails, because I would just love to see those headers (and I'm sure the authorities would as well).
    Do what Tiger Shark has recommended, it's a very wise idea.

    We'll discuss putting the blame on someone after we figure out what's happening.
    Definitions: Hacker vs. Cracker
    Gentoo Linux user, which probably says a lot about me..
    AGA member 14460 || KGS : Trevoke and games archived

  10. #40
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Are you sending this information to us from the network/computer that we believe is being monitored?

    If so, I'd say that was a pretty bad idea.....

    Do the safe mode thing - even if Trevoke is right that some other apps may be loaded, which I doubt unless we are talking a rootkit, it will eliminate all that stuff you have running as the culprit. While you are in safe mode run taskmgr and let's see what is running.

    I have a horrible feeling that the msmsgrs.exe might be your problem - especially since you say you have stopped IMing.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
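The triage the thread converges on (post #32's process list, post #38's identification of each entry, and Tiger Shark's safe-mode elimination in posts #36 and #40) boils down to two questions per process: can someone vouch for it, and does it still run once the normal autostart hooks are out of the picture? The script below is an added example, not code from the thread or any poster. It takes the page's own process list as the vouched allowlist, adds two constructed entries (`MASQ_PATH`, a file with a Windows system-binary name sitting in a temp folder, and `UNKNOWN_PATH`), and compares a constructed normal-boot listing with a constructed safe-mode listing. The sample listings and the `SYSTEM_BINARY_NAMES` set are my assumptions for illustration; Task Manager or a HijackThis log would supply the real paths.

```python
import ntpath

# Process paths the posters identified as legitimate (taken from the thread's
# own list). Treated as a vouched allowlist for this example only.
VOUCHED = {
    r"C:\WINDOWS\system32\inetsrv\inetinfo.exe",
    r"C:\Program Files\Eset\nod32krn.exe",
    r"C:\Program Files\PivX\PreEmpt\loadsvc.exe",
    r"C:\WINDOWS\system32\wdfmgr.exe",
    r"C:\WINDOWS\System32\alg.exe",
    r"C:\Program Files\Eset\nod32kui.exe",
    r"C:\Program Files\PivX\PreEmpt\PreEmptST.exe",
    r"C:\Program Files\PivX\PreView\preview.exe",
    r"C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe",
    r"C:\WINDOWS\System32\wbem\wmiapsrv.exe",
}

SYSTEM_DIR = r"C:\WINDOWS\system32"
# Names of Windows binaries that malware commonly borrows to blend in.
# The same name *outside* the system directory is a red flag (assumed set).
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "alg.exe", "winlogon.exe"}

# Constructed sample entries (not from the thread).
MASQ_PATH = r"C:\Documents and Settings\rope\Local Settings\Temp\svchost.exe"
UNKNOWN_PATH = r"C:\Program Files\Common Files\updater\ud.exe"


def norm(path):
    """Case-fold and normalise a Windows path; ntpath works on any host OS."""
    return ntpath.normcase(ntpath.normpath(path))


def classify(path, vouched=VOUCHED):
    """vouched | masquerade | system-dir | unknown, in that priority order."""
    p = norm(path)
    if p in {norm(v) for v in vouched}:
        return "vouched"
    in_system_dir = p.startswith(norm(SYSTEM_DIR) + "\\")
    if ntpath.basename(p) in SYSTEM_BINARY_NAMES and not in_system_dir:
        return "masquerade"
    if in_system_dir:
        return "system-dir"
    return "unknown"


def triage(normal_listing, safe_mode_listing, vouched=VOUCHED):
    """Combine classification with the safe-mode test: a process that is still
    running in safe mode was not started by the usual autostart hooks, so the
    'subverted app' explanation no longer covers it."""
    safe = {norm(p) for p in safe_mode_listing}
    report = {}
    for raw in set(normal_listing) | set(safe_mode_listing):
        p = norm(raw)
        report[p] = {"class": classify(raw, vouched), "runs_in_safe_mode": p in safe}
    return report


def worth_digging_into(report):
    """Unexplained processes, ordered so that those surviving safe mode come first."""
    suspicious = [(p, i) for p, i in report.items() if i["class"] in ("masquerade", "unknown")]
    suspicious.sort(key=lambda item: (not item[1]["runs_in_safe_mode"], item[0]))
    return [p for p, _ in suspicious]


# Constructed listings: a normal boot shows everything; in safe mode with
# networking the third-party apps are gone but the masquerading file persists.
NORMAL_LISTING = sorted(VOUCHED) + [MASQ_PATH, UNKNOWN_PATH]
SAFE_MODE_LISTING = [r"C:\WINDOWS\System32\alg.exe", MASQ_PATH]

if __name__ == "__main__":
    rep = triage(NORMAL_LISTING, SAFE_MODE_LISTING)
    for p in worth_digging_into(rep):
        print(f"{rep[p]['class']:<11} safe-mode={rep[p]['runs_in_safe_mode']!s:<5} {p}")
```

The ordering matters more than the labels: an unexplained binary that is still running in safe mode is exactly the case Tiger Shark says leaves only a rootkit or external monitoring, so it goes to the top of the list, while an unknown entry that disappears in safe mode is a candidate for the "subverted app" explanation and can be checked against its vendor first.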
