-
April 7th, 2003, 11:30 PM
#51
Senior Member
Alright guys, here is the update on this problem. I have gotten back from spring break and have been keeping tabs on them for the past couple weeks. Looks like they have stopped doing their crap. The only thing they have been doing is downloading crap from Kazaa, which two of the three stopped doing. So now the only thing left is to put on a filter that won't allow Kazaa to connect. Well, thanks a lot guys. You all really helped me out a lot. I couldn't have done it without you all. Thanks a million.
The only four things I need are food, water, a computer, and the internet.
-
April 8th, 2003, 06:49 AM
#52
Junior Member
Does your school not have a computer department? We have 4 guys at our school that would be working on this...ok not that me and my friends would not wanna help?
oops didn't finish reading the thread...well then I guess that your school is happy to have you...sorry again
-
April 8th, 2003, 04:51 PM
#53
Suggestion
Here's a great one.
Install an antivirus such as Norton or any anti-backdoor/trojan tool (set audible alert).
I would suggest using a WAV of Iron Butterfly's In-A-Gadda-Da-Vida.
Turn the volume on the PC up full (speaker/desktop volume/output volume).
Disable all the sounds on the machine other than the alert noise for the virus (if it uses Windows default sounds).
When they try to install the trojan the antivirus will play the noise and you catch 'em in the act.
This is how we caught some malicious users at my employer's.
Was rather funny watching them trying to work out why In-A-Gadda-Da-Vida (theme from Manhunter) was playing.
-
April 8th, 2003, 06:20 PM
#54
Junior Member
Re: Suggestion
Originally posted here by mark_boyle2002
Here's a great one.
Install an antivirus such as Norton or any anti-backdoor/trojan tool (set audible alert).
I would suggest using a WAV of Iron Butterfly's In-A-Gadda-Da-Vida.
Turn the volume on the PC up full (speaker/desktop volume/output volume).
Disable all the sounds on the machine other than the alert noise for the virus (if it uses Windows default sounds).
When they try to install the trojan the antivirus will play the noise and you catch 'em in the act.
This is how we caught some malicious users at my employer's.
Was rather funny watching them trying to work out why In-A-Gadda-Da-Vida (theme from Manhunter) was playing.
Good idea, but what if they disable the virus scanner first (most will, before the virus scan deletes the trojan)?
-
April 9th, 2003, 11:51 AM
#55
Suggestion Part 2
Use an API program such as API Spy or API Detective to hide the services or processes being run by the antivirus programs.
I think the class is #32770 + hwnd to hide Norton.
M
-
April 9th, 2003, 03:13 PM
#56
I always say this. Total security is impossible.
You can lock down a box as much as possible, usually it's from 'outside' packets. But when it's on your own network the rules change and bend slightly. Now, if it's impossible to stop hackers from outside your network, you have even less chance of doing it on your own... so I can't really offer you any more help except that which has already been given.
So here is my saying:
If someone really wants to get into your system, then they are a-coming....and there's not a damn thing you can do about it
Hope you solve your problem soon
- Trying is the first step towards failure. The moral is never try.
- It's like something out of that twilighty show about that zone.
----Homer J Simpson----
-
April 9th, 2003, 05:10 PM
#57
Madseel,
There are many posts in that thread; maybe the following idea has already been mentioned, tell me and I'll remove the post.
The idea is based on the assumption that you "own" the PCs the script kiddies are messing around from.
You could install some IDS (like WINSNORT http://www.snort.org/dl/binaries/win32/) on several PCs that might be used. The point is that thanks to Snort you'll be able to set it up to detect, in near real time, that a chap is messing around.
To do that you need to centralize logs & alerts on a safe PC.
You can do that by scanning the log files periodically or by being dynamically alerted when an event occurs.
Thanks to the IP address you'll be able to detect the PC from which the attack is launched & catch the bad guys.
SHARING KNOWLEDGE
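The periodic log scan suggested in post #57, as an added example that is not part of the original thread: it parses alert lines in Snort's "fast" one-line format, collected on the safe PC, and lists lab machines that are the source of repeated alerts. The subnet, rule names, SIDs and log lines are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in Snort "fast" alert format (not real logs).
SAMPLE_ALERTS = """\
04/09-10:02:11.345678  [**] [1:1000001:1] LAB constructed rule A [**] [Classification: Misc activity] [Priority: 1] {TCP} 192.168.10.23:1045 -> 192.168.10.40:5000
04/09-10:02:15.101010  [**] [1:1000001:1] LAB constructed rule A [**] [Classification: Misc activity] [Priority: 1] {TCP} 192.168.10.23:1046 -> 192.168.10.41:5000
04/09-10:03:02.000100  [**] [1:1000002:1] LAB constructed rule B [**] [Priority: 2] {ICMP} 192.168.10.23 -> 192.168.10.1
04/09-10:15:40.222222  [**] [1:1000001:1] LAB constructed rule A [**] [Priority: 1] {TCP} 192.168.10.57:2001 -> 192.168.10.40:5000
04/09-10:20:00.000000  [**] [1:1000002:1] LAB constructed rule B [**] [Priority: 2] {TCP} 203.0.113.9:4444 -> 192.168.10.40:80
04/09-10:21:00.000000  [**] truncated line
"""

# timestamp, [gid:sid:rev], message, protocol, source and destination (ports optional)
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

def parse_alerts(text):
    """Return (alerts, skipped): parsed dicts and the count of unparseable lines."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
        else:
            skipped += 1  # keep a count so damaged or tampered logs are noticed
    return alerts, skipped

def lab_sources(alerts, lab_net, min_alerts=2):
    """Group alerts by source IP inside lab_net; keep sources with repeated alerts."""
    net, per_src = ip_network(lab_net), {}
    for a in alerts:
        if ip_address(a["src"]) not in net:
            continue  # only machines we own can be mapped to a seat in the lab
        rec = per_src.setdefault(a["src"], {"count": 0, "first": a["ts"],
                                            "targets": set(), "rules": set()})
        rec["count"] += 1
        rec["last"] = a["ts"]  # log is append-ordered, so the last seen is the latest
        rec["targets"].add(a["dst"])
        rec["rules"].add(a["msg"])
    return {s: r for s, r in per_src.items() if r["count"] >= min_alerts}

if __name__ == "__main__":
    alerts, skipped = parse_alerts(SAMPLE_ALERTS)
    print(skipped, "unparseable;", lab_sources(alerts, "192.168.10.0/24"))
```

The first and last timestamps per source are what would be matched against who was sitting at that PC.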
-
April 9th, 2003, 07:50 PM
#58
I was a tech at my school system a few summers back, and the bottom line is - as has been said before - you really can't secure 98 anywhere close to completely, and if your network admin isn't in on it, the situation's hopeless.
I was also one of those type kids that you're having trouble with now, always messin' with the network. And I found out the easy way that if your net admin isn't paying attention to security, anyone can own the network, as we did. We had netbus running on so many computers it wasn't funny, and we kept a list on the network's NT 4 server! (This is all before we even knew the physical location of the server, all through stupid default config IIS stuff.) On which we also had napster running as a system service (don't ask me how we did it, my friend set it up and I've since forgotten how). When I got bored in some classes, I would make a CD-ROM tray open in some random classroom or something. I suck!
Anyways, my point: If your sys admin isn't in on it... i.e. willing to upgrade Windows, which costs an absurd amount, all you're ever gonna be doing is playing games with the malicious guys, so have fun with it!
Or you could surprise us all and make a custom prog that would secure Windows 98, but I wouldn't recommend trying.
-
April 10th, 2003, 12:52 AM
#59
Senior Member
Originally posted here by Madseel
Thanks. But how can you set up netcat to run when the computer restarts? The computers are restarted every day and I don't want them to know it was me catching them.
You can also add it to the registry. Autoexec.bat will work like a charm as mentioned but it is one place most people look to disable stuff from running. You have to know the registry key to look when you put it into the reg.
On the other hand you can also F-Up the system if you don't do it right...
Originally posted here by Madseel
Alright, here is what I have done so far.
I installed the logger program that hatebreed2000 recommended.
I opened up the sub7 program they were using and got the IPs that they had been connecting to.
I then scanned the network for any other server files that weren't on the sub7 drop-down menu.
I've recommended to my teacher to put some sort of cam facing the computers that those guys use to show that they were on it at that time.
I tried the tightVNC Maverick811 recommended but couldn't get the icon on the system tray to go away so I erased it. Anyone know of any other program or steps to take to get them?
Oh, and it is a computer lab.
Thanks for your guys' help so far. Now I have to wait till after spring break to see if it goes successfully.
Try using the RAdmin remote control program. There is also a setting to remove the icon from the SYSTRAY.
Have to admit, since they have seemed to stop doing what they are doing, then in one way you have won. In another way, they just stopped, so they kind of won 'cause they never got caught 'red handed'. Anyway, all in all, bet you learned a few things from this exercise, which is the nature of the game here.
My other Computer is a 4000 node Beowulf Custer
-
April 10th, 2003, 05:25 AM
#60
Junior Member
My school uses FoolProof to prevent malicious use and Altiris Vision to monitor what users are doing.
There's also some physical hardware in the box to keep users from making any permanent changes to the drive.