Computer joined the UN w/o me - logged 12,600 events


Guest

Hi, First of all, apologies to Phillip for the TEST message yesterday. It was the first time I had been able to get out since Friday and I didn't want to type yet another message until I knew it would post. And no, that isn't my email addy.

WinXP Home SP1, (in a residence) Dell 4600c (refurb), 266 MHz, 256 MB RAM, 40 GB HD, BEFSR41 Router w/WallWatcher attached (but nobody else doing ICS), set up 1/16/04. WU as of 2/11 said all criticals were installed. Office 2000 SP3 w/criticals installed. Norton A/V updated daily. But something still didn't feel right. Baseline Analyzer on Tues/18 said I was missing criticals MS02-050, 054, 072, 030, 051. All else was good except I was using my admin acct as a user, and I needed MSXML security updates 3.0 and 4.0. I didn't even know about those!!!??

WallWatcher started going crazy Fri/20. Logged 1,541 incoming and outgoing events, WW was off for 4 hours, and only 615 of them were out. Sat/21 had 5,547 events, only 840 out. Sun/22 2,930 events, 447 out. Most incoming were on Port 1214 and I don't have any p2p sharing. Then I noticed that many of the converted IP addresses were not from the US. Put my hands on a country code list and there were 30+ different countries represented. Also, 40 GB HD only had 10 GB free space and memory was critical. I came here Sat to post a "what is this" question, as Norton, Spybot, Ad-Aware all said A-OK. Kept crashing just as I would click "send".

In fairly rapid order I discovered that CD burner was disabled, (no floppy drive), email attachments were wiped clean except for 1st page, and I was no longer the admin of my domain, so to speak. Admin tools showed a whole bunch of stuff in COM+ that I didn't do, apps and system event logs were full of errors and security log had numerous password failures on my acct and a friend's admin acct. Excel & Access going to COM+. Error 4609 that a file on d:\nt\com1x\src\events\tier1\eventsystemobj.cpp had a bad code return. D:\??? I only have a C=HD and a D=CDRW+DVD. Error 4689 about the CUSTOM components, also on D:\. I have no admin rights. Can't stop or start services. Booting up in safe mode did not fix the problem. Pulled DSL and plugged in later. The UN had not gone away.

Went to neighbor's house to borrow computer to try to reach ISP (Earthlink). Neighbor, who also has Earthlink DSL and same router, had the same COM+ components w/o his knowledge, but according to his limited router log did not have the UN knocking, yet.

Called CERT on Monday/23 (2,249 total events, 441 out, DSL only on half the day). They asked for logs and by using a different domain email account, I got them to CERT. Never did reach Earthlink, but what else is new? Monday night, without my help, admin rights came back. All of my files are dated Mon/23 between 11:30 AM and 8:?? PM and there is a lot of info, but nothing that makes sense to me????? I have lots of info I think, but I'm not sure what is pertinent or not. Now have 27.9 GB free HD space, but still have 45 processes going. Not sure how to interpret F-Port or TCPView. Stuff is still in COM+.

What do you all think? Can lightning strike twice? The Chinese Gov't hijacked our office DSL in 2001 MayDay incident and used it to hack into a UK university. Earthlink called me that time..so did the FBI.

TIA, Carol
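The post above reports router-log counts by hand (events per day, how many were outbound, the dominant inbound port). Below is an added example, not part of the original thread, of reducing such a log to the few numbers that matter for triage. The line format, the sample lines and the LAN prefix 192.168.1.0/24 are all constructed for the example; the real WallWatcher/BEFSR41 format differs, so the parser would need adjusting. Port 1214 is the default Kazaa/FastTrack port, which is why a PC that runs no P2P client still sees inbound hits there: peers and scanners probe it regardless. The two derived signals (outbound traffic on a port the host is also being probed on, and "talkback" to an address that probed it) are the kind of thing that separates background noise from a host that is actually participating.

```python
"""Firewall-log triage, an added illustration not taken from the thread.

The line format is constructed for this example and is NOT the real
WallWatcher or Linksys BEFSR41 log format:
    YYYY-MM-DD HH:MM:SS src_ip src_port dst_ip dst_port proto
Direction is derived from which end of the connection sits in the LAN prefix.
"""
from collections import Counter, defaultdict
import ipaddress

# Constructed sample lines (not real traffic from the thread).
SAMPLE_LOG = """\
2004-02-20 08:01:12 61.144.23.9    3421 192.168.1.101  1214 TCP
2004-02-20 08:01:13 61.144.23.9    3422 192.168.1.101  1214 TCP
2004-02-20 08:02:40 192.168.1.101  1052 207.46.134.155 80   TCP
2004-02-20 08:03:01 200.55.12.77   2235 192.168.1.101  1214 TCP
2004-02-20 08:04:19 81.2.69.142    1107 192.168.1.101  135  TCP
2004-02-20 08:05:00 192.168.1.101  1053 80.58.33.9     1214 TCP
2004-02-21 09:10:05 24.6.91.200    4411 192.168.1.101  1214 TCP
2004-02-21 09:11:30 24.6.91.200    4412 192.168.1.101  445  TCP
2004-02-21 09:12:00 192.168.1.101  1060 24.6.91.200    1214 TCP
garbage line that should be skipped
"""

# Services a practitioner would recognise on these ports; the example assumes
# the home PC intentionally runs none of them.
PORT_HINTS = {135: "MS RPC/DCOM", 139: "NetBIOS", 445: "SMB",
              1214: "Kazaa/FastTrack P2P"}


def parse_line(line):
    """Return a record dict, or None for a line that does not fit the format."""
    f = line.split()
    if len(f) != 7:
        return None
    try:
        return {"date": f[0], "time": f[1],
                "src": ipaddress.ip_address(f[2]), "sport": int(f[3]),
                "dst": ipaddress.ip_address(f[4]), "dport": int(f[5]),
                "proto": f[6]}
    except ValueError:  # malformed address or port
        return None


def triage(log_text, lan="192.168.1.0/24"):
    """Summarise per-day direction counts, top inbound ports and two suspicious signals."""
    lan_net = ipaddress.ip_network(lan)
    per_day = defaultdict(lambda: {"in": 0, "out": 0})
    inbound_ports, inbound_sources = Counter(), Counter()
    outbound_ports, outbound_peers = Counter(), Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["src"] in lan_net:           # LAN host initiated: outbound
            per_day[rec["date"]]["out"] += 1
            outbound_ports[rec["dport"]] += 1
            outbound_peers[str(rec["dst"])] += 1
        else:                               # Internet host initiated: inbound
            per_day[rec["date"]]["in"] += 1
            inbound_ports[rec["dport"]] += 1
            inbound_sources[str(rec["src"])] += 1
    # Signal 1: outbound traffic on a recognised port the host is also being
    # probed on, when the owner runs no such service (e.g. an uninstalled P2P client).
    suspicious_outbound = {p: n for p, n in outbound_ports.items()
                           if p in PORT_HINTS and inbound_ports[p]}
    # Signal 2: "talkback", the LAN host connecting out to an address that probed it.
    talkback = {ip: n for ip, n in outbound_peers.items() if ip in inbound_sources}
    return {
        "per_day": {d: dict(c) for d, c in sorted(per_day.items())},
        "top_inbound_ports": [(p, n, PORT_HINTS.get(p, "?"))
                              for p, n in inbound_ports.most_common(3)],
        "unique_inbound_sources": len(inbound_sources),
        "suspicious_outbound": suspicious_outbound,
        "talkback": talkback,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample data the inbound side is almost all port 1214 from four distinct addresses, which by itself is just Internet background noise; what would actually merit the rebuild Roger recommends is the outbound half: two connections out on 1214 and one back to an address that had just scanned the host.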
 

Roger Abell

Can lightning strike twice ?
Yes.
And compared to real lightning, with comp systems it is
actually more likely than less.

It seems that you have two issues: determining the immediate
course of action, and the longer-term, based on a post-mortem
of this.

The immediate is to get to a known good, and controlled, state.
This likely means rebuilding fresh. Hopefully when you said
"master of my domain" you did not mean you have lost verifiability
of control and command over a Windows domain. Big rebuild.

Whether to keep the main compromised system intact for forensics
and/or post-mortem probably depends on how critical that machine
is and the simplicity of replacing it. If it is kept intact, don't feed it
a network wire. Without having the machine intact, you may lose
much in the way of ability to learn about the weaknesses used and
will lose all ability to assist externals in forensics about the event.

One way or another, you do need to address the longer-term issue
of preventing this from happening again. You need to determine
where the weak points were / are. From your listing you have done
a number of things right. But there is something not done. Finding
this/these is not simple. For example, does your router/firewall
have known weaknesses, service releases, etc.?


--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
 
