Got a hacked computer

Networking/Security Forums -> Computer Forensics and Incident Response

Author: j7 PostPosted: Sat Feb 06, 2010 7:01 am    Post subject: Got a hacked computer

I am pretty sure I have a hacked computer. Windows 7 OS. I found a profile folder named TEMP created on Jan 3, 2010. The folder is c:\users\TEMP

Underneath that folder are the usual folders like AppData, Documents, Music ... etc. But they are all empty.

Now I have lots of questions:

Given that the attacker can create an account, does that mean he has Admin rights ? I checked in Computer Management, the Administrators group consists of 'Administrator' and my admin account. I don't see a user named 'TEMP' in any of the groups.

In Event Viewer, my earliest entry in the Security logs is Jan 22. Because I stupidly forgot to enlarge the log size. Anyways, I can't see him logging in after Jan 22. I found that by filtering the Security log with event ids :4624,4636,4803,4801.

How can I find out HOW he got in? The machine is behind a Checkpoint hardware firewall. And the machine is primarily used for crunching Seti@home workunits. Sometimes I surf a little bit on that machine too, (Opera 10.10 is my browser) But 80% of the time it is running Seti. So did he come in via a vulnerability in Seti ? Seti@home downloads work from their server and reports back results when workunits are done, and a workunit can take up to 1 day to do. So communications is infrequent. In order to bypass the firewall, I understand one can spoof the source address, but this can only work within a short period when Seti@home is actually communicating with the server, am I right ?

In the Event Viewer, I understand event ID 1000 and 1002 are for Application Hang and Application Error. Both custom views show no entries. So Seti@home didn't cough and choke at some point.

I think it is unlikely that the attacker got in through a weakness in Opera. Because I have labeled it a low integrity app, using the tool 'chml'. So it is running in Protected Mode, just like Internet Explorer. And even if he did get a cmd window, he can't run most of Windows' command line tools because of other lock downs that I've made.

Netstat says the listening ports are 135, 49152-49156. Maybe he got in thru those ports? I understand 135 is used by RPC. And I don't know what the other ports are for.

Apart from knowing how he got in, I wish I could dig out some of his tools, if he brought along any. But his folders are empty. Or perhaps he could have hidden them away in alternate data streams ? I don't know how to find ADS items either.

Another question is if he installed a backdoor. Since he created an account, there must be a way of getting back in. How does one find that?

I think this attacker is a smart one, cause he picked a machine that is infrequently used. And usually I just quickly log in once a day to see if Seti@home is ok.

What else should I be doing/looking for?

Author: j7 PostPosted: Sun Feb 07, 2010 5:06 pm    Post subject:
It appears that the attacker wrecks things. Maybe he did that upon my discovery of his intrusion or maybe he wrecked things since he gained entry.

Internet explorer cannot connect to the internet now. And the IE web button to 'diagnose connection problem' also fails with an error: 0x800706BA.

Opera doesn't load properly when set to low integrity. It would appear in task manager running processes, but not show up on screen.

I probably broke forensics rules by attempting to fix these 2 problems. I reinstalled both programs but the problem remains. I have read that one should make a copy of the HD and work from there, but I don't have a spare HD. And procecusion is not the goal, just education.

I also ran an 'undelete' utility to see what was erased, and didnt find any exe's. So the attacker may have been careful not to leave traces.

Forgot to mention above that I use a standard user account for day to day running of Seti@home. And only use the admin account when necessary.

Author: j7 PostPosted: Sun Feb 07, 2010 6:58 pm    Post subject:
It seems all modules of 'Trouble Shooting' in Control Panels fails with the same error code above.

System Restore times out creating a shadow copy.

SFC /SCAN NOW validated all its programs successfully.

Author: j7 PostPosted: Sun Feb 07, 2010 8:19 pm    Post subject:
Found some directories with an earlier date : Dec 13, 2009. Like \Appdata\Roaming\Microsoft\System Certificates" and \Appdate\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories"

So now it seems that the attacker gained entry on Dec 13, 2009.

The method that he foiled System Restore didn't take into consideration that when booting from the Win7 DVD and doing a System Restore from there, it doesn't seem to create this 'Shadow Copy'. I was able to restore the system to Dec 31, 2009. And the 2 programs works correctly now. He could have tried to delete the restore points entirely, but maybe he was unable to obtain SYSTEM account rights necessary to do so, or he deliberately left me a way out.

However, seeing that he created the profiles folder on Dec 13, and could have initially gained entry earlier still, this still leaves the possibility of him having installed a backdoor. And my earliest restorable date was Dec 31. And, there may be other things that he has wrecked and installed which awaits discovery.

The attacker is experienced, and appears to have waited for some time before wrecking functionality obvious to the eye.

Author: sheik_in PostPosted: Tue Feb 09, 2010 8:32 am    Post subject:
Hey J7.. Are you sure your computer is compromised. I suspect it could be some kinda virus.

Author: j7 PostPosted: Tue Feb 09, 2010 8:25 pm    Post subject:
I think it is not a virus because viruses do not create user accounts. And I hardly do anything with it except browse to forums. Now I understand that even well known sites can get hacked and install malware, but it doesnt explain the existance of the new user account.

I ran a scan with Comodo antivirus and MalwareBytes, both found nothing.

Author: JRBTech PostPosted: Fri Apr 23, 2010 3:43 am    Post subject:

I know it has been a while since you posted, but just wanted to let you and anyone else that looks at this thread know that the c:\users\TEMP account is used when Windows has a hard time logging you into the system. It is a default account created by Windows 7 and is only used until your profile can be reconnected.

All other issues seem to point to a possible malware attack, but if the account is the only thing truly worrying you, then you should rest at ease.

Author: verdur0211 PostPosted: Fri Mar 11, 2011 12:01 pm    Post subject: Got a hacked computer
Install now. Once installed, you will need to enable a boot time scan. Once you enable the boot time scan, restart the computer. It takes a while.Another route is to go ani malware bytes, but that's only if you have xp. If you have Vista or Win 7 is to use a boot time scanning with avast. only problem is if the system files are corrupted, then you need to reinstall Windows, no matter what you do. free download avast and tell it to delete eveything that appears.Avast is much better than AVG . I switched to avast. avast is probably the # 2 anti-virus software is now # 1 if it is free antivirus.

Author: Sheena PostPosted: Fri Jun 24, 2011 4:35 pm    Post subject:
are you sure ... ? may be there is some thing wrong with the systen or there is some kind of virus ?

Networking/Security Forums -> Computer Forensics and Incident Response

output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group