
A friend with a hacker problem.......


gjwilson
10-20-2000, 01:23 AM
I have this friend..no it's not really me..who is being hacked on a daily basis. She has a basic HP computer with cable and she is smart enough to turn off her PC whenever she isn't using it. However, these hackers..yes, she knows there is more than one and she even knows who they are although they completely deny it...are able to access her PC, pull up anything they want, i.e. personal poetry and pictures stored in her PC, and send them back to her, the latest being a picture of herself as wallpaper on her desktop.
She says they also have gained access to her Hotmail acct. Yes, she's been notified that a third party has gained access but there is nothing they can do.
Nothing the hackers have done is harmful or threatening but it is very terroristic to have someone invading your personal space at will.
One of the main problems is the hackers are not amateurs. They are software engineers with too much time on their hands, highly intelligent and untraceable.
Anyone have experience in this area? Thanks, Gary

bdog
10-20-2000, 01:31 AM
First I would suspect she has a trojan installed on her computer such as Back Orifice, SubSeven, or others. If it was my machine I would do a complete format and reinstall, but you might be able to get by without doing that. I would recommend installing a good antivirus program with the latest updates and scanning for viruses. This should detect any trojans. Then I would install a good firewall program such as BlackICE or ZoneAlarm, maybe even both since she is being targeted. Then I would check that she doesn't have NetBIOS bound to TCP/IP in the network settings. Go to www.grc.com (http://www.grc.com) and read up on security. They also offer a free security scan. Let us know what you find.

gjwilson
10-20-2000, 01:42 AM
bdog...that's exactly what she's done or at least part of it. She's scanned for trojans...nothing, she's put up firewalls...not sure which kind....no luck. I'm not sure about the TCP/IP thing and I know she hasn't done a clean re-install yet. I'll let her see this and see what she can tell me. Thanks

Dave_H
10-20-2000, 03:35 AM
I agree with bdog that it's likely a Trojan that was placed on her system.

Here are the common places to look for a trojan being loaded:
System.ini - Under the section , check this line: "shell=Explorer.exe". Nothing else should be on this line.
Win.ini - Check for anything you don't recognize under "load=" or "run=".
Registry - Go to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion. When you're there, look under Run, RunOnce, RunOnceEx, RunServices, and RunServicesOnce.

Also check the same keys under:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion.

Couple more places in the registry would be:
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\batfile\shell\open\command
These are not too common, but the entries for the above should read "%1" %* with nothing else there.

Might as well also check the Startup folder, but that would be too obvious.

Even the best AV program will miss a lot of trojans; the best thing to use would be a trojan scanner. Here is my favorite, "The Cleaner": http://www.moosoft.com/
It's free for 30 days, make sure you download the current definitions and set it to scan everything, including compressed files.

As for a firewall, bdog is on the money again. If she is using ZA, make sure all the programs allowed to access the internet are legit. Personally, I use BI to stop the incoming and ZA to block the outgoing connections.
BlackICE would give your friend a good evidence log, and that might be the best way to get these people to stop, especially if the attacker's IP address matches the people that she suspects.

Best of luck to you and your friend Gary, feel free to contact me if there is anything I can do to help.
Dave
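The checklist Dave gives above, as an added PowerShell script that is not part of the thread. It assumes a current Windows machine with PowerShell; the RunServices* keys and the ini load points are Win9x-era, so where they are absent the script says so and moves on.

```powershell
# Added example (not from the thread): audit the autostart locations Dave_H lists.
# Assumes a current Windows PowerShell session. The RunServices* keys and the ini
# load points are Win9x-era; on current Windows they are absent or empty, so the
# script reports "absent" and continues rather than failing.
$runKeys = 'Run', 'RunOnce', 'RunOnceEx', 'RunServices', 'RunServicesOnce'
$hives   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion'

foreach ($hive in $hives) {
    foreach ($key in $runKeys) {
        $path = Join-Path $hive $key
        if (-not (Test-Path $path)) { Write-Host "[absent]    $path"; continue }
        # Every value under these keys is a program launched at logon; list each for review.
        foreach ($p in (Get-ItemProperty -Path $path).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive metadata
            Write-Host ("[autostart] {0}\{1} = {2}" -f $path, $p.Name, $p.Value)
        }
    }
}

# The exe/com/bat handlers must launch the file unchanged: the default value is exactly "%1" %*.
# Anything wrapped around it runs before every program the user starts.
$expected = '"%1" %*'
foreach ($type in 'exefile', 'comfile', 'batfile') {
    $path = "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command"
    if (-not (Test-Path $path)) { Write-Host "[absent]    $path"; continue }
    $cmd = (Get-ItemProperty -Path $path).'(default)'
    if ($cmd -eq $expected) { Write-Host "[ok]        $path" }
    else { Write-Host "[SUSPECT]   $path = $cmd  (expected $expected)" }
}

# Legacy ini load points: shell= in system.ini, load= and run= in win.ini.
foreach ($ini in 'system.ini', 'win.ini') {
    $file = Join-Path $env:windir $ini
    if (Test-Path $file) {
        Select-String -Path $file -Pattern '^\s*(shell|load|run)\s*=' |
            ForEach-Object { Write-Host "[ini]       $ini : $($_.Line.Trim())" }
    }
}

# The Startup folder is the obvious place, but still worth listing.
Get-ChildItem -Path ([Environment]::GetFolderPath('Startup')) -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host "[startup]   $($_.FullName)" }
```

Review the [autostart] lines by hand; the script lists rather than judges them, since what is legitimate varies per machine.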

Dominus
10-20-2000, 03:44 AM
Remember: A good software engineer can write their own trojan. Not that hard, really. Since it's unique, virus scanners will not pick it up.

However, commands to a trojan have to get in somehow, probably over TCP/IP. Make sure your friend has the firewalls she uses set up correctly. If it's not filtering the correct traffic, a firewall is rather useless.

Also, tell her to run 'netstat' from a command prompt during an attack to see where the commands to the Trojan are coming from. Then do a reverse-lookup on the IP to get contact info for the ISP or host that the attacks are coming from.

Call up said host, and work with them to try to find the identity of the hacker.

Good Luck.

gjwilson
10-20-2000, 04:33 AM
I told her you guys would have some suggestions.....she's pretty fried from the whole thing. I'll let you know what happens. Thanks again, Gary

CMonster
10-20-2000, 09:01 AM
Wow, there is so much that can be done.

First thing that came to my mind is "PC-Anywhere" by Symantec, if she has this on her computer it ought to be removed. - though I know that's probably not the problem.

Personally I'd switch to Linux or W2K for surfing the web, because these can be secured, whereas Win9x security is a little like putting a screen door on a bank vault. I'd probably at least set up a Linux firewall on another PC - oh yeah, with a nasty message to those undesirables wishing to log on...something to the effect that they were Masters of their own planet- "Masters" of the planet "Bator."

In this particular case I would save my personal information (less any files that might be suspect), format the drive, and reinstall the operating system. I would also request a new IP address and password from my ISP, and generally tighten up system security.

BFlurie
10-20-2000, 10:14 AM
If you study the grc.com site, you'll see that it's very difficult even for expert hackers to (unknowingly to you) read files off your HD if you don't have TCP/IP (or whatever Internet protocol you use) bound to a networking protocol. Of course, if you allow an unknown ActiveX control, etc., to be loaded & run from questionable sites (browser security settings can easily prevent that), or d/l & run unknown programs from email, websites, etc.

[This message has been edited by BFlurie (edited 10-20-2000).]

Eli
10-20-2000, 04:31 PM
Could she contact her cable company and try to get a different IP address for her cable modem? That could be a temporary solution while she sets up her security perimeter.

gjwilson
10-20-2000, 05:32 PM
All are good suggestions. I work with her sporadically so I can only pass on your advice and wait to see what she does. Thanks again and keep 'em coming. Gary

codybear
10-20-2000, 05:43 PM
she knows there is more than one and she even knows who they are although they completely deny it


That line there is enough for an investigation..if they were in her system and they think they are so smart then chances are they don't cover their tracks very well...most of them really don't like they should...why does she think it is "them" that deny it??

jamis
10-20-2000, 07:11 PM
Also...If she has a cable modem, make sure she has all file and print sharing turned off.

gjwilson
10-20-2000, 08:37 PM
Codybear...my friend is rather selective in the information she shares. She mentioned individual men in 2 different states that I recall. I figured her relationship with these men was her own business and that I would try to help where I could. I'm curious, too, but stop at asking how she knows.

Jv44~Siggi
10-21-2000, 01:13 PM
Does she have any male friends who would be prepared to give these maggots a good kicking? Usually works where the law is powerless to help.

jad1097
10-21-2000, 01:42 PM
LOL CM sometimes you just crack me up.

An IP address change is the first thing I would do. The problem is they could still find out her new IP address if she does have a Trojan and does not reformat or get rid of it.

voogru
10-21-2000, 02:27 PM
OK, it's time to take out that boot disk, copy the format command onto it and FORMAT that son of a b****, install Windows, then make her change her Hotmail password. If this still doesn't work, take out a shotgun and shoot the computer several times and buy her a new one....

I'd bet she will really like a new comp!

Beemers
10-22-2000, 08:42 AM
Check this out as well.
http://www.geocities.com/a3a17013/tippages/beemerswindowstips/dhcp.htm

Cheers!

gjwilson
10-24-2000, 02:48 PM
Just a brief update...finally worked with the lady again. She hasn't tried anything, yet. She's hesitant about pissing these people off. She did tell me that "they" write/wrote programs for Excite and Yahoo, of which she uses both. She also said they know immediately when she's online and even know when she's not using her own computer. She hasn't tried BlackICE yet and does show some interest in it. More as it happens.....

qball
10-24-2000, 03:22 PM
Wonderful, people are hacking your friend's computer and she is afraid to '**** them off'? How does she know they know when she is on/off line?

Real intelligence at work here. Then again someone using a cable modem without a firewall is less smart than a box of rocks.

They (whoever they are) are accessing her PC over the cable network on which she shares her internet connection. That is basically the only way the behavior described exists. Turning off sharing and removing the NetBEUI protocol.

If the machine is compromised by software placed by these hackers, one should be able to determine what and where these programs exist and remove them.

Trash the hotmail account and get another, though if she continues as is, that will be compromised shortly.

Ygor
10-24-2000, 03:43 PM
They live in 2 other states?

She should casually mention (in an email to you perhaps?) that she's contacted the FBI and they're watching now.

Violation of privacy may seem insignificant, but since it crosses state lines...

Also, any evidence she has should be reported to Yahoo & Excite. If they're as slick as they want her to think they are, she wouldn't know now!

Chances are these are just some lamers having their idea of "fun" and neither is employed at either. I can't imagine employees still being employed doing that.

Just for giggles, have her ask you (in email)about Echelon & Carnivore...

[This message has been edited by Ygor (edited 10-24-2000).]

Rat
10-24-2000, 04:26 PM
You might also have her consider a personal firewall like ZoneAlarm (free) after all the nasties are removed.

Rat...
"The object of war is not to die for your country but to
make the other ******* die for his."
--George Patton

RobRich
10-24-2000, 04:52 PM
Tell her to download and install ZoneAlarm, as Rat indicated. Then set the security levels to "high" for all connections. Then if someone attempts suspicious activities, the attack will most likely be blocked, and the offender's IP address will be logged.

After collecting the IP address, you can trace the offender back to their ISP, thus causing them a major headache!

Later,
Robert Richmond

gjwilson
10-25-2000, 06:53 AM
I appreciate all the sound advice. I won't be working with her again for about a week so I will have to wait to share the latest advice. Thanks again and I will keep you posted. Gary

Erap!
10-25-2000, 07:37 AM
Then post IP addresses of these people on a new thread here in sysopt and hope someone does revenge!

Ygor
10-25-2000, 11:43 AM
Naw... no one here would do anything like that now would they?

Where is that evil laugh coming from??

Benny Boy
10-26-2000, 12:29 AM
One way to determine if there is a trojan on your computer (that is not detectable by trojan cleaners) would be to do a full port scan. The GRC site has a basic scanner, but it doesn't scan very many ports. The link below has a scanner that should check all ports. If it picks up an open port with a high number then there probably is a trojan on the system. Make sure you have closed programs like Realplayer and ICQ because they use higher numbered ports.
http://www.sdesign.com/cgi-bin/fwtest.cgi


Hope that helps,

Ben
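Dominus's "run netstat during an attack" and Ben's "an open high-numbered port points to a trojan", done as one local triage pass. This is an added PowerShell example, not code from the thread; it assumes Windows with PowerShell 3 or later (netstat's -o switch, which reports the owning PID, does not exist on Win9x), an elevated prompt so every process name resolves, and an allowlist of process names that the reader adjusts for the machine in hand.

```powershell
# Added example (not from the thread): one triage pass combining Dominus's "run netstat
# during an attack" and Benny Boy's "an open high-numbered port suggests a trojan".
# Assumes Windows with PowerShell 3+ (netstat -o reports the owning PID; not on Win9x)
# and an elevated prompt so that every process name resolves.
$knownHighPortOwners = 'System', 'svchost', 'lsass', 'services', 'wininit', 'spoolsv'  # assumed allowlist; extend per machine

$rows = netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' } | ForEach-Object {
    $f = $_.Trim() -split '\s+'                 # Proto Local Remote [State] PID
    $owner = Get-Process -Id ([int]$f[-1]) -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Proto     = $f[0]
        Local     = $f[1]
        LocalPort = [int](($f[1] -split ':')[-1])          # handles 0.0.0.0:135 and [::]:135
        Remote    = $f[2]
        State     = if ($f[0] -eq 'TCP') { $f[3] } else { '-' }   # UDP rows carry no state column
        Process   = if ($owner) { $owner.ProcessName } else { "pid $($f[-1])" }
    }
}

# 1. Listeners above port 1024 owned by a process not on the allowlist: after closing
#    RealPlayer, ICQ and the like, anything left here is what an external scan would see.
Write-Host '--- listeners above port 1024 ---'
$rows | Where-Object { $_.State -in @('LISTENING', '-') -and $_.LocalPort -gt 1024 -and
                       $_.Process -notin $knownHighPortOwners } |
    Sort-Object LocalPort | ForEach-Object {
        Write-Host ('{0,-4} {1,-24} {2}' -f $_.Proto, $_.Local, $_.Process)
    }

# 2. Established sessions are where commands to a trojan would be arriving from right now.
#    Resolve each peer (Dominus's reverse lookup) so the ISP for an abuse report is known.
Write-Host '--- established connections ---'
$rows | Where-Object { $_.State -eq 'ESTABLISHED' } | ForEach-Object {
    $ip = ($_.Remote -replace ':\d+$', '') -replace '^\[|\]$', ''   # strip port and IPv6 brackets
    try   { $peer = [System.Net.Dns]::GetHostEntry($ip).HostName }
    catch { $peer = '(no reverse DNS)' }
    Write-Host ('{0,-24} -> {1}  [{2}]' -f $_.Remote, $peer, $_.Process)
}
```

Run it twice, once idle and once while the odd behaviour is happening, and compare: a listener or peer that appears only during the second run is the one to investigate.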

herzogs
10-26-2000, 01:40 PM
With respect to the port scanner at sdesign.com, it does not scan all 65535 ports. It scans all UDP and TCP ports from 1 to 1024 and those listed on the following page: http://www.sdesign.com/securitytest/portlist.html

If anyone using our site would like to request additional ports, just e-mail them to me along with a description of what the port may be used for.

Steve
Webmaster@sdesign.com

Donawesome
10-27-2000, 01:25 AM
There is a great program for doing most of what needs to be done to manually find and eliminate her problem. The program is called Advanced Administrative Tools by G-Lock Software: www.glocksoft.com (http://www.glocksoft.com). It is free for 30 days, with some restrictions. It does a full port scan on ANY computer, as well as showing network status, whois lookups, sys info, processes, etc.

Another great program for checking hidden background tasks as well as a very good computer lock is System Intrusion Console by Diganet www.diganet.com (http://www.diganet.com)

Hopefully, this helps....
Good Luck
Donawesome