Hi spinola-ga
The first thing I recommend is running a thorough virus scan.
You should already have some sort of regularly updated virus scanning
software already on your pc. This is just a "must have" these days.
The biggest problem I noticed amongst home computer users in regards
to security, was having virus scanning software that was not regularly
updated. If not updated on a regular basis, the virus detection
software will not be able to detect the "newest" viruses, trojans, and
other security threats. And believe me, there are people out there
with nothing better to do than to sit around and create new ways of
exploiting weaknesses in firewalls and virus detection software. If
for some reason you do not already have virus detection software
already installed, there are some reputable websites that offer to
scan your hard drive for free.
Online Virus scanning:
http://housecall.trendmicro.com/housecall/start_corp.asp (Housecall)
http://www.ravantivirus.com/scan/indexn.php (reliable antivirus)
http://www.commandondemand.com/eval/cod/codns6.cfm (Command on Demand
for Netscape)
http://www.commandondemand.com/eval/cod/codie.cfm (Command on Demand
for Internet Explorer)
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
(Panda's online virus scan)
Now, the next thing I will discuss is your firewall. Since you have a
DSL connection, you should have some sort of firewall, as all
broadband users should. You might be able to review your logs from
your firewall to determine what IP addresses you were connected to,
what ports were being used ect. If your not using a firewall, then
it's vital that you get one now!
http://www.dslreports.com/information/rated/security
A list of some firewalls
How can you tell if you have been hacked?
http://www.dslreports.com/faq/4190
"Always look for strange behaviours by your computer. It's a good idea
to be pro active and every once in a while look at all the programs
that are running in the background and look for strange or unfamiliar
program names. It is also helpful to always look for listening ports
on your machine. You can do this by typing Netstat -an in a command
prompt (DOS) session. Look for ports that are marked " listening " and
compare those port numbers with several Suspected Trojan port lists
available on the Internet or seek
help from other DSLR members in identifying the purpose of those
ports."
If you have trouble understanding the results when you run Netstat,
hackerwhacker has a online form in which you can cut and paste
sections of the output that you have questions about, they then will
attempt to annotate the port and ip numbers with more understandable
results. (http://hackerwhacker.com/asknetstat.dyn)
http://www.hackerwhacker.com/how.dyn
"In a huge majority of the cases, no, because the most popular pc
operating system does not record Internet activity. It is impossible
to know if your computer has been cracked unless the cracker does
something extremely obvious. This is very scary. A cracker might have
been using your computer for years for nefarious purposes and you'd
never know it!
If a cracker is extremely clumsy you might see some indications that
your computer may have been cracked.
Hard drive starting up by itself when nothing is going on.
Receiving E-Mail from strangers.
Floppy disk light coming on by itself.
Sounds playing when they shouldn't be.
Your computer doing things you didn't ask it to do.
Your computer suddenly dialing up the Internet.
Your computer locking up or freezing while you are on the Internet. "
Use Windows 98 utilities to identify security risks and threats:
http://www.zdnetindia.com/help/alerts/stories/80398.html
This page gives you instructions on how to install and use some of the
Windows 98 utilities such as;
NetWatcher:
Lets you see who is using the shared resources on your computer at any
given moment in time, across the network.
System Monitor:
Within System Monitor, click on the Add button and choose Microsoft
Network Server from the category field. Choose the parameters that you
want to track. This will be added to the chart. Use this to determine
if your system is slowing down on account of shared resources. You may
need to disconnect a user or un-share a shared resource to remedy it.
Win IP Config:
Win IP Config lets you view all your current TCP/IP settings in a
single menu. By clicking on More Info, additional information
regarding the network can be viewed.
If the IP address was dynamically allocated by a DHCP (Dynamic Host
Configuration Protocol) server, then you can use the Release and Renew
buttons to release and renew the IP address.
Netstat:
Use Netstat to display protocol based statistics as well as all
current inbound and outbound connection. Netstat can be configured to
display all connections and listening ports and Ethernet statistics,
as well as statistics on a protocol basis. This would include
statistics for TCP, UDP, ICMP and IP. This is a very useful command
line utility that lets you know who is accessing the machine.
Net:
The Net utility in the command line contains a host of other
interlinked utilities. You can choose to do basic network
configuration, diagnostics, inspect print queues, as well as
connecting and disconnecting to the network from the command line.
Type in net /? on the command line to access more information on the
different commands within the Net utility.
Detecting Backdoor Programs:
http://www.saintcorporation.com/demo/saint_tutorials/backdoor_found.html
Some of the various backdoor programs and the ports they use.
Prevention:
Things you may want to think about implementing to avoid future
incidents.
https://grc.com/x/ne.dll?bh0bkyd2 (Sheilds up)
Scans your computer online for ports that are vulnerable.
http://www.dslreports.com/scan
Another online port scanner
http://www.dslreports.com/faq/4415
recommended Anti-Trojan programs
http://www.grisoft.com/html/us_index.htm
Grisoft's free anti-virus protection software
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/ChkList/dsktpSec.asp
Microsoft recommends Windows 98 users should take the following steps
to ensure security;
1. Visit the Windows update site and install the latest critical
updates.
(http://v4.windowsupdate.microsoft.com/en/default.asp)
2. Familiarize yourself with these Best Practices in Enterprise
Security
(http://www.microsoft.com/technet/security/bestprac/bpent/bpentsec.asp)
3. Update your anti-virus tools and signature files from viruses.
Check out the Virus Alerts regularly.
(http://www.microsoft.com/technet/security/virus/virus.asp)
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/askus/aus1001.asp
"Defense in depth is a military practice that applies directly to
information security. To rely on a single piece of software or a
single device to provide all protection is insufficient: compromise
that single layer and there is no more security.
Protecting your home computer isn't a one-time task. You need to be
diligent here: install a personal firewall, install and frequently
update a virus scanner, and keep your computer up-to-date with
security patches. Visit
http://www.microsoft.com/technet/security/bulletin/notify.asp and
subscribe the Microsoft Security Notification Service. When you
receive notice of a security patch ("hotfix") that applies to your
computer, install it right away. "
Not sure of when your last update was?
http://www.wugnet.com/tips/display.asp?ID=207
Instructions on how to access your Windows Update log file. (This log
file will give you details about all of the updates installed, as well
as build (version) numbers and the dates and times when they were
installed.)
http://www.firewallguide.com/
Help in choosing a firewall
Determine if file and print sharing is needed, if not, then disable
them!
http://comp.bio.uci.edu/security/disable_win_sharing.htm
(Instructions)
http://www.seifried.org/security/basic/win98/
" Part of the functionality that windows offers is network file
sharing and printer support. If you only have one machine chances are
you do not need these features"
"Enabling windows printer and file sharing can allow an attacker to
gain access to your machine, and the same goes for Windows network
client. Installing these components and enabling them is the default
in Windows, so unless you specifically disable or remove them they
will be present. With these software component installed a remote
attacker can find out a lot about your computer. By querying your
machine remotely they can learn your login name and your workgroup
name and the hardware address of your computer (which can give them
enough information to know what brand of computer you own!)"
http://www.cablemodemhelp.com/windows.htm
Windows 95 & 98 security
http://thedslzone.com/Security.html
Security for DSL users.
http://www.isalliance.org/resources/papers/ISAhomeuser.pdf
Common Sense Guide for Home and Individual Users: Recommended Actions
for Information Security
Other links to check out:
http://www.cert.org/tech_tips/win-95-info.html
Windows 95/98 Computer Security Information
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
Steps for Recovering from a UNIX or NT System Compromise (although
intended for UNIX or NT Systems, this page does offer some good ideas)
http://www.cert.org/tech_tips/home_networks.html#I-C
Security for home Networks
http://cable-dsl.home.att.net/netbios.htm
File and Printer Sharing (NetBIOS)
http://www.cert.org/homeusers/HomeComputerSecurity/
Home Computer Security
http://isc.incidents.org/
A great sight that lists the top current security threats and the
ports used.
http://www.viruslist.com/eng/viruslist.html?id=3907
Lists various backdoor trojans
http://www.anti-trojan.net/en/trojportlist.aspx
List of trojans and the ports commonly used
http://www.howstuffworks.com/firewall.htm
How firewalls work
http://www.dshield.org/ipinfo.php
Get info on an IP address
http://www.zdnet.com.au/builder/manage/work/story/0,2000034930,20274660,00.htm
You've been hacked: What to do in the first five minutes
http://www.zdnet.com.au/itmanager/strategy/story/0,2000029582,20274851,00.htm
You've been hacked: what to do in the first hour
http://anti-trojan.virtualave.net/page4.html
What to do if you find your computer being hacked.
http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=103
An interesting article on a computer owners liability if their
computer is hacked and used as a weapon to attack other computers.
http://www.derkeiler.com/Newsgroups/microsoft.public.inetserver.iis.security/2002-10/5304.html
How can I tell if I've been hacked?
Web pages directly pertaining to the error message "There are 1
user(s) connected to your computer.
Shutting down your computer will disconnect them. Do you want to
continue?"
http://www.annoyances.org/exec/forum/win98/n1023990336
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&threadm=441mnskiigvlmgk8edbqsii573vm
http://tinyurl.com/cyby (tiny url for a post from a Google newsgroup)
http://tinyurl.com/cyc3 (tiny url for a post from a Google newsgroup)
http://tinyurl.com/cyit (tiny url for a post from a Google newsgroup)
http://tinyurl.com/cyjj (tiny url for a post from a Google newsgroup)
I you have any questions about the information I have provided, please
feel free to request a clarification of my answer. Be sure to give me
enough time to respond before you rate the answer!
Best of luck to you!
Thanks,
chellphill-ga |
Clarification of Answer by
chellphill-ga
on
29 May 2003 13:39 PDT
spinola-ga,
In regards to your question, "If someone had managed to install a
program would that normally show as a task when you do ctrl-alt-del?"
The answer is.... maybe. It all depends. Some viruses and
backdoor programs will show up in your task list. For example
http://search.freefind.com/find.html?pageid=r&id=6940792&mode=ALL&n=0&query=backdoor
shows a few of the backdoor programs, and how they might show up in
your task list.
Here are some other examples:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.easyserv.html
Backdoor.Easyserv does not display any indication that it is running.
You can verify that the Trojan is running by opening the Task list
(Ctrl+Alt+Del), where you'll see the name of the running Trojan in the
list. The name of the Trojan is usually Server.exe (see note that
follows). You can remove Backdoor.Easyserv from memory by selecting
Server.exe and then clicking End Task.
http://www.iss.net/security_center/static/3113.php
"Select Antihack.exe, and then click End Task. If Antihack.exe does
not appear in the list, the backdoor is using a different file name
and could be very difficult to locate. Refer to the steps below for
using an antivirus program to remove the backdoor."
However, there are also quite a few that will not show up in your task
list.
http://www.avp.ch/avpve/trojan/backdoor/bo.stm
"The only feature making this utility to be classified as malicious
trojan software - the silent installation and execution. When this
program runs, it installs itself into the system and then monitors it
without any requests or messages. If you already have it installed on
the computer, you cannot find this application in the task list. The
trojan also does not manifest its activity in any way. "
http://www.viruslist.com/eng/viruslistbooks.html?id=65
"Programs that are classified as "backdoors" are network
administration utilities that allow for the controlled removing of
computers on a network. "Backdoors" are similar to commercial network
administration packages that are developed and distributed by software
companies.
The only feature of these utilities classifying them as malicious
(Trojan) software is the silent installation and execution. When such
a program runs, it installs itself into the system and then monitors
the system without any requests or messages. If you already have it
installed on your computer, you cannot find this application in the
task list in most cases. The majority of known backdoor Trojans also
do not indicate their activity in any way."
Sometimes trojans, viruses, and backdoors can be in your task list,
but disguised as something legitimate, for example;
http://www.symantec.com/avcenter/venc/data/backdoor.turkojan.html
". If the operating system is Windows 95, 98, or Me, the Trojan
registers itself as a service process to hide itself from the task
list."
What I would recommend is doing a ctrl+alt+del and take a good look at
what is running in your task list. Have a pen and paper handy and jot
them down that way you will be familiar with them, plus you may want
to look up any unfamiliar tasks on google. Make a note of what is on
your task list at boot up, then start your dsl connection (if it isn't
already connected) and note if any new tasks have been added.
Another great site is
http://www.securityspace.com/smysecure/catdescr.html?cat=Backdoors
It has a long list of various backdoor programs. You can register
(it's free) and choose a backdoor program, and security space will
scan your computer for it.
As to the second part of the question, "Or is it more likely that
although someone may have
connected to the share it is less likely they installed some
software?"
The following links give a bit of insight as to what a hackers goal is
once they gain access to your system.
http://rf-web.tamu.edu/security/SECGUIDE/V1comput/Hackers.htm
"Once inside the system, the hackers second goal is to get what is
called "root" access. That usually requires finding a technical
weakness. Root access means the hacker has unrestricted access to the
inner workings of the system."
http://governmentsecurity.org/articles/SystemBackdoorsExplained.php
"The backdoor for most intruders provide two or three main functions:
Be able to get back into a machine even if the administrator tries to
secure it, e.g., changing all the passwords.
Be able to get back into the machine with the least amount of
visibility.
Most backdoors provide a way to avoid being logged and many times the
machine can appear to have no one online even while an intruder is
using it.
Be able to get back into the machine with the least amount of time.
Most
intruders want to easily get back into the machine without having to
do all
the work of exploiting a hole to gain access."
www.sun.com/blueprints/0502/816-4816-10.pdf
An interesting article on what hackers do, and how they do it.
http://security.tao.ca/keylog.shtml
Detecting keystroke loggers and backdoors.
|