Got hacked again
The other day I noticed that my Beyond TV box and my wife's computer restarted. I went to see what was going on, and on my wife's computer her antivirus is permanently disabled so I can't do a virus scan. And on my Beyond TV computer, it shows that under Run there was a program jbouncer.exe that was run and is now in the Recycle Bin. I can't figure out why this is happening. I have port 8126 open for SnapStream in my router and a port for Remote Admin open for my wife's computer. I have 3 other computers on my network that don't appear to have had anything done to them. What can I do to stop this? This isn't the first time this has happened.
Re: Got hacked again
What kind of firewall? Try IPCop v1.3 Linux FW (free), but you need to run it on an old machine you may have lying around, or just buy an old Pentium 2 machine. IPCop is much better than any FW which resides on a modem/router. You get Snort IDS, stateful FW, DHCP server, etc... very powerful. Best antivirus IMO is McAfee VirusScan; then install ZoneAlarm on all your machines. So you get 3 dynamic perimeter defense systems working, of which one likely will log/prevent a malicious attempt.
Re: Got hacked again
Get rid of IRC. Reinstall virus software. Patch and update virus software and Windows. Run virus scan. Once all that is done, schedule your virus software to update frequently. I find daily should be the longest time between updates due to the increase of virus and worm releases. Also schedule full system scans weekly.
Google Toolbar is an excellent idea. I now install it on every user's machine at work. People love Google and hate popups.... the toolbar is perfect. Download Ad-Aware. Install, update, full scan. I bet it's spyware causing this problem. You would be surprised how easy it is to get on your machine. Even I get hit now and then and I question every download! Check for a firmware update on your router too. There might be some security hole in it that people are taking advantage of. Disable "ping reply" on the router. This is also known as "Stealth Mode". You don't want it responding to every script kiddy on the net. Also make sure you don't have remote admin up on the router. You're just asking for trouble. Wireless router or AP? SECURE IT! Like 80% of the people out there don't do this. It's like leaving your doors and windows wide open and a big flashing sign on your roof saying "ROB ME PLEASE". Especially if you live in an apartment or dense neighborhood.
__________________
"Government big enough to supply everything you need is big enough to take everything you have... The course of history shows that as a government grows, liberty decreases." Thomas Jefferson HTPC Server: |GA-EP35-DS4|Intel Core 2 Quad Q9450|4GB DDRam|300GB SATA System Drive|600GB SATA Recordings Drive (stripe)|PVR-500 (x2)|HDHomeRun|ATI Radeon HD 3600|Sharp Aquos 37" HDTV|Harmony 890 Remote|
Re: Got hacked again
Hmmmm. I had a guest over at my house over the weekend and he was using my internet. rrrrrrrrrrr..... My router is up to date, I run Ad-Aware and Spybot all the time, I have Norton Antivirus on, I do not use any IRCs, and my wife doesn't check her email at her home computer. So I assume that my friend did something. I keep close tabs on my computers, try to keep that spyware and crap out, but stuff like this always seems to slip through and really screw up things. Is there any way that I am being hacked through the open ports I mentioned? I usually do not have the remote admin one open, just the one for Beyond TV and sometimes AIM.
Re: Got hacked again
My Beyond TV box never gets touched, nor does it ever leave fullscreen mode. That is why I was surprised that it got broken into. Can I assume that someone got full control because under the Run history it says they ran C:\JBouncer-1.0\run.bat? And then another command that was entered is cmd. Then the JBouncer was put in the Recycle Bin but never emptied. This is what the batch file consisted of:

java -classpath .;lib/pircbot.jar org.jibble.jbouncer.JBouncerMain
pause

How do I get rid of this? I just did a reinstall a few weeks ago and I would hate to have to do a full reinstall again. I knew I should have ghosted sooner.
Re: Got hacked again
Sometimes you should also disable Messenger and Remote Registry Service under Control Panel | Administrative Tools | Services.
Check for any odd-looking Services while you're there.
Check your Startup folder.
Run Registry Editor. Check HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Do a Search in Registry Editor for jbouncer. Also do the same with Windows Explorer.
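Added example (not from this thread or any poster): a PowerShell script that walks the persistence locations the post above lists (both Run keys, the per-user and all-users Startup folders, and the installed services) and flags any entry matching a name such as jbouncer, which the thread identifies as the unwanted program. The pattern parameter and the output layout are my own choices.

```powershell
# Added example: triage the autostart locations named in the post and
# flag entries matching a suspicious string (default: "jbouncer", from the thread).
param([string]$Pattern = 'jbouncer')

$findings = @()

# 1. The two Run keys the post names (HKCU and HKLM)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata fields
        $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Value = [string]$p.Value }
    }
}

# 2. Startup folders (current user and all users); -Force shows hidden files too
foreach ($dir in @([Environment]::GetFolderPath('Startup'),
                   [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Force | ForEach-Object {
        $findings += [pscustomobject]@{ Source = $dir; Name = $_.Name; Value = $_.FullName }
    }
}

# 3. Installed services with their binary paths, so odd-looking ones stand out
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $findings += [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Value = [string]$_.PathName }
}

# Full inventory first, then only the entries matching the pattern
$findings | Format-Table -AutoSize | Out-String | Write-Host
Write-Host "Entries matching '$Pattern':"
$findings | Where-Object { $_.Name -match $Pattern -or $_.Value -match $Pattern } |
    Format-Table -AutoSize | Out-String | Write-Host

# The two services the post recommends disabling: show whether they are running
Get-Service -Name Messenger, RemoteRegistry -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize | Out-String | Write-Host
```

Run it from an elevated prompt so the HKLM key and all service entries are readable; a match on the pattern is a lead to investigate, not by itself proof of compromise.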
Re: Got hacked again
OK, once again, IPCop v1.3 is your solution. When you have a FW which resides on the router itself (or the client) then it is nothing more than a packet filter, which is not a "firewall" by any measure. Conversely, a stateful firewall like IPCop or Checkpoint Firewall NG maintains connection "state" while performing packet inspection: TCP/UDP packets are assured IP source and IP destination addresses. There is no shortcut. You must have a standalone hardware firewall which separates external (red interface) and internal (green interface) traffic.
Snort IDS (included) will prevent (and log) *any* port scan to your network/router. Any attempt will be stopped. The only way it can be defeated is if someone actually logs in to your IPCop HTTP interface. What is Snort? Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. http://www.snort.org/about.html Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient. Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump(1), a packet logger (useful for network traffic debugging, etc), or as a full blown network intrusion detection system. http://www.ipcop.org/cgi-bin/twiki/view/IPCop/WebHome The GUI interface is incredible (since it's free) and it will manage and monitor every packet in and out of your network. SourceForge download below: https://sourceforge.net/projects/ipcop/
__________________
INTEL T2400 Core duo/ASUS n4l-vm dh / 2gb ddr2 667/ btv3.7x/ 2X pvr-250's/ nVidia 7600gt silent/ 300gb SATA2/ YPbBr Component Out --> 42"sdtv / analog out to sony surround |
Re: Got hacked again
lol - yeah, the sledgehammer approach is the only way. I feel strongly that there is no grey area. Maybe since I get 1200-5000 hits a day on my own IDS, work in network security, and read/see/hear truly horrifying stories, I have a bit of a strong opinion.
Re: Got hacked again
Not only that, but the IPCop v1.3 solution is way out of date and it's a dead ringer for SmoothWall, and you should check out ClarkConnect.
But none of them work for me with my darn Speedtouch USB DSL modem.
Re: Got hacked again
Last edited by fester; 05-21-2004 at 06:23 PM.
Hmm, maybe I need my eyes checked, because that's odd when the last release date was on Apr 22 2003, showing under "IPCop v1.3.0 STABLE Released", and we are in May 21 2004; that's almost 13 months old, so how is that the most used, most developed opensauce FW when it's well over one year old?
Re: Got hacked again
SHS, look at http://www.ipcop.org/cgi-bin/twiki/v.../IPCopDownload
March 29, 2004 was the latest patch. I just had a virus attack too. Still getting updates and doing scans. This is way too fast to get a virus on a modem. Scanned 3 more and cleaned 1 msblaster. I was running NAV, but then LILO in Linux changed the MBR when I made a custom 2.4.29 kernel deb. Then XP would not boot up after I said Yes to the motherboard's BIOS warning to change the boot drive partition when it was booting XP from LILO. I was booting Linux from XP before, but I did not know how to change the kernel I was booting in Linux using XP to boot Linux. I think maybe it was simple and I will try again later. Repair XP did not work. I had a few extra IE favorites not backed up on the messed up drive. I waited overnight thinking and then installed XP on the empty partition on the secondary master controller. Then that XP could not see the drive. I loaded Partition Magic 7 and found it was hidden. I unhid it and then XP repair installed it from E to G. This made Norton Antivirus not run. Then I got a virus checking my PC to see what needed to be fixed and how to arrange the drives. I rearranged the G back to E and NAV started updating and scanning and found the virus. What a nightmare week! It even made some virus fix sites bring up the BTV web GUI on 8129.
__________________
P4 2.4Ghz - 512Megs , Hauppauge Wintv 401 , Hauppauge PVR 150 retail , Radeon 9600 , 17'' Monitor
Last edited by BenH; 05-21-2004 at 08:10 PM.