From: alexboko@umich.edu
Date: Fri Feb 21 2003 - 20:12:11 MST
From: "Alex Future Bokov" <alexboko@umich.edu>
X-Mailer: YaBB
If you want to gather forensic-quality evidence, before you touch the computer
any further, turn it off and don't turn it back on until you've done the
following: buy an external USB drive-casing. They sell on eBay for ~$60,
probably a few dozen bucks more at BestBuy. Get a copy of Norton Ghost. Find
a clean computer and install Norton Ghost on it. Rip the HD out of your
old computer, install it inside the USB casing, hook it up to the clean
computer. Run Norton Ghost on it and make an exact bit-image of it. Burn the
image to as many CD-R's as it takes. Now, no matter what you do to the HD, the
original evidence will always be there in case you need to consult a forensic
expert, press charges, think of a new approach to sleuthing this out, etc.
Now, here are a few things to try:
<quote>
- c:\windows\system32\wbem\repository\fs\index.btr
- c:\windows\system32\wbem\repository\fs\objects.map.new
- c:\windows\system32\wbem\repository\fs\index.map.new
- c:\windows\system32\wbem\repository\fs\objects.data
</quote>
Do a text-string search on these files for your login and/or password and/or a
string whose *exact* typing you're absolutely certain of.
I know you already have Norton Antivirus or some equivalent, but run a full
scan on the compromised HD anyway. Full scan-- data, archives, every single
file, not just the execs. And tell it not to repair problems-- just scan.
Two popular trojans are BackOrifice (http://www.cultdeadcow.com/tools/bo.html)
and NetBus (hard to find ON PURPOSE, but probably out there in google-land
someplace). Download the distros, read the manuals, see if this gives you any
further insights into what to look for and where.
If you're very lucky, in the process of digging through what's left of your
drive, you may find incriminating IP addresses, email addresses, or other
clues. Good luck!
PS: the USB enclosure and Ghost are money/effort well spent-- they're a VERY
effective combo for data backups and troubleshooting. No matter how fuX0r3d
you manage to get your machine, from now on you'll always be able to pop the
drive into the USB enclosure and blow the last known good ghost image onto
it... and/or recover whatever it is that's on it.
---- This message was posted by Alex Future Bokov to the Extropians 2003 board on ExI BBS. <http://www.extropy.org/bbs/index.php?board=67;action=display;threadid=54922>
This archive was generated by hypermail 2.1.5 : Fri Feb 21 2003 - 20:14:21 MST
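The string search the post suggests, as an added example that is not part of the original message: a small Python script that first records a SHA-256 of the data being examined (so later work can be checked against the untouched image) and then searches a binary file for a known string. One caveat the post does not mention: the WMI repository and much of Windows store text as UTF-16LE, so a search for the plain ASCII bytes "alexb" will miss "a\0l\0e\0x\0b\0"; the search below tries both encodings. The file is read in chunks with an overlap so large repository files do not have to fit in memory. The sample bytes (SAMPLE_IMAGE) and the login name "alexb" are constructed for the demonstration; point search_stream at a real file handle opened in binary mode to use it on an actual copy of objects.data.

```python
import hashlib
import io
from typing import BinaryIO, Dict, List, Tuple

# Constructed stand-in for a binary repository file such as objects.data.
# Real files are much larger and mostly non-text; this one just contains the
# login name once as ASCII and once as UTF-16LE, surrounded by junk bytes.
SAMPLE_IMAGE = (
    b"\x00\x01\x02BINARY HEADER\x00\x00"
    + b"user=alexb;"
    + "alexb".encode("utf-16-le")
    + b"\x00\x00PASSWORD_CANDIDATE\x00"
)


def sha256_of(data: bytes) -> str:
    """Fingerprint the data before analysis so results can be tied to the original."""
    return hashlib.sha256(data).hexdigest()


def find_all(haystack: bytes, needle: bytes) -> List[int]:
    """Return every offset at which needle occurs in haystack (overlaps allowed)."""
    offsets = []
    start = 0
    while True:
        i = haystack.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def encodings_of(text: str) -> Dict[str, bytes]:
    """The byte patterns to look for: plain ASCII and the UTF-16LE Windows uses internally."""
    if not text:
        raise ValueError("search string must not be empty")
    return {"ascii": text.encode("ascii"), "utf-16le": text.encode("utf-16-le")}


def search_string(data: bytes, text: str) -> List[Tuple[str, int]]:
    """Search an in-memory blob; returns (encoding, absolute offset) pairs sorted by offset."""
    hits = []
    for label, needle in encodings_of(text).items():
        hits.extend((label, off) for off in find_all(data, needle))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def search_stream(stream: BinaryIO, text: str, chunk_size: int = 1 << 20) -> List[Tuple[str, int]]:
    """Same search over a file handle, reading chunk_size bytes at a time.

    A tail of (longest needle - 1) bytes is carried into the next chunk so a
    match straddling a chunk boundary is still found; the set removes the
    duplicate reports that the carried-over bytes would otherwise produce.
    """
    needles = encodings_of(text)
    overlap = max(len(n) for n in needles.values()) - 1
    hits = set()
    base = 0  # absolute file offset of buf[0]
    buf = b""
    while True:
        data = stream.read(chunk_size)
        if not data:
            break
        buf += data
        for label, needle in needles.items():
            for off in find_all(buf, needle):
                hits.add((label, base + off))
        if len(buf) > overlap:
            base += len(buf) - overlap
            buf = buf[-overlap:] if overlap else b""
    return sorted(hits, key=lambda h: (h[1], h[0]))


def preview(data: bytes, offset: int, width: int = 12) -> str:
    """Printable view of the bytes around a hit; non-printable bytes become '.'."""
    lo = max(0, offset - width)
    window = data[lo:offset + width]
    return "".join(chr(b) if 32 <= b < 127 else "." for b in window)


def demo_chunked(chunk_size: int = 4) -> List[Tuple[str, int]]:
    """Run the chunked search over the constructed sample with a tiny chunk size."""
    return search_stream(io.BytesIO(SAMPLE_IMAGE), "alexb", chunk_size=chunk_size)


if __name__ == "__main__":
    print("sha256:", sha256_of(SAMPLE_IMAGE))
    for label, off in demo_chunked():
        print(f"{label:9s} @ {off:6d}  {preview(SAMPLE_IMAGE, off)!r}")
```

Run it as-is to see both hits on the constructed sample; for a real file, open the image copy with open(path, "rb") and pass the handle to search_stream. Work on the Ghost image or a copy of it, never the original drive, so the SHA-256 taken at the start still matches when you are done.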