RE: Hackers please help

From: gts (gts_2000@yahoo.com)
Date: Fri Feb 21 2003 - 22:05:16 MST

    Thanks for this excellent advice, Alex.

    I'll try to remember to report back here after a full virus scan and
    text search of the suspect files.

    -gts

    From: "Alex Future Bokov" <alexboko@umich.edu>
    X-Mailer: YaBB

    If you want to gather forensic-quality evidence, before you touch the
    computer any further, turn it off and don't turn it back on until you've
    done the following: buy an external USB drive-casing. They sell on eBay
    for ~$60, probably a few dozen bucks more at BestBuy. Get a copy of Norton
    Ghost. Find a clean computer and install Norton Ghost on it. Rip the HD
    out of your old computer, install it inside the USB casing, hook it up to
    the clean computer. Run Norton Ghost on it and make an exact bit-image of
    it. Burn the image to as many CD-R's as it takes. Now, no matter what you
    do to the HD, the original evidence will always be there in case you need
    to consult a forensic expert, press charges, think of a new approach to
    sleuthing this out, etc.

    Now, here are a few things to try:

    - c:\windows\system32\wbem\repository\fs\index.btr
    - c:\windows\system32\wbem\repository\fs\objects.map.new
    - c:\windows\system32\wbem\repository\fs\index.map.new
    - c:\windows\system32\wbem\repository\fs\objects.data

    Do a text-string search on these files for your login and/or password
    and/or a string whose *exact* typing you're absolutely certain of.

    I know you already have Norton Antivirus or some equivalent, but run a
    full scan on the compromised HD anyway. Full scan-- data, archives, every
    single file, not just the execs. And tell it not to repair problems-- just
    scan.

    Two popular trojans are BackOrifice
    (http://www.cultdeadcow.com/tools/bo.html) and NetBus (hard to find ON
    PURPOSE, but probably out there in google-land someplace). Download the
    distros, read the manuals, see if this gives you any further insights
    into what to look for and where.

    If you're very lucky, in the process of digging through what's left of
    your drive, you may find incriminating IP addresses, email addresses, or
    other clues. Good luck!

    PS: the USB enclosure and Ghost are money/effort well spent-- they're a
    VERY effective combo for data backups and troubleshooting. No matter how
    fuX0r3d you manage to get your machine, from now on you'll always be able
    to pop the drive into the USB enclosure and blow the last known good
    ghost image onto it... and/or recover whatever it is that's on it.

    ----
    This message was posted by Alex Future Bokov to the Extropians 2003
    board on ExI BBS.
    <http://www.extropy.org/bbs/index.php?board=67;action=display;threadid=54922>

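The imaging and string-search steps Alex describes, as an added example that is not part of his post or of this thread: a POSIX shell script that makes the bit-for-bit copy with dd rather than Ghost, records a SHA-256 of the original and of the copy so the two can be shown to match, re-checks the copy's hash before it is worked on, and then runs the text-string search over the copy (the same search would be run over the four WBEM repository files once they are pulled out of the image). The sample "drive" is a constructed 4 KiB file with two planted strings so the script runs offline; on a real case the source would be the drive in the USB enclosure, opened read-only (ideally through a hardware write-blocker), and the file names here are assumptions. GNU grep and coreutils (dd, sha256sum or shasum) are assumed.

```shell
#!/bin/sh
# Added example: image a suspect drive bit-for-bit, hash source and copy,
# verify the copy, then string-search the COPY, never the original.
# Paths and the sample "drive" below are assumptions for illustration.

set -u

# SHA-256 of a file as a bare hex string (sha256sum, or shasum where absent).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Bit-for-bit copy of $1 into $2; hashes of both are written to $3.
# conv=noerror,sync keeps reading past bad sectors and pads them with zeros
# so the image keeps the source's size. Returns non-zero if the hashes differ.
image_disk() {
    src=$1; img=$2; log=$3
    before=$(hash_file "$src")
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    after=$(hash_file "$img")
    printf 'source %s\nimage  %s\n' "$before" "$after" > "$log"
    [ "$before" = "$after" ]
}

# Before any work on the copy, confirm it still matches the recorded hash.
verify_image() {
    img=$1; log=$2
    [ "$(hash_file "$img")" = "$(awk '/^image/ {print $2}' "$log")" ]
}

# Literal text-string search over an image or an extracted file such as the
# WBEM repository files: prints "byte-offset:match" per hit.
# -a treats binary as text, -F takes the needle literally, -b -o reports the
# offset of the match itself (GNU grep).
search_image() {
    img=$1; needle=$2
    grep -a -b -o -F -- "$needle" "$img" || true
}

# Constructed sample "drive": 4 KiB of zeros with two planted strings
# (assumed data, so the script runs without a real device).
make_sample_disk() {
    out=$1
    dd if=/dev/zero of="$out" bs=512 count=8 2>/dev/null
    printf 'user=gts\n' | dd of="$out" bs=1 seek=1000 conv=notrunc 2>/dev/null
    printf 'pass=gts\n' | dd of="$out" bs=1 seek=3000 conv=notrunc 2>/dev/null
}

demo() {
    work=$(mktemp -d)
    make_sample_disk "$work/suspect.dd"
    if image_disk "$work/suspect.dd" "$work/evidence.img" "$work/evidence.sha256"; then
        echo "image hash matches source"
    fi
    if verify_image "$work/evidence.img" "$work/evidence.sha256"; then
        echo "image intact, safe to work on the copy"
    fi
    echo "hits for 'gts' (offset:match):"
    search_image "$work/evidence.img" gts
    rm -rf "$work"
}

# Run with: sh image_and_search.sh run
if [ "${1-}" = "run" ]; then
    demo
fi
```

The hash log is the piece worth keeping next to the burned copies: anyone who later receives the image can recompute the hash and show it is the same bytes that came off the drive, which is what makes the copy usable as evidence rather than just a backup.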

    This archive was generated by hypermail 2.1.5 : Fri Feb 21 2003 - 22:07:42 MST