From: gts (gts_2000@yahoo.com)
Date: Fri Feb 21 2003 - 22:05:16 MST
Thanks for this excellent advice, Alex.
I'll try to remember to report back here after a full virus scan and
text search of the suspect files.
-gts
From: "Alex Future Bokov" <alexboko@umich.edu>
X-Mailer: YaBB
If you want to gather forensic-quality evidence, before you touch the computer any further, turn it off and don't turn it back on until you've done the following: buy an external USB drive-casing. They sell on eBay for ~$60, probably a few dozen bucks more at BestBuy. Get a copy of Norton Ghost. Find a clean computer and install Norton Ghost on it. Rip the HD out of your old computer, install it inside the USB casing, hook it up to the clean computer. Run Norton Ghost on it and make an exact bit-image of it. Burn the image to as many CD-R's as it takes. Now, no matter what you do to the HD, the original evidence will always be there in case you need to consult a forensic expert, press charges, think of a new approach to sleuthing this out, etc.
Now, here are a few things to try:
<quote>
- c:\windows\system32\wbem\repository\fs\index.btr
- c:\windows\system32\wbem\repository\fs\objects.map.new
- c:\windows\system32\wbem\repository\fs\index.map.new
- c:\windows\system32\wbem\repository\fs\objects.data
</quote>
Do a text-string search on these files for your login and/or password and/or a string whose *exact* typing you're absolutely certain of.
I know you already have Norton Antivirus or some equivalent, but run a full scan on the compromised HD anyway. Full scan-- data, archives, every single file, not just the execs. And tell it not to repair problems-- just scan.
Two popular trojans are BackOrifice (http://www.cultdeadcow.com/tools/bo.html) and NetBus (hard to find ON PURPOSE, but probably out there in google-land someplace). Download the distros, read the manuals, see if this gives you any further insights into what to look for and where.
If you're very lucky, in the process of digging through what's left of your drive, you may find incriminating IP addresses, email addresses, or other clues. Good luck!
PS: the USB enclosure and Ghost are money/effort well spent-- they're a VERY effective combo for data backups and troubleshooting. No matter how fuX0r3d you manage to get your machine, from now on you'll always be able to pop the drive into the USB enclosure and blow the last known good ghost image onto it... and/or recover whatever it is that's on it.
---- This message was posted by Alex Future Bokov to the Extropians 2003 board on ExI BBS. <http://www.extropy.org/bbs/index.php?board=67;action=display;threadid=54922>
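The text-string search Alex recommends against the WBEM repository files is easy to get wrong on Windows, because many system files store strings as UTF-16LE (each ASCII character followed by a null byte), so a plain byte search for "gts" misses those copies. The following script is an added example, not code from the thread or any tool mentioned in it. It searches a file (or an in-memory copy) for an exact string in both ASCII and UTF-16LE, reports each hit with its offset and a little surrounding context, and records the SHA-256 of the file it searched so the examiner can show the copy searched matches the bit-image. The file paths, sample bytes and the login string "gts" in the demo are constructed for illustration.

```python
"""Exact-string search over binary files in ASCII and UTF-16LE (added example)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Iterator, NamedTuple


class Hit(NamedTuple):
    path: str       # file the hit was found in
    offset: int     # byte offset of the match start
    encoding: str   # "ascii" or "utf-16le"
    context: bytes  # raw bytes around the match, for the examiner's notes


def encodings_for(needle: str) -> dict[str, bytes]:
    """Byte patterns to look for. Windows system files frequently hold
    strings as UTF-16LE, so both forms are searched."""
    return {
        "ascii": needle.encode("ascii"),
        "utf-16le": needle.encode("utf-16-le"),
    }


def find_all(haystack: bytes, needle: bytes) -> Iterator[int]:
    """Yield every (possibly overlapping) offset of needle in haystack."""
    i = haystack.find(needle)
    while i != -1:
        yield i
        i = haystack.find(needle, i + 1)


def sha256_hex(data: bytes) -> str:
    """Fingerprint of the exact bytes searched, for the evidence log."""
    return hashlib.sha256(data).hexdigest()


def search_bytes(data: bytes, needle: str, path: str = "<memory>",
                 context: int = 16) -> list[Hit]:
    """Exact (case-sensitive) search, as the thread advises: the string must
    be one whose typing you are certain of."""
    hits = []
    for enc, pattern in encodings_for(needle).items():
        for off in find_all(data, pattern):
            lo = max(0, off - context)
            hi = min(len(data), off + len(pattern) + context)
            hits.append(Hit(path, off, enc, data[lo:hi]))
    return sorted(hits, key=lambda h: h.offset)


def search_file(path: Path, needle: str) -> tuple[str, list[Hit]]:
    """Read a file from the (mounted, read-only) image and search it.
    Returns the file's SHA-256 alongside the hits. Repository files such as
    objects.data are tens of MB, so reading them whole is acceptable."""
    data = path.read_bytes()
    return sha256_hex(data), search_bytes(data, needle, str(path))


# Constructed sample: an ASCII "login=gts" followed by a UTF-16LE "gts".
SAMPLE = (b"\x00" * 10 + b"login=gts" + b"\x00" * 5
          + "gts".encode("utf-16-le") + b"\xff" * 4)


def demo() -> list[Hit]:
    """Write the constructed sample to a temp file (standing in for a file
    copied out of the image) and search it for the login string."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "objects.data"   # constructed path
        target.write_bytes(SAMPLE)
        digest, hits = search_file(target, "gts")
        print(f"searched {target.name} sha256={digest}")
        for h in hits:
            print(f"  offset {h.offset:#010x} [{h.encoding}] {h.context!r}")
        return hits


if __name__ == "__main__":
    demo()
```

Run it against each file Alex lists, with the drive mounted read-only from the image rather than the original disk; a hit in the "utf-16le" column is exactly the kind a naive ASCII search would have reported as absent.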
This archive was generated by hypermail 2.1.5 : Fri Feb 21 2003 - 22:07:42 MST