Guest sweathog Posted March 17, 2008

4 firewalls/antivirus products in one month. I've come to the conclusion that there is no security on the internet beyond unplugging your machines permanently. I reformatted 3 computers 5 times, reinstalled Windows XP SP2 and updated, and even went so far as to change the MAC addresses on the network cards. Within days Windows system security settings and product firewalls would change and it would be downhill from there, not counting the money spent.

In conclusion I've had to cancel my personal ISP and email account. What was happening was that I would get these trial versions of security software, both downloaded and on CDs, like them, buy them using HTTPS, and then they would send me email confirmation and a link to download the full versions.

Someone had cracked my email and was sending me to spoofed websites. It didn't matter how often I would reformat and reinstall the OS after I found this out and NOT use the email.

My question is how is this possible that this hacker could still track me?
Guest PA Bear [MS MVP] Posted March 17, 2008

So How Did I Get Infected Anyway?
http://www.wilderssecurity.com/showthread.php?t=27971

--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/
Guest sweathog Posted March 18, 2008

It is really as I said, there is no security, if this is all Microsoft has as an answer. Watch your ActiveX when downloading free programs.... big deal! How about wuacle.exe, which is the Windows Update program, being modified right from a clean format and install, after you're done with the installation CD. You need the ActiveX to run that and you certainly need the updates. How about including the 92 security patches in new OS installation CDs so you don't have to go on-line to get them, as a solution instead. I'd buy a Mac if I was certain that it couldn't also be DNS cache poisoning. To hell with it, don't bother replying.

sweathog
Guest Shenan Stanley Posted March 18, 2008

sweathog wrote:
> It is really as I said, there is no security, if this is all Microsoft has as an answer. Watch your ActiveX when downloading free programs.... big deal! How about wuacle.exe, which is the Windows Update program, being modified right from a clean format and install, after you're done with the installation CD. You need the ActiveX to run that and you certainly need the updates.

You can be hacked in any number of ways - however - given your first post - either you are being targeted by someone specifically for some vindictive reason and your skill-set is not enough to match wits with their tools, or just the latter. ;-P

> How about including the 92 security patches in new OS installation CDs so you don't have to go on-line to get them, as a solution instead.

Can be done by you, someone with the ability to follow directions and a CD burner, or in some cases - many more patches are already included in some versions of the CD you can buy.

> I'd buy a Mac if I was certain that it couldn't also be DNS cache poisoning.

Go ahead - you'll probably run Windows on it as well - most current Mac users do. ;-)

> To hell with it, don't bother replying.

Why not?

You are - as I said - either being targeted and/or don't have the skills necessary to prevent being hacked. You either are missing something more obvious each time you supposedly 'start fresh' or whoever is targeting you has inside information that allows them to take over.

With a decent and properly configured NAT router, the Windows Firewall, a good and properly obtained and updated antivirus and no 'questionable' applications installed (trusted apps only, original installation media, etc.) - what you say is happening to you would not happen without a slip-up on your part or someone who has inside access already.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
Guest BoaterDave Posted March 18, 2008

Will Windows XP SP3, when available, help in this regard? Will SP3 be available on a CD .......... anyone know?

TIA.

BD

"Shenan Stanley" wrote:
> With a decent and properly configured NAT router, the Windows Firewall, a good and properly obtained and updated AntiVirus and no 'questionable' applications installed (trusted apps only, original installation media, etc.) - what you say is happening to you would not happen without a slip up on your part or someone who has inside access already.
Guest sweathog Posted March 18, 2008

I'm sorry, I'm way beyond frustrated. I have no difficulty in admitting the opposition is much better than I in wits and skill. This isn't my trade.

Okay, to continue... the only way I could get all the 92 Windows Update patches was with a fixed IP address at work and behind their firewall. After that... use of any dynamic IP address, with MAC address changed, just wouldn't remain secure. And with further formats and reinstalls I'd just get failures to install certain patches, that is with the Norton 360 CD loaded as well as Kaspersky's 2008 loaded and installed at different times. Trend Micro and PC Tools I had downloaded. (And yes, I also have a D-Link 604 router.)

I don't download any crap. Period. We're talking one authentic Windows XP and its updates and one firewall/antivirus and its updates. NO FURTHER SURFING AT ALL.
Guest Kerry Brown Posted March 19, 2008

It sounds like your router may have been compromised.

Unplug one of your computers from the router. Do a clean install of Windows on this computer, making sure you delete all partitions then recreate them during the install. Leave this computer unplugged from the router. Don't worry about updating it just yet. On a different computer download the latest firmware for your router. Burn this file to a CD or copy it to a flash drive. Make sure there are no other files on the CD or flash drive. Unplug all of the computers from the router. Unplug the router from the Internet. Reset the router to the factory defaults. Plug in the computer with the fresh Windows install. Use it to flash the router with the downloaded firmware. Reset the router again. Set a password for the admin account. Plug the router back in to the Internet and update this computer. Do not plug in any of the other computers until they have been wiped clean and a fresh install of Windows done.

The key is to flash the router with a clean computer then set a password on the router before reconnecting to the Internet.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
Guest Kerry Brown Posted March 19, 2008

I forgot to add - turn off UPnP on the router after you flash it, reset it, and add an admin password.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
Guest BoaterDave Posted March 19, 2008

Hello Kerry Brown

I feel there is much merit in what you say. FYI I did raise this topic here http://aumha.net/viewtopic.php?t=26677&sta...=asc&highlight= before I became persona non grata at AumHa.

Are you aware of any way to check whether or not a router has been compromised - before one follows the procedure you have outlined?

I should be interested to learn more about this subject. Do you (or anyone else reading here) have any pointers as to where to begin?

I found this item which I found interesting - others may too:
http://www.pcadvisor.co.uk/news/index.cfm?newsid=12026

A fairly recent news item here, too:
http://www.pcpro.co.uk/news/173883/chinese...r-firmware.html

--
Dave
Guest Shenan Stanley Posted March 19, 2008

Entire Conversation:
http://groups.google.com/group/microsoft.p...c31fc709607cf76

Kerry Brown wrote:
> It sounds like your router may have been compromised.
>
> Unplug one of your computers from the router. Do a clean install of
> Windows on this computer making sure you delete all partitions then
> recreate them during the install. Leave this computer unplugged
> from the router. Don't worry about updating it just yet. On a
> different computer download the latest firmware for your router.
> Burn this file to a CD or copy it to a flash drive. Make sure there
> are no other files on the CD or flash drive. Unplug all of the
> computers from the router. Unplug the router from the Internet.
> Reset the router to the factory defaults. Plug in the computer with
> the fresh Windows install. Use it to flash the router with the
> downloaded firmware. Reset the router again. Set a password for the
> admin account. Plug the router back in to the Internet and update
> this computer. Do not plug in any of the other computers until they
> have been wiped clean and a fresh install of Windows done.
> The key is to flash the router with a clean computer then set a
> password on the router before reconnecting to the Internet.

BoaterDave wrote:
> I feel there is much merit in what you say. FYI I did raise this
> topic here
> http://aumha.net/viewtopic.php?t=26677&sta...=asc&highlight=
> before I became persona non grata at AumHa.
> Are you aware of any way to check whether or not a router has been
> compromised - before one follows the procedure you have outlined?
> I should be interested to learn more about this subject. Do you (or
> anyone else reading here) have any pointers as to where to begin?
>
> I found this item which I found interesting - others may too:-
> http://www.pcadvisor.co.uk/news/index.cfm?newsid=12026
>
> A fairly recent news item here, too:
> http://www.pcpro.co.uk/news/173883/chinese...r-firmware.html

While I know of no way to find out if a router has been compromised - if
there is even one ounce of suspicion that it could have been compromised -
it would be better to reset the router to defaults, set a new password
(strong one) on it, leave remote management turned off, make sure wireless
(if a feature of said router) is using WPA or WPA2 at least for security,
etc.

What makes that even better is doing that 'offline' - the router does not
need an Internet connection for any of that.

In this particular case (that where the original poster seems to have been
targeted in some way - or overlooking some part of re-securing their
entire system (not just the computer)) - the advice is spot-on in my
opinion. Start from the first piece of equipment you can control and work
your way through to the last - keeping them all 'offline' until you have
changed the setup on all of them and secured them to the best of your
ability.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
Guest Kerry Brown Posted March 20, 2008

"Shenan Stanley" <newshelper@gmail.com> wrote in message news:OJfVl4fiIHA.1204@TK2MSFTNGP03.phx.gbl...
> [snip]

There are currently two exploits for routers I know of. They both change the
DNS servers the router uses to compromised DNS servers. This means whatever
URL you type in isn't necessarily where you end up. They can use the
compromised DNS servers to send you wherever they want. You type in
www.google.com and end up at some malware site that tries every trick in the
book to get more malware on your computer, or more likely a site that is full
of advertising where you are enticed to click on ad links while trying to
get to where you wanted to go in the first place. It's a vicious circle.
Every legitimate site you try to go to, you're redirected to a non-legitimate
site. They can even let you get to legitimate online AV sites to scan the
computer. Because the router is compromised, not the computer, all the AV
scans come up negative. The original trojan that compromised the router has
long since erased itself.

One exploit is a trojan that probes common IP addresses for a router. If it
finds one it takes advantage of the fact that most people never set a
password on the router and reprograms the DNS settings. The trojan tries a
few common passwords as well as no password. Setting a strong password on
the router admin account stops this exploit.

The other exploit uses a flaw in some older versions of Flash to change the
router's DNS settings via UPnP. All they have to do is trick you into
watching an infected Flash video. You go to what looks like a normal website
with some streaming video. While watching the video your router is
reprogrammed. Keeping Flash up to date and/or turning off UPnP on the router
stops this exploit.

Doing a hard reset of the router is probably enough to fix a changed DNS
setting. I have seen a couple of cases on networks that had highly
compromised computers where someone or something had tried to flash the
router unsuccessfully and the router was toast. This tells me there may be
an exploit that tries to flash a router. That's why I recommended flashing
the router.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
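BoaterDave asked above whether a compromised router can be spotted before going through the full reflash procedure, and Kerry's post explains why the usual checks miss it: the PC is clean, it is the router's DNS setting that was rewritten. As an added example (not code from the thread or from any of its posters), here is a small Python script that reads the resolvers a Windows client actually received from the router and flags any that are neither the router itself, a LAN address, nor one of the ISP's published resolvers. The `ipconfig /all` sample, the allowlist network 198.51.100.0/24 and the rogue address 203.0.113.45 are all constructed for the example.

```python
"""Client-side check for a router whose DNS setting has been hijacked.

Added example, not code from the thread. The router attacks described above
leave the PC untouched and rewrite the DNS servers the router hands out over
DHCP, so reinstalling Windows never helps. The quickest client-side test is
to read the resolvers the machine received (`ipconfig /all` on Windows) and
compare them with a known-good allowlist. Everything here runs offline on a
constructed sample; the addresses and the allowlist are made up.
"""
import ipaddress
import re

# Constructed sample of `ipconfig /all` output. 203.0.113.45 plays the part
# of an attacker-controlled resolver the router has been reprogrammed to
# hand out; it is a documentation address, not a real resolver.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.45
"""

# Hypothetical allowlist: the resolvers your ISP publishes on its support page.
KNOWN_GOOD_RESOLVERS = ["198.51.100.0/24"]

# RFC 1918 ranges only. ipaddress.is_private is deliberately not used because
# it also reports documentation ranges such as 203.0.113.0/24 as private.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_ipconfig(text):
    """Return (default_gateway, [dns_servers]) from `ipconfig /all` text.

    Extra resolvers appear on continuation lines holding only an address,
    so those are collected until a different field starts.
    """
    gateway = None
    dns_servers = []
    in_dns_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Default Gateway"):
            match = IPV4_RE.search(line)
            gateway = match.group(1) if match else None
            in_dns_block = False
        elif line.startswith("DNS Servers"):
            match = IPV4_RE.search(line)
            dns_servers = [match.group(1)] if match else []
            in_dns_block = True
        elif in_dns_block and IPV4_RE.fullmatch(line):
            dns_servers.append(line)
        else:
            in_dns_block = False
    return gateway, dns_servers


def classify_resolver(addr, gateway, allowlist):
    """'ok' for the router or an allowlisted resolver, 'review' for another
    LAN host, 'suspicious' for any other public address."""
    ip = ipaddress.ip_address(addr)
    if addr == gateway or any(ip in net for net in allowlist):
        return "ok"
    if any(ip in net for net in LAN_NETS):
        return "review"
    return "suspicious"


def audit_dns(text, known_good):
    """Audit every resolver in an ipconfig dump: (gateway, {addr: verdict})."""
    allowlist = [ipaddress.ip_network(n) for n in known_good]
    gateway, dns_servers = parse_ipconfig(text)
    verdicts = {addr: classify_resolver(addr, gateway, allowlist)
                for addr in dns_servers}
    return gateway, verdicts


if __name__ == "__main__":
    gw, verdicts = audit_dns(SAMPLE_IPCONFIG, KNOWN_GOOD_RESOLVERS)
    print(f"gateway: {gw}")
    for addr, verdict in verdicts.items():
        print(f"  {addr:<16} {verdict}")
    if "suspicious" in verdicts.values():
        print("A resolver outside the router, LAN and ISP list: check the "
              "router's DNS settings from a clean machine.")
```

On a real machine, save `ipconfig /all` to a file and pass its contents to `audit_dns` with your ISP's resolvers in the allowlist. One caveat worth knowing: when the only resolver listed is the router itself (the common home setup), the client sees nothing wrong even if the router's own upstream DNS entries were changed, so the check must be repeated on the router's admin page, ideally after the offline reset and password change Shenan and Kerry describe.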
Guest BoaterDave Posted March 20, 2008

Thank you both Shenan and Kerry.

Here's an item which supports all that you have said:-
http://www.theregister.co.uk/2008/01/23/ph...ck_in_the_wild/

Just like the OP, I think I have visited this situation personally in the
past (whilst deliberately 'looking for trouble'). I'll continue to study!

--
BD
Guest sweathog Posted March 20, 2008

Thanks for the help all you guys...but flashing the router was one of the
first things I tried, and you are correct, the router is now toast; somehow
the mac address of it went to 00 00 00 00 00 00 and it won't let me back
in...although it still passes traffic.

A few other symptoms: when I first noticed the problem the usb mouse would
freeze (nothing wrong with the mouse); quickly switching usb ports would
reactivate it. Thought it was a hardware problem because the connection to
the motherboard was a bit sloppy... problem went away for a month. Problem
returned after that but this time the usb connection was solid.

When I tried to pay for the pctools product using https the web page would
appear back as transaction incomplete; the credit card showed 4 copies of
the product.

Anyways I've had to change credit card, cancel isp and email and I've had
enough...thanks for your time and interest.

I live in an isolated community way in the bush; people come to me to fix
their computers. No one has complained yet and the machines were clean, but
yesterday I had to go to a big city some 400 miles away. While doing some
business, there were 4 or 5 customers with me waiting in line to be served.
Got to talking computers; 3 of them said that they were doing the same as
me: unplugging the machines. One young fellow said "So what? Don't bother
with firewalls, viruses, etc., etc. Just reformat once a month, who cares
what is on the machine."

"Kerry Brown" wrote:
> [snip]
Guest Kerry Brown Posted March 20, 2008

Reformatting once a month is a bit drastic. Keeping all your programs up to
date, including an AV, and using common sense when surfing is sufficient for
most people. Router exploits are thankfully quite rare and easily protected
against so far.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/

"sweathog" <sweathog@discussions.microsoft.com> wrote in message news:F7633108-893C-42CE-8DEC-AD614EC02024@microsoft.com...
> [snip]
Guest jen Posted March 20, 2008

Have you read these reports?

Hacking The Interwebs:
http://www.gnucitizen.org/blog/hacking-the-interwebs/
Holes in Embedded Devices: Authentication bypass (pt 4):
http://www.gnucitizen.org/blog/holes-in-em...on-bypass-pt-4/
Router Hacking Challenge:
http://www.gnucitizen.org/projects/router-hacking-challenge/

-jen

"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c a m> wrote in message news:260FDF05-7954-411E-8B8D-36FE5F905C4D@microsoft.com...
> [snip]
Guest Kerry Brown Posted March 20, 2008

I am aware of those possible exploits. Have you seen them in the wild? I haven't. They would require quite an involved program to figure out what router and firmware revision was in use. AFAIK most current routers have firmware updates available to protect against some of this. The exploits are certainly possible. If they are possible I'm sure malware authors are working on exploiting them. How successful they will be remains to be seen. The only exploits I've seen in the wild are the two I mentioned in an earlier post. Both are easily stopped. In the future this may not be true.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/

"jen" <jen@example.com> wrote in message news:uWE4gtriIHA.5280@TK2MSFTNGP02.phx.gbl...
> Have you read these reports?
>
> Hacking The Interwebs:
> http://www.gnucitizen.org/blog/hacking-the-interwebs/
> Holes in Embedded Devices: Authentication bypass (pt 4):
> http://www.gnucitizen.org/blog/holes-in-em...on-bypass-pt-4/
> Router Hacking Challenge:
> http://www.gnucitizen.org/projects/router-hacking-challenge/
>
> -jen
>
> "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c a m> wrote in message news:260FDF05-7954-411E-8B8D-36FE5F905C4D@microsoft.com...
>> Reformatting once a month is a bit drastic. Keeping all your programs up to date including an AV, and using common sense when surfing, is sufficient for most people. Router exploits are thankfully quite rare and easily protected against so far.
>>
>> --
>> Kerry Brown
>> MS-MVP - Windows Desktop Experience: Systems Administration
>> http://www.vistahelp.ca/phpBB2/
>>
>> "sweathog" <sweathog@discussions.microsoft.com> wrote in message news:F7633108-893C-42CE-8DEC-AD614EC02024@microsoft.com...
>>> Thanks for the help all you guys...but flashing the router was one of the first things I tried, and you are correct, the router is now toast; somehow the MAC address of it went to 00 00 00 00 00 00 and it won't let me back in...although it still passes traffic.
>>>
>>> A few other symptoms: when I first noticed the problem the USB mouse would freeze (nothing wrong with the mouse); quickly switching USB ports would reactivate it. Thought it was a hardware problem because the connection to the motherboard was a bit sloppy... problem went away for a month. Problem returned after that, but this time the USB connection was solid.
>>>
>>> When I tried to pay for the PC Tools product using https the web page would come back as transaction incomplete; the credit card showed 4 copies of the product.
>>>
>>> Anyways I've had to change credit card, cancel ISP and email and I've had enough...thanks for your time and interest.
>>>
>>> I live in an isolated community way in the bush; people come to me to fix their computers. No one complained yet and the machines were clean, but yesterday I had to go to a big city some 400 miles away. While doing some business, there were 4 or 5 customers with me waiting in line to be served. Got to talking computers; 3 of them said that they were doing the same as me, unplugging the machines. One young fellow said "So what? Don't bother with firewalls, viruses, etc., etc. Just reformat once a month, who cares what is on the machine."
>>>
>>> "Kerry Brown" wrote:
>>>
>>>> "Shenan Stanley" <newshelper@gmail.com> wrote in message news:OJfVl4fiIHA.1204@TK2MSFTNGP03.phx.gbl...
>>>> > Entire Conversation:
>>>> > http://groups.google.com/group/microsoft.p...c31fc709607cf76
>>>> >
>>>> > Kerry Brown wrote:
>>>> >> It sounds like your router may have been compromised.
>>>> >>
>>>> >> Unplug one of your computers from the router. Do a clean install of Windows on this computer, making sure you delete all partitions then recreate them during the install. Leave this computer unplugged from the router. Don't worry about updating it just yet. On a different computer download the latest firmware for your router. Burn this file to a CD or copy it to a flash drive. Make sure there are no other files on the CD or flash drive. Unplug all of the computers from the router. Unplug the router from the Internet. Reset the router to the factory defaults. Plug in the computer with the fresh Windows install. Use it to flash the router with the downloaded firmware. Reset the router again. Set a password for the admin account. Plug the router back in to the Internet and update this computer. Do not plug in any of the other computers until they have been wiped clean and a fresh install of Windows done.
>>>> >> The key is to flash the router with a clean computer, then set a password on the router before reconnecting to the Internet.
>>>> >
>>>> > BoaterDave wrote:
>>>> >> I feel there is much merit in what you say. FYI I did raise this topic here
>>>> >> http://aumha.net/viewtopic.php?t=26677&sta...=asc&highlight=
>>>> >> before I became persona non grata at AumHa.
>>>> >> Are you aware of any way to check whether or not a router has been compromised - before one follows the procedure you have outlined?
>>>> >> I should be interested to learn more about this subject. Do you (or anyone else reading here) have any pointers as to where to begin?
>>>> >>
>>>> >> I found this item which I found interesting - others may too:-
>>>> >> http://www.pcadvisor.co.uk/news/index.cfm?newsid=12026
>>>> >>
>>>> >> A fairly recent news item here, too:
>>>> >> http://www.pcpro.co.uk/news/173883/chinese...r-firmware.html
>>>> >
>>>> > While I know of no way to find out if a router has been compromised - if there is even one ounce of suspicion that it could have been compromised - it would be better to reset the router to defaults, set a new password (a strong one) on it, leave remote management turned off, make sure wireless (if a feature of said router) is using WPA or WPA2 at least for security, etc.
>>>> >
>>>> > What makes that even better is doing that 'offline' - the router does not need an Internet connection for any of that.
>>>> >
>>>> > In this particular case (that where the original poster seems to have been targeted in some way - or overlooking some part of re-securing their entire system (not just the computer)) - the advice is spot-on in my opinion. Start from the first piece of equipment you can control and work your way through to the last - keeping them all 'offline' until you have changed the setup on all of them and secured them to the best of your ability.
>>>> >
>>>>
>>>> There are currently two exploits for routers I know of. They both change the DNS servers the router uses to compromised DNS servers. This means whatever URL you type in isn't necessarily where you end up. They can use the compromised DNS servers to send you wherever they want. You type in www.google.com and end up at some malware site that tries every trick in the book to get more malware on your computer, or more likely a site that is full of advertising where you are enticed to click on ad links while trying to get to where you wanted to go in the first place. It's a vicious circle. Every legitimate site you try to go to, you're redirected to a non-legitimate site. They can even let you get to legitimate online AV sites to scan the computer. Because the router is compromised, not the computer, all the AV scans come up negative. The original trojan that compromised the router has long since erased itself.
>>>>
>>>> One exploit is a trojan that probes common IP addresses for a router. If it finds one it takes advantage of the fact that most people never set a password on the router and reprograms the DNS settings. The trojan tries a few common passwords as well as no password. Setting a strong password on the router admin account stops this exploit.
>>>>
>>>> The other exploit uses a flaw in some older versions of Flash to change the router's DNS settings via UPnP. All they have to do is trick you into watching an infected Flash video. You go to what looks like a normal website with some streaming video. While watching the video your router is reprogrammed. Keeping Flash up to date and/or turning off UPnP on the router stops this exploit.
>>>>
>>>> Doing a hard reset of the router is probably enough to fix a changed DNS setting. I have seen a couple of cases on networks that had highly compromised computers where someone or something had tried to flash the router unsuccessfully and the router was toast. This tells me there may be an exploit that tries to flash a router. That's why I recommended flashing the router.
>>>>
>>>> --
>>>> Kerry Brown
>>>> MS-MVP - Windows Desktop Experience: Systems Administration
>>>> http://www.vistahelp.ca/phpBB2/
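The second exploit quoted in the post above works because the router's UPnP control interface is reachable from anything running on a LAN client, a Flash movie in a browser included. Kerry's fix is to turn UPnP off in the router; the script below is an added example (not code from the thread or from any poster) of how to confirm that from a client afterwards: it sends a standard SSDP M-SEARCH to the UPnP multicast group and reports which hosts answer and what device-description URL they advertise. The reply datagram, the `igd.xml` location, the SERVER string and the USN are constructed for the offline part of the example; the live `discover()` call needs to run on the LAN in question. Note the check is necessary rather than sufficient: a router that ignores discovery may still accept SOAP control requests at a control URL an attacker already knows, so the admin page setting is the thing to verify, and this only confirms it took effect.

```python
"""Check whether the router still answers UPnP discovery from the LAN.

After turning UPnP off in the router's admin pages, an SSDP M-SEARCH sent to
239.255.255.250:1900 should get no reply from the router's LAN address.
"""
import socket

SSDP_GROUP = ("239.255.255.250", 1900)


def build_msearch(search_target="upnp:rootdevice", mx=2):
    """Build an SSDP M-SEARCH datagram (UPnP Device Architecture 1.0 discovery request)."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        "HOST: 239.255.255.250:1900\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {search_target}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp_response(raw):
    """Parse an SSDP reply into lower-cased headers; None unless it is an HTTP/1.1 200 reply."""
    text = raw.decode("ascii", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def summarize(headers, source_ip):
    """Keep what matters: who answered, where its device description is, what stack it runs."""
    return {
        "from": source_ip,
        "location": headers.get("location"),
        "server": headers.get("server"),
        "st": headers.get("st"),
    }


def discover(timeout=3.0):
    """Send one M-SEARCH and collect every reply until the timeout (live; needs the LAN)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_msearch(), SSDP_GROUP)
        while True:
            data, (ip, _port) = sock.recvfrom(65535)
            headers = parse_ssdp_response(data)
            if headers is not None:
                found.append(summarize(headers, ip))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


def router_exposes_upnp(replies, router_ip):
    """True if the router itself answered discovery, i.e. UPnP is still on."""
    return any(r["from"] == router_ip for r in replies)


# Constructed reply of the kind a consumer gateway sends; not captured from a real device.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    b"SERVER: Linux/2.4, UPnP/1.0, igd/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:example-igd-0001::upnp:rootdevice\r\n"
    b"\r\n"
)
# A multicast NOTIFY is not an answer to our search and must be ignored.
SAMPLE_NOTIFY = b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNTS: ssdp:alive\r\n\r\n"


def demo():
    """Offline run over the constructed datagrams; returns (summary, exposed?)."""
    summary = summarize(parse_ssdp_response(SAMPLE_REPLY), "192.168.1.1")
    return summary, router_exposes_upnp([summary], "192.168.1.1")


if __name__ == "__main__":
    summary, exposed = demo()
    print(summary, "exposed:", exposed)
    for reply in discover():  # live scan of the LAN you are on
        print(reply)
```

When the live scan does list the router, the LOCATION URL is the device description; fetching it shows the services the router exposes (on a home gateway typically WANIPConnection or WANPPPConnection, which carry the port-mapping and address-configuration actions), and that is what should disappear once UPnP is disabled. A host firewall that drops unsolicited UDP will also hide replies, so run the check with it off once to be sure a silent result means the router is silent.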
Guest jen Posted March 20, 2008

When you get time, you may be interested in these two podcasts.

GNUCITIZEN on PaulDotCom: The best security podcast on the Web.
http://media.libsyn.com/media/pauldotcom/p...ITIZENpart1.mp3
http://media.libsyn.com/media/pauldotcom/p...ITIZENpart2.mp3
http://www.gnucitizen.org/blog/gnucitizen-on-pauldotcom/

-jen

"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c a m> wrote in message news:8CEFAE8B-E1C7-41DA-96C6-59ABE7976434@microsoft.com...
> I am aware of those possible exploits. Have you seen them in the wild? I haven't. They would require quite an involved program to figure out what router and firmware revision was in use. AFAIK most current routers have firmware updates available to protect against some of this. The exploits are certainly possible. If they are possible I'm sure malware authors are working on exploiting them. How successful they will be remains to be seen. The only exploits I've seen in the wild are the two I mentioned in an earlier post. Both are easily stopped. In the future this may not be true.
>
> --
> Kerry Brown
> MS-MVP - Windows Desktop Experience: Systems Administration
> http://www.vistahelp.ca/phpBB2/
Guest BoaterDave Posted March 22, 2008

Do you, by any chance, have a Hewlett Packard printer?

Dave

"sweathog" <sweathog@discussions.microsoft.com> wrote in message news:7D3BFB82-ACC8-4E18-BF8B-55772D9EA4C4@microsoft.com...
> It is really as I said, there is no security. If this is all Microsoft has as an answer. Watch your ActiveX when downloading free programs.... big deal!
> How about wuacle.exe, which is the Windows Update program, being modified right from a clean format and install, after you're done with the installation CD. You need the ActiveX to run that and you certainly need the updates.
>
> How about including the 92 security patches in new OS installation CDs so you don't have to go on-line to get them, as a solution instead.
>
> I'd buy a Mac if I was certain that it couldn't also be DNS cache poisoning.
>
> To hell with it, don't bother replying.
>
> sweathog
>
> "PA Bear [MS MVP]" wrote:
>
>> So How Did I Get Infected Anyway?
>> http://www.wilderssecurity.com/showthread.php?t=27971
>> --
>> ~Robear Dyer (PA Bear)
>> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
>> AumHa VSOP & Admin http://aumha.net
>> DTS-L http://dts-l.net/
Guest BoaterDave Posted March 22, 2008

Thank you, Jen. I listened to all. Very interesting. (and frightening, too!)

BD

"jen" <jen@example.com> wrote in message news:ODnOrusiIHA.6092@TK2MSFTNGP06.phx.gbl...
> When you get time, you may be interested in these two podcasts.
> GNUCITIZEN on PaulDotCom: The best security podcast on the Web.
> http://media.libsyn.com/media/pauldotcom/p...ITIZENpart1.mp3
> http://media.libsyn.com/media/pauldotcom/p...ITIZENpart2.mp3
> http://www.gnucitizen.org/blog/gnucitizen-on-pauldotcom/
>
> -jen