man in the middle

sweathog

4 firewalls/antivirus products in one month. I've come to the conclusion that
there is no security on the internet beyond unplugging your machines
permanently. I reformatted 3 computers 5 times, reinstalled Windows XP
SP2 and updated, and even went so far as to change the MAC addresses on the
network cards. Within days Windows system security settings and product
firewalls would change and it would be downhill from there, not counting the
money spent.

In conclusion I've had to cancel my personal ISP and email account. What was
happening was that I would get these trial versions of security software, both
downloaded and on CDs, like them, buy them using HTTPS, and then they would send
me email confirmation and a link to download the full versions.

Someone had cracked my email and was sending me to spoofed websites. It
didn't matter how often I would reformat and reinstall the OS after I found
this out and NOT use the email.

My question is how is this possible that this hacker could still track me?
 
PA Bear [MS MVP]

So How Did I Get Infected Anyway?
http://www.wilderssecurity.com/showthread.php?t=27971
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

sweathog

It is really as I said, there is no security. If this is all Microsoft has as
an answer. Watch your ActiveX when downloading free programs.... big deal!
How about wuacle.exe which is the Windows Update program being modified right
from a clean format and install, after you're done with the installation CD. You
need the ActiveX to run that and you certainly need the updates.

How about including the 92 security patches in new OS installation CDs so you
don't have to go on-line to get them as a solution instead.

I'd buy a Mac if I was certain that it couldn't also be DNS cache poisoning.

To hell with it, don't bother replying.

sweathog
Shenan Stanley

sweathog wrote:
> 4 firewalls/antivirus products in one month. I've come to the
> conclusion that there is no security on the internet beyond
> unplugging your machines permanently. I reformatted 3 computers 5
> times, reinstalled Windows XP SP2 and updated, and even went so
> far as to change the MAC addresses on the network cards. Within
> days Windows system security settings and product firewalls would
> change and it would be downhill from there, not counting the money
> spent.
>
> In conclusion I've had to cancel my personal ISP and email
> account. What was happening was that I would get these trial
> versions of security software, both downloaded and on CDs, like them,
> buy them using HTTPS, and then they would send me email confirmation
> and a link to download the full versions.
>
> Someone had cracked my email and was sending me to spoofed
> websites. It didn't matter how often I would reformat and reinstall
> the OS after I found this out and NOT use the email.
>
> My question is how is this possible that this hacker could still
> track me?


PA Bear [MS MVP] wrote:
> So How Did I Get Infected Anyway?
> http://www.wilderssecurity.com/showthread.php?t=27971


sweathog wrote:
> It is really as I said, there is no security. If this is all
> Microsoft has as an answer. Watch your ActiveX when downloading
> free programs.... big deal! How about wuacle.exe which is the
> Windows Update program being modified right from a clean format and
> install, after you're done with the installation CD. You need the
> ActiveX to run that and you certainly need the updates.


You can be hacked in any number of ways - however - given your first post -
either you are being targeted by someone specifically for some vindictive
reason and your skill-set is not enough to match wits with their tools or
just the latter. -P

> How about including the 92 security patches in new OS installation
> CDs so you don't have to go on-line to get them as a solution
> instead.


Can be done by you, someone with the ability to follow directions and a CD
burner or in some cases - many more patches are already included in some
versions of the CD you can buy.

> I'd buy a Mac if I was certain that it couldn't also be DNS cache
> poisoning.


Go ahead - You'll probably run Windows on it as well - most current mac
users do. -)

> To hell with it don't bother replying.


Why not?

You are - as I said - either being targeted and/or don't have the skills
necessary to prevent being hacked. You either are missing something more
obvious each time you supposedly 'start fresh' or whoever is targeting you
has inside information that allows them to take over.

With a decent and properly configured NAT router, the Windows Firewall, a
good and properly obtained and updated AntiVirus and no 'questionable'
applications installed (trusted apps only, original installation media,
etc.) - what you say is happening to you would not happen without a slip up
on your part or someone who has inside access already.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
 
BoaterDave

Will Windows XP SP3, when available, help in this regard?

Will SP3 be available on a CD .......... anyone know? TIA.

BD

__
"Shenan Stanley" <newshelper@gmail.com> wrote in message
news:u26jGJUiIHA.2540@TK2MSFTNGP05.phx.gbl...
>
> With a decent and properly configured NAT router, the Windows Firewall, a
> good and properly obtained and updated AntiVirus and no 'questionable'
> applications installed (trusted apps only, original installation media,
> etc.) - what you say is happening to you would not happen without a slip
> up on your part or someone who has inside access already.
>
> --
> Shenan Stanley
> MS-MVP
> --
> How To Ask Questions The Smart Way
> http://www.catb.org/~esr/faqs/smart-questions.html

sweathog

I'm sorry, I'm way beyond frustrated. I have no difficulty in admitting the
opposition is much better than I in wits and skill. This isn't my trade.
Okay, to continue... the only way I could get all the 92 Windows Update
patches was with a fixed IP address at work and behind their firewall. After
that... use of any dynamic IP address, with MAC address changed, just wouldn't
remain secure. And on further formats and reinstalls I'd just get failures to
install certain patches, that is with the Norton 360 CD loaded as well as
Kaspersky's 2008 loaded and installed at different times. Trend Micro and
PC Tools I had downloaded. (And yes, I also have a D-Link 604 router.)

I don't download any crap. Period. We're talking one authentic Windows XP
and its updates and one firewall/antivirus and its updates. NO FURTHER SURFING
AT ALL.

Kerry Brown

It sounds like your router may have been compromised.

Unplug one of your computers from the router. Do a clean install of Windows
on this computer making sure you delete all partitions then recreate them
during the install. Leave this computer unplugged from the router. Don't
worry about updating it just yet. On a different computer download the
latest firmware for your router. Burn this file to a CD or copy it to a
flash drive. Make sure there are no other files on the CD or flash drive.
Unplug all of the computers from the router. Unplug the router from the
Internet. Reset the router to the factory defaults. Plug in the computer
with the fresh Windows install. Use it to flash the router with the
downloaded firmware. Reset the router again. Set a password for the admin
account. Plug the router back in to the Internet and update this computer.
Do not plug in any of the other computers until they have been wiped clean
and a fresh install of Windows done.

The key is to flash the router with a clean computer then set a password on
the router before reconnecting to the Internet.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
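Two of Kerry's steps, "download the latest firmware" and "make sure there are no other files on the CD or flash drive", can be checked mechanically from the clean machine before you flash. The Python below is an added example, not code from anyone in this thread: it confirms the media holds exactly the one expected file and that its SHA-256 matches a hash you copied by hand from the vendor's download page (the file name, image bytes and hash here are constructed placeholders, and it is an assumption that your vendor publishes a hash at all).

```python
"""Check firmware media before flashing a router from a clean machine.

Added example, not from any poster in this thread. Assumes you copied the
exact file name and SHA-256 hash from the vendor's download page by hand;
the values used in demo() are constructed placeholders for an offline run.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large firmware image need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_firmware_media(media_dir, expected_name, expected_sha256):
    """Return (ok, problems) for a CD or flash drive meant to carry one firmware file.

    ok is True only when the media holds exactly the expected file and its
    SHA-256 matches the hash taken from the vendor. Any extra file, hidden
    or not, is reported rather than ignored, matching the advice above.
    """
    problems = []
    entries = sorted(os.listdir(media_dir))
    extras = [name for name in entries if name != expected_name]
    if extras:
        problems.append("unexpected files on media: " + ", ".join(extras))
    if expected_name not in entries:
        problems.append("firmware file %s is missing" % expected_name)
        return False, problems
    actual = sha256_of_file(os.path.join(media_dir, expected_name))
    # compare_digest does a constant-time comparison of the two hex strings
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        problems.append("hash mismatch: got %s, expected %s"
                        % (actual, expected_sha256.lower()))
    return not problems, problems


def demo():
    """Build a throwaway 'flash drive' holding a constructed image and run the checks.

    Returns three (ok, problems) results: clean media, media with a stray
    file, and a tampered image with one byte changed.
    """
    firmware_bytes = b"CONSTRUCTED-FIRMWARE-IMAGE-NOT-REAL\n" * 1024
    # Stands in for the hash you would copy from the vendor's download page.
    expected = hashlib.sha256(firmware_bytes).hexdigest()
    with tempfile.TemporaryDirectory() as media:
        path = os.path.join(media, "router_firmware.bin")
        with open(path, "wb") as f:
            f.write(firmware_bytes)
        clean = verify_firmware_media(media, "router_firmware.bin", expected)

        # A stray file on the media is exactly what the procedure tells you to rule out.
        stray = os.path.join(media, "autorun.inf")
        with open(stray, "w") as f:
            f.write("[autorun]\n")
        with_extra = verify_firmware_media(media, "router_firmware.bin", expected)
        os.remove(stray)

        # An image altered in transit (here: one byte flipped) must fail the hash check.
        with open(path, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        tampered = verify_firmware_media(media, "router_firmware.bin", expected)
    return clean, with_extra, tampered


if __name__ == "__main__":
    for label, (ok, problems) in zip(("clean", "extra file", "tampered"), demo()):
        print(label, "OK" if ok else "FAIL", problems)
```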

Kerry Brown

I forgot to add - Turn off UPnP on the router after you flash it, reset it,
and add an admin password.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/


BoaterDave

Hello Kerry Brown :)

I feel there is much merit in what you say. FYI I did raise this topic here
http://aumha.net/viewtopic.php?t=26677&start=0&postdays=0&postorder=asc&highlight=
before I became persona non grata at AumHa.

Are you aware of any way to check whether or not a router has been
compromised - *before* one follows the procedure you have outlined? I should
be interested to learn more about this subject. Do you (or anyone else
reading here) have any pointers as to where to begin?

I found this item which I found interesting - others may too:-
http://www.pcadvisor.co.uk/news/index.cfm?newsid=12026

A fairly recent news item here, too:
http://www.pcpro.co.uk/news/173883/chinese-backdoors-hidden-in-router-firmware.html

--
Dave

Shenan Stanley

Entire Conversation:
http://groups.google.com/group/micr...00b3456fe7e/5c31fc709607cf76#5c31fc709607cf76



Kerry Brown wrote:
> It sounds like your router may have been compromised.
>
> Unplug one of your computers from the router. Do a clean install of
> Windows on this computer making sure you delete all partitions then
> recreate them during the install. Leave this computer unplugged
> from the router. Don't worry about updating it just yet. On a
> different computer download the latest firmware for your router.
> Burn this file to a CD or copy it to a flash drive. Make sure there
> are no other files on the CD or flash drive. Unplug all of the
> computers from the router. Unplug the router from the Internet.
> Reset the router to the factory defaults. Plug in the computer with
> the fresh Windows install. Use it to flash the router with the
> downloaded firmware. Reset the router again. Set a password for the
> admin account. Plug the router back in to the Internet and update
> this computer. Do not plug in any of the other computers until they
> have been wiped clean and a fresh install of Windows done.
> The key is to flash the router with a clean computer then set a
> password on the router before reconnecting to the Internet.


BoaterDave wrote:
> I feel there is much merit in what you say. FYI I did raise this
> topic here
> http://aumha.net/viewtopic.php?t=26677&start=0&postdays=0&postorder=asc&highlight=
> before I became persona non grata at AumHa.
> Are you aware of any way to check whether or not a router has been
> compromised - *before* one follows the procedure you have outlined.
> I should be interested to learn more about this subject. Do you (or
> anyone else reading here) have any pointers as to where to begin?
>
> I found this item which I found interesting - others may too:-
> http://www.pcadvisor.co.uk/news/index.cfm?newsid=12026
>
> A fairly recent news item here, too:
> http://www.pcpro.co.uk/news/173883/chinese-backdoors-hidden-in-router-firmware.html


While I know of no way to find out if a router has been compromised - if
there is even one ounce of suspicion that it could have been compromised -
it would be better to reset the router to defaults, set a new password
(strong one) on it, leave remote management turned off, make sure wireless
(if a feature of said router) is using WPA or WPA2 at least for security,
etc.

What makes that even better is doing that 'offline' - the router does not
need an Internet connection for any of that.

In this particular case (that where the original poster seems to have been
targeted in some way - or overlooking some part of re-securing their entire
system (not just the computer)) - the advice is spot-on in my opinion.
Start from the first piece of equipment you can control and work your way
through to the last - keeping them all 'offline' until you have changed the
setup on all of them and secured them to the best of your ability.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
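One concrete check that answers BoaterDave's "is there any way to tell *before* resetting" question, at least for the variant where the router's DHCP hands the clients a bad resolver: pull the DNS servers out of `ipconfig /all` on each machine and compare them with the resolvers you expect (your ISP's, or the router's own LAN address, since most home routers hand out themselves and forward upstream). This is an added example written for this page, not code from any of the posters; it assumes the Windows XP `ipconfig /all` layout, the sample output is constructed, and the "expected" resolver addresses are hypothetical documentation-range addresses.

```python
import re

# Constructed sample of Windows XP `ipconfig /all` output. Addresses are from
# documentation ranges and are not real indicators. The wired adapter was
# handed two resolvers outside the LAN by DHCP; the wireless one got the
# router itself, which is the normal case.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : xp-box
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Generic PCI Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            203.0.113.54
        Lease Obtained. . . . . . . . . . : Monday, March 03, 2008 8:00:00 AM

Ethernet adapter Wireless Network Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.101
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

ADAPTER_RE = re.compile(r"^(\S.*?):\s*$")                      # unindented "X adapter Y:"
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?)[ .]*:\s*(.*?)\s*$")  # "  Label . . : value"
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_ipconfig(text):
    """Parse `ipconfig /all` text into {adapter: {dhcp, gateway, dns: [...]}}.

    Extra DNS servers appear on continuation lines that hold only an address,
    so the last field label is remembered to attach them to 'DNS Servers'.
    """
    adapters = {}
    current = None
    last_field = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = {"dhcp": False, "gateway": None, "dns": []}
            adapters[m.group(1)] = current
            last_field = None
            continue
        if current is None:          # preamble before the first adapter
            continue
        m = FIELD_RE.match(line)
        if m:
            label, value = m.group(1).strip().lower(), m.group(2)
            last_field = label
            if label == "dns servers" and IP_RE.match(value):
                current["dns"].append(value)
            elif label == "default gateway" and IP_RE.match(value):
                current["gateway"] = value
            elif label == "dhcp enabled":
                current["dhcp"] = value.lower() == "yes"
            continue
        value = line.strip()
        if last_field == "dns servers" and IP_RE.match(value):
            current["dns"].append(value)
    return adapters


def find_unexpected_dns(adapters, expected_resolvers):
    """Return [(adapter, [resolvers not in the expected set])].

    The adapter's own gateway is always accepted, because a home router that
    forwards DNS hands out its LAN address as the resolver.
    """
    findings = []
    for name, a in adapters.items():
        allowed = set(expected_resolvers)
        if a["gateway"]:
            allowed.add(a["gateway"])
        bad = [d for d in a["dns"] if d not in allowed]
        if bad:
            findings.append((name, bad))
    return findings


if __name__ == "__main__":
    # On a real XP box: run ipconfig and feed its output in instead of the sample.
    # import subprocess
    # text = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    text = SAMPLE_IPCONFIG
    # Hypothetical ISP resolvers; replace with the ones your ISP actually publishes.
    for adapter, bad in find_unexpected_dns(parse_ipconfig(text), ["198.51.100.1", "198.51.100.2"]):
        print("%s: unexpected DNS servers %s" % (adapter, ", ".join(bad)))
```

A clean result here only means the clients were not handed a rogue resolver. If the router itself is the resolver the clients use and its upstream DNS setting was changed (the case Kerry describes), every client looks normal in `ipconfig` and you have to test what the router actually answers, which is what Shenan's "reset and re-secure offline" advice sidesteps entirely.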
 
K

Kerry Brown


There are currently two exploits for routers I know of. They both change the
DNS servers the router uses to compromised DNS servers. This means whatever
URL you type in isn't necessarily where you end up. They can use the
compromised DNS servers to send you wherever they want. You type in
www.google.com and end up at some malware site that tries every trick in the
book to get more malware on your computer or more likely a site that is full
of advertising where you are enticed to click on ad links while trying to
get to where you wanted to go in the first place. It's a vicious circle.
Every legitimate site you try to go to you're redirected to a non-legitimate
site. They can even let you get to legitimate online AV sites to scan the
computer. Because the router is compromised, not the computer, all the AV
scans come up negative. The original trojan that compromised the router has
long since erased itself.

One exploit is a trojan that probes common IP addresses for a router. If it
finds one it takes advantage of the fact that most people never set a
password on the router and reprograms the DNS settings. The trojan tries a
few common passwords as well as no password. Setting a strong password on
the router admin account stops this exploit.

The other exploit uses a flaw in some older versions of Flash to change the
router's DNS settings via UPnP. All they have to do is trick you into
watching an infected Flash video. You go to what looks like a normal website
with some streaming video. While watching the video your router is
reprogrammed. Keeping Flash up to date and/or turning off UPnP on the router
stops this exploit.

Doing a hard reset of the router is probably enough to fix a changed DNS
setting. I have seen a couple of cases on networks that had highly
compromised computers where someone or something had tried to flash the
router unsuccessfully and the router was toast. This tells me there may be
an exploit that tries to flash a router. That's why I recommended flashing
the router.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
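Kerry's point is that with a DNS-changer the computer is clean and the lie lives in the resolver, so host scans stay negative. The test that catches it is to ask the router's resolver and a resolver you trust the same question and compare the answers. The script below is an added example for this page, not code from Kerry or anyone in the thread: it builds a raw DNS A query, parses the reply, and reports addresses the router returned that the trusted resolver did not. The `build_response` helper is there only to construct an offline reply for testing; the resolver addresses on the command line are whatever you choose, and the router address is assumed to be the usual LAN gateway.

```python
import random
import socket
import struct


def build_query(name, txid=None):
    """Minimal DNS A/IN query in RFC 1035 wire format, recursion desired."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(msg, off):
    """Offset just past the name starting at `off`; a compression pointer ends it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_a_records(msg, expected_txid):
    """Set of IPv4 addresses in the answer section.

    Rejects replies whose transaction id does not match ours (a stale or
    spoofed packet) and replies carrying an error rcode.
    """
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("server returned rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def build_response(txid, name, addrs):
    """Constructed reply for offline testing: echo the question, one A record each."""
    _, query = build_query(name, txid)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
                       for a in addrs)
    return header + query[12:] + answers


def resolve_via(server, name, timeout=3.0):
    """Send the query to `server` over UDP/53 and parse whatever comes back."""
    txid, query = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_a_records(data, txid)


def hijack_indicators(router_answers, trusted_answers):
    """Addresses the router's resolver handed out that the trusted one never did."""
    return set(router_answers) - set(trusted_answers)


def audit(name, router_dns, trusted_dns):
    return hijack_indicators(resolve_via(router_dns, name), resolve_via(trusted_dns, name))


if __name__ == "__main__":
    import sys
    # usage: python dnscheck.py www.example.com 192.168.1.1 <trusted resolver ip>
    print(audit(sys.argv[1], sys.argv[2], sys.argv[3]) or "no difference")
```

A non-empty result is a lead, not proof: large sites answer different resolvers with different addresses from their pools, so repeat the check with a domain whose address is stable (your ISP's own web site, or a small site you know) and against more than one trusted resolver before calling the router compromised. Also remember that the trusted resolver's reply still travels through the same router; the check is against the resolver configuration, not against a router that rewrites packets.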
 
S

sweathog

Thanks for the help all you guys... but flashing the router was one of the
first things I tried, and you are correct the router is now toast; somehow the
MAC address of it went to 00 00 00 00 00 00 and it won't let me back
in... although it still passes traffic.

A few other symptoms: when I first noticed the problem the USB mouse would
freeze (nothing wrong with the mouse); quickly switching USB ports would
reactivate it. Thought it was a hardware problem because the connection to
the motherboard was a bit sloppy... problem went away for a month. Problem
returned after that but this time the USB connection was solid.

When I tried to pay for the PC Tools product using HTTPS the web page would
come back as transaction incomplete; the credit card showed 4 copies of the
product.

Anyways I've had to change credit card, cancel ISP and email and I've had
enough... thanks for your time and interest.

I live in an isolated community way in the bush; people come to me to fix
their computers. No one has complained yet and the machines were clean, but
yesterday I had to go to a big city some 400 miles away. While doing some
business, there were 4 or 5 customers with me waiting in line to be served.
Got to talking computers; 3 of them said that they were doing the same as me,
unplugging the machines. One young fellow said "So what? Don't bother
with firewalls, viruses, etc., etc. Just reformat once a month, who cares
what is on the machine."

 
K

Kerry Brown

Reformatting once a month is a bit drastic. Keeping all your programs up to
date including an AV, and using common sense when surfing is sufficient for
most people. Router exploits are thankfully quite rare and easily protected
against so far.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/



 
J

jen

Have you read these reports?

Hacking The Interwebs:
http://www.gnucitizen.org/blog/hacking-the-interwebs/
Holes in Embedded Devices: Authentication bypass (pt 4):
http://www.gnucitizen.org/blog/holes-in-embedded-devices-authentication-bypass-pt-4/
Router Hacking Challenge:
http://www.gnucitizen.org/projects/router-hacking-challenge/

-jen

 
K

Kerry Brown

I am aware of those possible exploits. Have you seen them in the wild? I
haven't. They would require quite an involved program to figure out what router
and firmware revision was in use. AFAIK most current routers have firmware
updates available to protect against some of this. The exploits are
certainly possible. If they are possible I'm sure malware authors are
working on exploiting them. How successful they will be remains to be seen.
The only exploits I've seen in the wild are the two I mentioned in an
earlier post. Both are easily stopped. In the future this may not be true.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/



"jen" <jen@example.com> wrote in message
news:uWE4gtriIHA.5280@TK2MSFTNGP02.phx.gbl...
> Have you read these reports?
>
> Hacking The Interwebs:
> http://www.gnucitizen.org/blog/hacking-the-interwebs/
> Holes in Embedded Devices: Authentication bypass (pt 4):
> http://www.gnucitizen.org/blog/holes-in-embedded-devices-authentication-bypass-pt-4/
> Router Hacking Challenge:
> http://www.gnucitizen.org/projects/router-hacking-challenge/
>
> -jen
>
> "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
> news:260FDF05-7954-411E-8B8D-36FE5F905C4D@microsoft.com...
>> Reformatting once a month is a bit drastic. Keeping all your programs up
>> to date including an AV, and using common sense when surfing is
>> sufficient for most people. Router exploits are thankfully quite rare and
>> easily protected against so far.
>>
>> --
>> Kerry Brown
>> MS-MVP - Windows Desktop Experience: Systems Administration
>> http://www.vistahelp.ca/phpBB2/
>>
>>
>>
>> "sweathog" <sweathog@discussions.microsoft.com> wrote in message
>> news:F7633108-893C-42CE-8DEC-AD614EC02024@microsoft.com...
>>> Thanks for the help all you guys...but flashing the router was one of
>>> the first things I tried, and you are correct the router is now toast,
>>> somehow the MAC address of it went to 00 00 00 00 00 00 and it won't
>>> let me back in...although it still passes traffic.
>>>
>>> A few other symptoms, when I first noticed the problem the USB mouse
>>> would freeze (nothing wrong with the mouse), quickly switching USB ports
>>> would reactivate it. Thought it was a hardware problem because the
>>> connection to the motherboard was a bit sloppy... problem went away for
>>> a month. Problem returned after that but this time the USB connection
>>> was solid.
>>>
>>> When I tried to pay for pctools product using https the web page would
>>> appear back as transaction incomplete, credit card showed 4 copies of
>>> the
>>> product.
>>>
>>> Anyways I've had to change credit card, cancel ISP and email and I've
>>> had enough...thanks for your time and interest.
>>>
>>> I live in an isolated community way in the bush, people come to me to
>>> fix their computers. No one complained yet and the machines were clean,
>>> but yesterday I had to go to a big city some 400 miles away, while doing
>>> some business, there were 4 or 5 customers with me waiting in line to be
>>> served. Got to talking computers, 3 of them said that they were doing
>>> the same as me, unplugging the machines. One young fellow said "So
>>> what?" "Don't bother with firewalls, viruses, etc., etc., Just reformat
>>> once a month who cares what is on the machine."
>>>
>>> "Kerry Brown" wrote:
>>>
>>>> "Shenan Stanley" <newshelper@gmail.com> wrote in message
>>>> news:OJfVl4fiIHA.1204@TK2MSFTNGP03.phx.gbl...
>>>> > Entire Conversation:
>>>> > http://groups.google.com/group/micr...00b3456fe7e/5c31fc709607cf76#5c31fc709607cf76
>>>> >
>>>> >
>>>> >
>>>> > Kerry Brown wrote:
>>>> >> It sounds like your router may have been compromised.
>>>> >>
>>>> >> Unplug one of your computers from the router. Do a clean install of
>>>> >> Windows on this computer making sure you delete all partitions then
>>>> >> recreate them during the install. Leave this computer unplugged
>>>> >> from the router. Don't worry about updating it just yet. On a
>>>> >> different computer download the latest firmware for your router.
>>>> >> Burn this file to a CD or copy it to a flash drive. Make sure there
>>>> >> are no other files on the CD or flash drive. Unplug all of the
>>>> >> computers from the router. Unplug the router from the Internet.
>>>> >> Reset the router to the factory defaults. Plug in the computer with
>>>> >> the fresh Windows install. Use it to flash the router with the
>>>> >> downloaded firmware. Reset the router again. Set a password for the
>>>> >> admin account. Plug the router back in to the Internet and update
>>>> >> this computer. Do not plug in any of the other computers until they
>>>> >> have been wiped clean and a fresh install of Windows done.
>>>> >> The key is to flash the router with a clean computer then set a
>>>> >> password on the router before reconnecting to the Internet.
>>>> >
>>>> > BoaterDave wrote:
>>>> >> I feel there is much merit in what you say. FYI I did raise this
>>>> >> topic here
>>>> >> http://aumha.net/viewtopic.php?t=26677&start=0&postdays=0&postorder=asc&highlight=
>>>> >> before I became persona non grata at AumHa.
>>>> >> Are you aware of any way to check whether or not a router has been
>>>> >> compromised - *before* one follows the procedure you have outlined.
>>>> >> I should be interested to learn more about this subject. Do you (or
>>>> >> anyone else reading here) have any pointers as to where to begin?
>>>> >>
>>>> >> I found this item which I found interesting - others may too:-
>>>> >> http://www.pcadvisor.co.uk/news/index.cfm?newsid=12026
>>>> >>
>>>> >> A fairly recent news item here, too:
>>>> >> http://www.pcpro.co.uk/news/173883/chinese-backdoors-hidden-in-router-firmware.html
>>>> >
>>>> > While I know of no way to find out if a router has been compromised -
>>>> > if
>>>> > there is even one ounce of suspicion that it could have been
>>>> > compromised -
>>>> > it would be better to reset the router to defaults, set a new
>>>> > password
>>>> > (strong one) on it, leave remote management turned off, make sure
>>>> > wireless
>>>> > (if a feature of said router) is using WPA or WPA2 at least for
>>>> > security,
>>>> > etc.
>>>> >
>>>> > What makes that even better is doing that 'offline' - the router does
>>>> > not
>>>> > need an Internet connection for any of that.
>>>> >
>>>> > In this particular case (that where the original poster seems to have
>>>> > been
>>>> > targeted in some way - or overlooking some part of re-securing their
>>>> > entire system (not just the computer)) - the advice is spot-on in my
>>>> > opinion. Start from the first piece of equipment you can control and
>>>> > work
>>>> > your way through to the last - keeping them all 'offline' until you
>>>> > have
>>>> > changed the setup on all of them and secured them to the best of your
>>>> > ability.
>>>> >
>>>>
>>>>
>>>> There's currently two exploits for routers I know of. They both change
>>>> the
>>>> DNS servers the router uses to compromised DNS servers. This means
>>>> whatever
>>>> url you type in isn't necessarily where you end up. They can use the
>>>> compromised DNS servers to send you wherever they want. You type in
>>>> www.google.com and end up at some malware site that tries every trick
>>>> in the
>>>> book to get more malware on your computer or more likely a site that is
>>>> full
>>>> of advertising where you are enticed to click on ad links while trying
>>>> to
>>>> get to where you wanted to go in the first place. It's a vicious
>>>> circle.
>>>> Every legitimate site you try to go to you're redirected to a
>>>> non-legitimate
>>>> site. They can even let you get to legitimate online AV sites to scan
>>>> the
>>>> computer. Because the router is compromised, not the computer, all the
>>>> AV
>>>> scans come up negative. The original trojan that compromised the router
>>>> has
>>>> long since erased itself.
>>>>
>>>> One exploit is a trojan that probes common IP addresses for a router.
>>>> If it
>>>> finds one it takes advantage of the fact that most people never set a
>>>> password on the router and reprograms the DNS settings. The trojan
>>>> tries a
>>>> few common passwords as well as no password. Setting a strong password
>>>> on
>>>> the router admin account stops this exploit.
>>>>
>>>> The other exploit uses a flaw in some older versions of Flash to change
>>>> the
>>>> router's DNS settings via UPnP. All they have to do is trick you into
>>>> watching an infected Flash video. You go to what looks like a normal
>>>> website
>>>> with some streaming video. While watching the video your router is
>>>> reprogrammed. Keeping Flash up to date and/or turning off UPnP on the
>>>> router
>>>> stops this exploit.
>>>>
>>>> Doing a hard reset of the router is probably enough to fix a changed
>>>> DNS
>>>> setting. I have seen a couple of cases on networks that had highly
>>>> compromised computers where someone or something had tried to flash the
>>>> router unsuccessfully and the router was toast. This tells me there may
>>>> be
>>>> an exploit that tries to flash a router. That's why I recommended
>>>> flashing
>>>> the router.
>>>>
>>>> --
>>>> Kerry Brown
>>>> MS-MVP - Windows Desktop Experience: Systems Administration
>>>> http://www.vistahelp.ca/phpBB2/
>>>>
>>>>
>>>>
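BoaterDave asks above whether a router can be checked for compromise before going through the reflash procedure. Kerry's description of the two exploits gives something concrete to look for: both replace the router's DNS servers, and the hijacked resolver sends every site to the same ad or malware host. The script below is an added example, not code from anyone in this thread; it turns that into three offline checks over values you collect by hand (the resolver list from `ipconfig /all`, and A-record answers from `nslookup name resolver`, once against the resolver the router handed out and once against a public resolver reached by IP). The ISP resolver addresses, the sample answers and the domain names in it are constructed (RFC 5737 documentation ranges), so substitute your own.

```python
"""
DNS-hijack triage for a home router, as described in this thread: the
router's DNS servers are swapped for attacker-controlled ones, so the
computers stay clean while every lookup is answered by the wrong resolver.

Inputs are plain Python values so the checks run offline; collect them
with `ipconfig /all` (resolver list) and `nslookup name resolver`
(answers), once against the resolver the router handed out and once
against a public resolver reached by IP.
"""
import ipaddress
from collections import Counter

# Constructed for this example (RFC 5737 documentation addresses): the
# resolvers the ISP is known to hand out. Take these from the ISP's
# documentation or a lease you trust, not from the router's status page,
# which is the thing you suspect.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Private ranges a router legitimately advertises itself from when it
# forwards DNS for the LAN (RFC 1918). Checked explicitly rather than via
# ip_address().is_private, which also covers the documentation ranges.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_resolvers(configured, expected=EXPECTED_RESOLVERS):
    """Classify each resolver the host is using.

    Returns a list of (severity, message). A LAN address (the router
    forwarding for us) or a known ISP resolver is fine; any other public
    address means the router's DNS setting was changed, which is what both
    exploits in the thread do.
    """
    findings = []
    for ip in configured:
        addr = ipaddress.ip_address(ip)
        if ip in expected:
            findings.append(("ok", f"{ip} is a known ISP resolver"))
        elif any(addr in net for net in LAN_NETS):
            findings.append(("info", f"{ip} is the LAN forwarder; confirm on the "
                                     f"router that it forwards to {sorted(expected)}"))
        else:
            findings.append(("high", f"{ip} is not an expected resolver: the "
                                     f"router's DNS setting has probably been changed"))
    return findings


def compare_answers(from_configured, from_trusted):
    """Names whose A records from the router's resolver share nothing with
    the trusted resolver's answers.

    Both arguments map name -> set of IP strings. A mismatch is a lead,
    not proof: CDNs and geo-DNS legitimately return different addresses.
    """
    disagreements = {}
    for name, good in from_trusted.items():
        seen = from_configured.get(name, set())
        if seen and seen.isdisjoint(good):
            disagreements[name] = (sorted(seen), sorted(good))
    return disagreements


def shared_sink(answers, min_names=3):
    """Addresses that at least `min_names` unrelated names resolve to.

    The hijack in the thread funnels every site to one ad or malware host,
    so one IP answering for a search engine, a bank and an AV vendor at
    once is a far stronger signal than any single mismatch.
    """
    counts = Counter(ip for ips in answers.values() for ip in ips)
    return {ip: n for ip, n in counts.items() if n >= min_names}


def run_report(configured, from_configured, from_trusted):
    """Combine the three checks into one verdict."""
    high = [msg for sev, msg in audit_resolvers(configured) if sev == "high"]
    sinks = shared_sink(from_configured)
    return {
        "hijacked": bool(high) or bool(sinks),
        "resolvers": high,
        "sinks": sinks,
        "mismatches": compare_answers(from_configured, from_trusted),
    }


# Constructed sample answers (RFC 5737 test addresses): what a hijacked
# router's resolver returned next to a trusted resolver's answers.
HIJACKED = {
    "www.google.com": {"203.0.113.10"},
    "bank.example": {"203.0.113.10"},
    "av-scanner.example": {"203.0.113.10"},
    "update.example": {"198.51.100.7"},
}
TRUSTED = {
    "www.google.com": {"198.51.100.1", "198.51.100.2"},
    "bank.example": {"198.51.100.3"},
    "av-scanner.example": {"198.51.100.4"},
    "update.example": {"198.51.100.7"},
}

if __name__ == "__main__":
    report = run_report(["203.0.113.53", "192.168.1.1"], HIJACKED, TRUSTED)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The "shared sink" check is the one worth running first: an unexpected resolver address can be a legitimate ISP change, and a single mismatched answer can be a CDN, but a dozen unrelated names all landing on one address is the behaviour Kerry describes and has no innocent explanation. Note that the router can also forward to the hijacked servers while advertising only its own LAN address, which is why the "info" case still tells you to read the forwarder addresses off the router itself.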

jen

When you get time, you may be interested in these two podcasts :)
GNUCITIZEN on PaulDotCom:
The best security podcast on the Web.
http://media.libsyn.com/media/pauldotcom/pauldotcom-SW-GNUCITIZENpart1.mp3
http://media.libsyn.com/media/pauldotcom/pauldotcom-SW-GNUCITIZENpart2.mp3
http://www.gnucitizen.org/blog/gnucitizen-on-pauldotcom/

-jen

"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
news:8CEFAE8B-E1C7-41DA-96C6-59ABE7976434@microsoft.com...
>I am aware of those possible exploits. Have you seen them in the wild?
>I haven't. They would require quite an involved program to figure what
>router and firmware revision was in use. AFAIK most current routers
>have firmware updates available to protect against some of this. The
>exploits are certainly possible. If they are possible I'm sure malware
>authors are working on exploiting them. How successful they will be
>remains to be seen. The only exploits I've seen in the wild are the two
>I mentioned in an earlier post. Both are easily stopped. In the future
>this may not be true.
>
> --
> Kerry Brown
> MS-MVP - Windows Desktop Experience: Systems Administration
> http://www.vistahelp.ca/phpBB2/
>
>
>
> "jen" <jen@example.com> wrote in message
> news:uWE4gtriIHA.5280@TK2MSFTNGP02.phx.gbl...
>> Have you read these reports?
>>
>> Hacking The Interwebs:
>> http://www.gnucitizen.org/blog/hacking-the-interwebs/
>> Holes in Embedded Devices: Authentication bypass (pt 4):
>> http://www.gnucitizen.org/blog/holes-in-embedded-devices-authentication-bypass-pt-4/
>> Router Hacking Challenge:
>> http://www.gnucitizen.org/projects/router-hacking-challenge/
>>
>> -jen
>>
>> "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
>> news:260FDF05-7954-411E-8B8D-36FE5F905C4D@microsoft.com...
>>> Reformatting once a month is a bit drastic. Keeping all your
>>> programs up to date including an AV, and using common sense when
>>> surfing is sufficient for most people. Router exploits are
>>> thankfully quite rare and easily protected against so far.
>>>
>>> --
>>> Kerry Brown
>>> MS-MVP - Windows Desktop Experience: Systems Administration
>>> http://www.vistahelp.ca/phpBB2/
>>>
>>>
>>>
>>> "sweathog" <sweathog@discussions.microsoft.com> wrote in message
>>> news:F7633108-893C-42CE-8DEC-AD614EC02024@microsoft.com...
>>>> Thanks for the help all you guys...but flashing the router was one
>>>> of the first things I tried, and you are correct the router is now
>>>> toast, somehow the MAC address of it went to 00 00 00 00 00 00 and it
>>>> won't let me back in...although it still passes traffic.
>>>>
>>>> A few other symptoms, when I first noticed the problem the USB mouse
>>>> would freeze (nothing wrong with the mouse), quickly switching USB
>>>> ports would reactivate it. Thought it was a hardware problem because
>>>> the connection to the motherboard was a bit sloppy... problem went
>>>> away for a month. Problem returned after that but this time the USB
>>>> connection was solid.
>>>>
>>>> When I tried to pay for pctools product using https the web page
>>>> would
>>>> appear back as transaction incomplete, credit card showed 4 copies
>>>> of the
>>>> product.
>>>>
>>>> Anyways I've had to change credit card, cancel ISP and email and I've
>>>> had enough...thanks for your time and interest.
>>>>
>>>> I live in an isolated community way in the bush, people come to me to
>>>> fix their computers. No one complained yet and the machines were
>>>> clean, but yesterday I had to go to a big city some 400 miles away,
>>>> while doing some business, there were 4 or 5 customers with me waiting
>>>> in line to be served. Got to talking computers, 3 of them said that
>>>> they were doing the same as me, unplugging the machines. One young
>>>> fellow said "So what?" "Don't bother with firewalls, viruses, etc.,
>>>> etc., Just reformat once a month who cares what is on the machine."
>>>>
>>>> "Kerry Brown" wrote:
>>>>
>>>>> "Shenan Stanley" <newshelper@gmail.com> wrote in message
>>>>> news:OJfVl4fiIHA.1204@TK2MSFTNGP03.phx.gbl...
>>>>> > Entire Conversation:
>>>>> > http://groups.google.com/group/micr...00b3456fe7e/5c31fc709607cf76#5c31fc709607cf76
>>>>> >
>>>>> >
>>>>> >
>>>>> > Kerry Brown wrote:
>>>>> >> It sounds like your router may have been compromised.
>>>>> >>
>>>>> >> Unplug one of your computers from the router. Do a clean
>>>>> >> install of
>>>>> >> Windows on this computer making sure you delete all partitions
>>>>> >> then
>>>>> >> recreate them during the install. Leave this computer unplugged
>>>>> >> from the router. Don't worry about updating it just yet. On a
>>>>> >> different computer download the latest firmware for your
>>>>> >> router.
>>>>> >> Burn this file to a CD or copy it to a flash drive. Make sure
>>>>> >> there
>>>>> >> are no other files on the CD or flash drive. Unplug all of the
>>>>> >> computers from the router. Unplug the router from the Internet.
>>>>> >> Reset the router to the factory defaults. Plug in the computer
>>>>> >> with
>>>>> >> the fresh Windows install. Use it to flash the router with the
>>>>> >> downloaded firmware. Reset the router again. Set a password for
>>>>> >> the
>>>>> >> admin account. Plug the router back in to the Internet and
>>>>> >> update
>>>>> >> this computer. Do not plug in any of the other computers until
>>>>> >> they
>>>>> >> have been wiped clean and a fresh install of Windows done.
>>>>> >> The key is to flash the router with a clean computer then set a
>>>>> >> password on the router before reconnecting to the Internet.
>>>>> >
>>>>> > BoaterDave wrote:
>>>>> >> I feel there is much merit in what you say. FYI I did raise
>>>>> >> this
>>>>> >> topic here
>>>>> >> http://aumha.net/viewtopic.php?t=26677&start=0&postdays=0&postorder=asc&highlight=
>>>>> >> before I became persona non grata at AumHa.
>>>>> >> Are you aware of any way to check whether or not a router has
>>>>> >> been
>>>>> >> compromised - *before* one follows the procedure you have
>>>>> >> outlined.
>>>>> >> I should be interested to learn more about this subject. Do you
>>>>> >> (or
>>>>> >> anyone else reading here) have any pointers as to where to
>>>>> >> begin?
>>>>> >>
>>>>> >> I found this item which I found interesting - others may too:-
>>>>> >> http://www.pcadvisor.co.uk/news/index.cfm?newsid=12026
>>>>> >>
>>>>> >> A fairly recent news item here, too:
>>>>> >> http://www.pcpro.co.uk/news/173883/chinese-backdoors-hidden-in-router-firmware.html
>>>>> >
>>>>> > While I know of no way to find out if a router has been
>>>>> > compromised - if
>>>>> > there is even one ounce of suspicion that it could have been
>>>>> > compromised -
>>>>> > it would be better to reset the router to defaults, set a new
>>>>> > password
>>>>> > (strong one) on it, leave remote management turned off, make
>>>>> > sure wireless
>>>>> > (if a feature of said router) is using WPA or WPA2 at least for
>>>>> > security,
>>>>> > etc.
>>>>> >
>>>>> > What makes that even better is doing that 'offline' - the router
>>>>> > does not
>>>>> > need an Internet connection for any of that.
>>>>> >
>>>>> > In this particular case (that where the original poster seems to
>>>>> > have been
>>>>> > targeted in some way - or overlooking some part of re-securing
>>>>> > their
>>>>> > entire system (not just the computer)) - the advice is spot-on
>>>>> > in my
>>>>> > opinion. Start from the first piece of equipment you can control
>>>>> > and work
>>>>> > your way through to the last - keeping them all 'offline' until
>>>>> > you have
>>>>> > changed the setup on all of them and secured them to the best of
>>>>> > your
>>>>> > ability.
>>>>> >
>>>>>
>>>>>
>>>>> There's currently two exploits for routers I know of. They both
>>>>> change the
>>>>> DNS servers the router uses to compromised DNS servers. This means
>>>>> whatever
>>>>> url you type in isn't necessarily where you end up. They can use
>>>>> the
>>>>> compromised DNS servers to send you wherever they want. You type
>>>>> in
>>>>> www.google.com and end up at some malware site that tries every
>>>>> trick in the
>>>>> book to get more malware on your computer or more likely a site
>>>>> that is full
>>>>> of advertising where you are enticed to click on ad links while
>>>>> trying to
>>>>> get to where you wanted to go in the first place. It's a vicious
>>>>> circle.
>>>>> Every legitimate site you try to go to you're redirected to a
>>>>> non-legitimate
>>>>> site. They can even let you get to legitimate online AV sites to
>>>>> scan the
>>>>> computer. Because the router is compromised, not the computer, all
>>>>> the AV
>>>>> scans come up negative. The original trojan that compromised the
>>>>> router has
>>>>> long since erased itself.
>>>>>
>>>>> One exploit is a trojan that probes common IP addresses for a
>>>>> router. If it
>>>>> finds one it takes advantage of the fact that most people never
>>>>> set a
>>>>> password on the router and reprograms the DNS settings. The trojan
>>>>> tries a
>>>>> few common passwords as well as no password. Setting a strong
>>>>> password on
>>>>> the router admin account stops this exploit.
>>>>>
>>>>> The other exploit uses a flaw in some older versions of Flash to
>>>>> change the
>>>>> router's DNS settings via UPnP. All they have to do is trick you
>>>>> into
>>>>> watching an infected Flash video. You go to what looks like a
>>>>> normal website
>>>>> with some streaming video. While watching the video your router is
>>>>> reprogrammed. Keeping Flash up to date and/or turning off UPnP on
>>>>> the router
>>>>> stops this exploit.
>>>>>
>>>>> Doing a hard reset of the router is probably enough to fix a
>>>>> changed DNS
>>>>> setting. I have seen a couple of cases on networks that had highly
>>>>> compromised computers where someone or something had tried to
>>>>> flash the
>>>>> router unsuccessfully and the router was toast. This tells me
>>>>> there may be
>>>>> an exploit that tries to flash a router. That's why I recommended
>>>>> flashing
>>>>> the router.
>>>>>
>>>>> --
>>>>> Kerry Brown
>>>>> MS-MVP - Windows Desktop Experience: Systems Administration
>>>>> http://www.vistahelp.ca/phpBB2/
>>>>>
>>>>>
>>>>>
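Kerry's second exploit works only while the router answers UPnP requests from the LAN, and his fix is to turn UPnP off. A simple way to confirm that the setting actually took is to ask for an Internet Gateway Device over SSDP and see whether anything replies. This is an added example, not code from the thread or from the GNUCITIZEN material jen links; the sample reply, its LOCATION URL and the SERVER string are constructed, and the parsing is kept separate from the socket code so it can be exercised on a captured datagram without a network.

```python
"""
Check whether the router still answers UPnP on the LAN. Sends one SSDP
M-SEARCH for an Internet Gateway Device and lists who replies; an empty
result after UPnP was switched off on the router is what you want to see.
"""
import socket

SSDP_GROUP = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

# Standard SSDP discovery request, scoped to gateway devices only.
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    f"ST: {IGD_ST}\r\n"
    "\r\n"
).encode("ascii")


def parse_ssdp_response(raw: bytes) -> dict:
    """Turn an SSDP 'HTTP/1.1 200 OK' datagram into a dict of lower-cased
    header names. Anything that is not a 200 reply (e.g. a NOTIFY
    announcement) yields an empty dict."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def is_gateway(headers: dict) -> bool:
    """True when the responder advertises itself as an IGD, i.e. the
    router's UPnP service is on and reachable from this LAN."""
    return "internetgatewaydevice" in headers.get("st", "").lower()


def discover_gateways(timeout: float = 2.0):
    """Send one M-SEARCH and return [(ip, location_url)] for each IGD that
    answers within `timeout` seconds. A hit means the UPnP route Kerry
    describes is still open from this network."""
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        sock.settimeout(timeout)
        sock.sendto(MSEARCH, SSDP_GROUP)
        while True:
            try:
                data, (ip, _port) = sock.recvfrom(65535)
            except socket.timeout:
                break
            headers = parse_ssdp_response(data)
            if is_gateway(headers):
                hits.append((ip, headers.get("location", "")))
    return hits


# Constructed sample reply, shaped like what an IGD sends back. The
# LOCATION URL, SERVER string and UUID are made up for this example.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"SERVER: Linux/2.4 UPnP/1.0 example-igd/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for ip, location in discover_gateways():
        print(f"UPnP gateway answering at {ip}: {location}")
```

Run it from a machine on the LAN before and after disabling UPnP on the router; the multicast never leaves your own segment. A reply only tells you UPnP is on; which settings are reachable through it (port mappings only, or DNS and WAN parameters as well) depends on the actions the device lists in the description document at the LOCATION URL, so read that before deciding the router can stay as it is.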

BoaterDave

Do you, by any chance, have a Hewlett Packard printer?

Dave

"sweathog" <sweathog@discussions.microsoft.com> wrote in message
news:7D3BFB82-ACC8-4E18-BF8B-55772D9EA4C4@microsoft.com...
> It is really as I said, there is no security. If this is all Microsoft has
> as an answer. Watch your ActiveX when downloading free programs.... big
> deal!
> How about wuacle.exe which is the Windows Update program being modified
> right from a clean format and install, after you're done with the
> installation CD. You need the ActiveX to run that and you certainly need
> the updates.
>
> How about including the 92 security patches in new OS installation CDs so
> you don't have to go on-line to get them as a solution instead.
>
> I'd buy a Mac if I was certain that it couldn't also be DNS cache
> poisoning.
>
> To hell with it, don't bother replying.
>
> sweathog
>
> "PA Bear [MS MVP]" wrote:
>
>> So How Did I Get Infected Anyway?
>> http://www.wilderssecurity.com/showthread.php?t=27971
>> --
>> ~Robear Dyer (PA Bear)
>> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
>> AumHa VSOP & Admin http://aumha.net
>> DTS-L http://dts-l.net/
>>
>> sweathog wrote:
>> > 4 firewalls/antivirus products in one month. I've come to the
>> > conclusion that there is no security on the internet beyond unplugging
>> > your machines permanently. I reformatted 3 computers 5 times,
>> > reinstalled the Windows XP SP2 and updated, and even went so far as to
>> > change the MAC addresses on the network cards. Within days Windows
>> > system security settings, and product firewalls would change and it
>> > would be downhill from there, not counting the money spent.
>> >
>> > In conclusion I've had to cancel my personal ISP and email account, what
>> > was happening was that I would get these trial versions of security
>> > software both downloaded and CDs, like them, buy them using https and
>> > then they would send me email confirmation and a link to download the
>> > full versions.
>> >
>> > Someone had cracked my email and was sending me to spoofed websites. It
>> > didn't matter how often I would reformat and reinstall the OS after I
>> > found this out and NOT use the email.
>> >
>> > My question is how is this possible that this hacker could still track
>> > me?

BoaterDave

Thank you, Jen.

I listened to all. Very interesting. (and frightening, too!)

BD

"jen" <jen@example.com> wrote in message
news:ODnOrusiIHA.6092@TK2MSFTNGP06.phx.gbl...
> When you get time, you may be interested in these two podcasts :)
> GNUCITIZEN on PaulDotCom:
> The best security podcast on the Web.
> http://media.libsyn.com/media/pauldotcom/pauldotcom-SW-GNUCITIZENpart1.mp3
> http://media.libsyn.com/media/pauldotcom/pauldotcom-SW-GNUCITIZENpart2.mp3
> http://www.gnucitizen.org/blog/gnucitizen-on-pauldotcom/
>
> -jen
>
> "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
> news:8CEFAE8B-E1C7-41DA-96C6-59ABE7976434@microsoft.com...
>>I am aware of those possible exploits. Have you seen them in the wild? I
>>haven't. They would require quite an involved program to figure what
>>router and firmware revision was in use. AFAIK most current routers have
>>firmware updates available to protect against some of this. The exploits
>>are certainly possible. If they are possible I'm sure malware authors are
>>working on exploiting them. How successful they will be remains to be
>>seen. The only exploits I've seen in the wild are the two I mentioned in
>>an earlier post. Both are easily stopped. In the future this may not be
>>true.
>>
>> --
>> Kerry Brown
>> MS-MVP - Windows Desktop Experience: Systems Administration
>> http://www.vistahelp.ca/phpBB2/
>>
>>
>>
>> "jen" <jen@example.com> wrote in message
>> news:uWE4gtriIHA.5280@TK2MSFTNGP02.phx.gbl...
>>> Have you read these reports?
>>>
>>> Hacking The Interwebs:
>>> http://www.gnucitizen.org/blog/hacking-the-interwebs/
>>> Holes in Embedded Devices: Authentication bypass (pt 4):
>>> http://www.gnucitizen.org/blog/holes-in-embedded-devices-authentication-bypass-pt-4/
>>> Router Hacking Challenge:
>>> http://www.gnucitizen.org/projects/router-hacking-challenge/
>>>
>>> -jen
>>>
>>> "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
>>> news:260FDF05-7954-411E-8B8D-36FE5F905C4D@microsoft.com...
>>>> Reformatting once a month is a bit drastic. Keeping all your programs
>>>> up to date including an AV, and using common sense when surfing is
>>>> sufficient for most people. Router exploits are thankfully quite rare
>>>> and easily protected against so far.
>>>>
>>>> --
>>>> Kerry Brown
>>>> MS-MVP - Windows Desktop Experience: Systems Administration
>>>> http://www.vistahelp.ca/phpBB2/
>>>>
>>>>
>>>>
>>>> "sweathog" <sweathog@discussions.microsoft.com> wrote in message
>>>> news:F7633108-893C-42CE-8DEC-AD614EC02024@microsoft.com...
>>>>> Thanks for the help all you guys...but flashing the router was one of
>>>>> the first things I tried, and you are correct the router is now
>>>>> toast, somehow the MAC address of it went to 00 00 00 00 00 00 and it
>>>>> won't let me back in...although it still passes traffic.
>>>>>
>>>>> A few other symptoms, when I first noticed the problem the USB mouse
>>>>> would freeze (nothing wrong with the mouse), quickly switching USB
>>>>> ports would reactivate it. Thought it was a hardware problem because
>>>>> the connection to the motherboard was a bit sloppy... problem went
>>>>> away for a month. Problem returned after that but this time the USB
>>>>> connection was solid.
>>>>>
>>>>> When I tried to pay for pctools product using https the web page would
>>>>> appear back as transaction incomplete, credit card showed 4 copies of
>>>>> the
>>>>> product.
>>>>>
>>>>> Anyways I've had to change credit card, cancel ISP and email and I've
>>>>> had enough...thanks for your time and interest.
>>>>>
>>>>> I live in an isolated community way in the bush, people come to me to
>>>>> fix their computers. No one complained yet and the machines were
>>>>> clean, but yesterday I had to go to a big city some 400 miles away,
>>>>> while doing some business, there were 4 or 5 customers with me waiting
>>>>> in line to be served. Got to talking computers, 3 of them said that
>>>>> they were doing the same as me, unplugging the machines. One young
>>>>> fellow said "So what?" "Don't bother with firewalls, viruses, etc.,
>>>>> etc., Just reformat once a month who cares what is on the machine."
>>>>>
>>>>> "Kerry Brown" wrote:
>>>>>
>>>>>> "Shenan Stanley" <newshelper@gmail.com> wrote in message
>>>>>> news:OJfVl4fiIHA.1204@TK2MSFTNGP03.phx.gbl...
>>>>>> > Entire Conversation:
>>>>>> > http://groups.google.com/group/micr...00b3456fe7e/5c31fc709607cf76#5c31fc709607cf76
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> > Kerry Brown wrote:
>>>>>> >> It sounds like your router may have been compromised.
>>>>>> >>
>>>>>> >> Unplug one of your computers from the router. Do a clean install
>>>>>> >> of
>>>>>> >> Windows on this computer making sure you delete all partitions
>>>>>> >> then
>>>>>> >> recreate them during the install. Leave this computer unplugged
>>>>>> >> from the router. Don't worry about updating it just yet. On a
>>>>>> >> different computer download the latest firmware for your router.
>>>>>> >> Burn this file to a CD or copy it to a flash drive. Make sure
>>>>>> >> there
>>>>>> >> are no other files on the CD or flash drive. Unplug all of the
>>>>>> >> computers from the router. Unplug the router from the Internet.
>>>>>> >> Reset the router to the factory defaults. Plug in the computer
>>>>>> >> with
>>>>>> >> the fresh Windows install. Use it to flash the router with the
>>>>>> >> downloaded firmware. Reset the router again. Set a password for
>>>>>> >> the
>>>>>> >> admin account. Plug the router back in to the Internet and update
>>>>>> >> this computer. Do not plug in any of the other computers until
>>>>>> >> they
>>>>>> >> have been wiped clean and a fresh install of Windows done.
>>>>>> >> The key is to flash the router with a clean computer then set a
>>>>>> >> password on the router before reconnecting to the Internet.
>>>>>> >
>>>>>> > BoaterDave wrote:
>>>>>> >> I feel there is much merit in what you say. FYI I did raise this
>>>>>> >> topic here
>>>>>> >> http://aumha.net/viewtopic.php?t=26677&start=0&postdays=0&postorder=asc&highlight=
>>>>>> >> before I became persona non grata at AumHa.
>>>>>> >> Are you aware of any way to check whether or not a router has been
>>>>>> >> compromised - *before* one follows the procedure you have
>>>>>> >> outlined.
>>>>>> >> I should be interested to learn more about this subject. Do you
>>>>>> >> (or
>>>>>> >> anyone else reading here) have any pointers as to where to begin?
>>>>>> >>
>>>>>> >> I found this item which I found interesting - others may too:-
>>>>>> >> http://www.pcadvisor.co.uk/news/index.cfm?newsid=12026
>>>>>> >>
>>>>>> >> A fairly recent news item here, too:
>>>>>> >> http://www.pcpro.co.uk/news/173883/chinese-backdoors-hidden-in-router-firmware.html
>>>>>> >
>>>>>> > While I know of no way to find out if a router has been
>>>>>> > compromised - if
>>>>>> > there is even one ounce of suspicion that it could have been
>>>>>> > compromised -
>>>>>> > it would be better to reset the router to defaults, set a new
>>>>>> > password
>>>>>> > (strong one) on it, leave remote management turned off, make sure
>>>>>> > wireless
>>>>>> > (if a feature of said router) is using WPA or WPA2 at least for
>>>>>> > security,
>>>>>> > etc.
>>>>>> >
>>>>>> > What makes that even better is doing that 'offline' - the router
>>>>>> > does not
>>>>>> > need an Internet connection for any of that.
>>>>>> >
>>>>>> > In this particular case (that where the original poster seems to
>>>>>> > have been
>>>>>> > targeted in some way - or overlooking some part of re-securing
>>>>>> > their
>>>>>> > entire system (not just the computer)) - the advice is spot-on in
>>>>>> > my
>>>>>> > opinion. Start from the first piece of equipment you can control
>>>>>> > and work
>>>>>> > your way through to the last - keeping them all 'offline' until you
>>>>>> > have
>>>>>> > changed the setup on all of them and secured them to the best of
>>>>>> > your
>>>>>> > ability.
>>>>>> >
>>>>>>
>>>>>>
>>>>>> There's currently two exploits for routers I know of. They both
>>>>>> change the
>>>>>> DNS servers the router uses to compromised DNS servers. This means
>>>>>> whatever
>>>>>> url you type in isn't necessarily where you end up. They can use the
>>>>>> compromised DNS servers to send you wherever they want. You type in
>>>>>> www.google.com and end up at some malware site that tries every trick
>>>>>> in the
>>>>>> book to get more malware on your computer or more likely a site that
>>>>>> is full
>>>>>> of advertising where you are enticed to click on ad links while
>>>>>> trying to
>>>>>> get to where you wanted to go in the first place. It's a vicious
>>>>>> circle.
>>>>>> Every legitimate site you try to go to you're redirected to a
>>>>>> non-legitimate
>>>>>> site. They can even let you get to legitimate online AV sites to scan
>>>>>> the
>>>>>> computer. Because the router is compromised, not the computer, all
>>>>>> the AV
>>>>>> scans come up negative. The original trojan that compromised the
>>>>>> router has
>>>>>> long since erased itself.
>>>>>>
>>>>>> One exploit is a trojan that probes common IP addresses for a router.
>>>>>> If it
>>>>>> finds one it takes advantage of the fact that most people never set a
>>>>>> password on the router and reprograms the DNS settings. The trojan
>>>>>> tries a
>>>>>> few common passwords as well as no password. Setting a strong
>>>>>> password on
>>>>>> the router admin account stops this exploit.
>>>>>>
>>>>>> The other exploit uses a flaw in some older versions of Flash to
>>>>>> change the
>>>>>> router's DNS settings via UPnP. All they have to do is trick you into
>>>>>> watching an infected Flash video. You go to what looks like a normal
>>>>>> website
>>>>>> with some streaming video. While watching the video your router is
>>>>>> reprogrammed. Keeping Flash up to date and/or turning off UPnP on the
>>>>>> router
>>>>>> stops this exploit.
>>>>>>
>>>>>> Doing a hard reset of the router is probably enough to fix a changed
>>>>>> DNS
>>>>>> setting. I have seen a couple of cases on networks that had highly
>>>>>> compromised computers where someone or something had tried to flash
>>>>>> the
>>>>>> router unsuccessfully and the router was toast. This tells me there
>>>>>> may be
>>>>>> an exploit that tries to flash a router. That's why I recommended
>>>>>> flashing
>>>>>> the router.
>>>>>>
>>>>>> --
>>>>>> Kerry Brown
>>>>>> MS-MVP - Windows Desktop Experience: Systems Administration
>>>>>> http://www.vistahelp.ca/phpBB2/
>>>>>>
>>>>>>
>>>>>>