IDS: Re: Computer Security - Long message
FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicted mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------
Well, if ports 12345 and 31337 are open, you have Back Orifice and NetBus
clients installed on your system; start by getting rid of that. If your
company has static IP addresses, the easiest way of proving that this person
is messing with your system is to either get a program that logs the IP
address of anyone connecting to your machine, or, a quick and messy way of
doing this is to leave NetBus and Back Orifice on your system and, when you
come in one day, run the command (netstat -a 20 > c:\anyfilename). This will
be memory intensive and will make one hell of a large file if you run it all
day, but at the end of the day just open the file and search for 31337 or
12345, and the IP address next to it is the IP of your attacker. Now you have
proof.
--
Matt Baudendistel
Microsystems Support
Southern Illinois University of Edwardsville
mbauden@siue.edu
----- Original Message -----
From: Luiz da Camara Leme <camara.leme@mail.telepac.pt>
To: <ids@uow.edu.au>
Sent: Monday, April 19, 1999 2:31 PM
Subject: IDS: Computer Security - Long message
>
> Hello Everyone,
>
> Sorry to disturb you with a somewhat off-topic subject, but I just ran out
> of ideas to cope with a very bad situation, and need someone with a
> suggestion to keep on going with this misery.
>
> I must tell you that I am responsible for supervising the Company's
> hardware and software, but I am not a system administrator, and I lack a
> lot of knowledge which I wish I did have.
> I am losing somewhere between 30 and 50 percent of my time with these
> problems.
>
> I will try to be as short as possible, making a very long story short,
> with only a few major facts, enough to put some questions at the end.
>
> For a few years I have been battling a war against someone in the Company I
> work for, who has access to my computer (and I can't do anything about it),
> and this fellow, with the help of *technicians* of some sort (outsiders),
> started stealing whatever I had in my computer.
> This was probably going on for years without my having noticed it. The
> people who were doing this started being careless, and revealed that they
> knew things they were not supposed to; they were anticipating whatever I
> was doing, up to the point that I started to imagine someone was reading my
> thinking!!!
>
> ZIP drives carried in my pocket all the time were the first solution, with
> some strong encryption.
> On the 6th and 7th of January 1998 they were stolen, but with a lot of the
> files that could not be opened outside my own computer. This was a very bad
> thing but revealed, for sure, WHO was doing this, a person I imagined above
> all suspicion (it's always the same, isn't it?).
> So a break-in at the Company followed one day that I was sufficiently
> careless to leave the Company with my computer ON (I know I should know
> better!) and they opened some of the files, because the most sensitive ones
> had double encryption with different programs, and they lacked the second
> and third keys.
>
> Some months before, I connected my computer to the Net, something I can't
> give up, and one fine day I started noticing that the computer was
> tremendously slow.
> Suggestions and software from the Net, and I realized that a virus of some
> kind had been introduced into my HDs and everything I was writing was being
> sent over the net. First, copies of my files were being made and then sent
> over the lines...
> Again people showed that they even knew when I was supposed to go to the
> post office!
> This kind of virus (I think a kind of Trojan) resisted detection with all
> the software I could throw at it (I am a registered user of all Symantec
> software) and also resisted formatting. I had to have a technician format
> the MBR, but I am not sure I got rid of the *animal*.
>
> This *animal* made copies of all files I was making or manipulating in
> virtual folders. In a 100 MB Zip drive I was able to detect 32 MB of my own
> files. They were made apparent by defragmenting all disks and then deleting
> everything they had (apparently), just to find out what was left. The
> bigger the use, the bigger the virtual folder.
>
> So the hard drives were put in drawers and I started carrying them all the
> time. Well, they just contaminated some diskettes I also used and I got to
> start all over again.
>
> When I circumvented this, they somehow started tampering with the BIOS, and
> it now prevents defragmentation of HDs and Zip disks with whatever program
> I try to do this with: Windows, Norton Utilities, etc. They *defragment*
> the hard drives, say everything is OK, and the HD wasn't defragmented even
> 1 percent. I redo everything and it's the same. ALL Company computers are
> in this situation.
> I reported the incidents in writing, but, because this can be undone by
> the person who did it, I am even afraid of being called a liar if one good
> day a test is done and everything appears OK! (We all know what they will
> do next!)
>
> TODAY, Saturday, I was at the company and had to go out for lunch for less
> than an hour, but carrying my HDs with me. Big mistake. Just 10 minutes
> after I left, the *animal* owner came in.
> I restarted my computer and, looking at and hearing some anomalies at
> startup, I immediately sensed danger. I was right: the Firewall does not
> work properly anymore. All ports but one at a time are not monitored, and
> only the outbound ports. No inbound ports are controlled.
>
> Here I go again...
>
> The logs are full of 12345, 31337/31338, and dozens of others whose meaning
> I do not know and that the Firewall states as Unknown, ports 53, 54, you
> name it. The logs have more warnings than traffic!
>
> Most of these files were already lost with the first formatting, but a few
> days of *work* and I have hundreds of pages of *warnings* again.
>
> I ordered some 32-pin ZIF sockets for Flash EPROMs, and I will buy some
> new BIOS and will carry them with me also.
>
> The HD is almost constantly *working* for no reason at all.
>
> The loss of hours and of personal files, over 2.8 GB of it, is preventing
> me from doing my job as I should, and I am being attacked for this reason
> (by the *animal* owner, who else?)
>
> I simply run out of ideas, so I have some questions.
>
> 1. Is it possible to buy a non-flashable BIOS that could be tamper-proof?
> 2. Is there a way of preventing the use of the BIOS reserved memory for
> other purposes?
> 3. Does anyone know any program that I could use to see whatever is inside
> the BIOS? I heard about one, *Get BIOS*, but it's a very old DOS program.
> Anything else? (This would be really nice.)
> 4. Apart from the BIOS and the BIOS reserved memory at the EPROM inside a
> normal computer, is there any other possibility of interfering with its
> work?
> 5. I was told that the keyboard could also be tampered with for password
> stealing. Is this correct?
>
> Please also note that I was somewhat intentionally vague because I don't
> want to help these people, just in case my mail goes to more places than I
> intend it to (it's not impossible to do with this kind of *animals*).
>
> Hope there is someone who could give some idea on how to cope with these
> fellows!
>
> All the Best
> Luiz da Camara Leme
>
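The logging trick in the reply at the top of this thread (periodic netstat output saved to a file, then searched for 12345 and 31337) reduced to a small parser, added here as an example; it is not code from either poster. The netstat text it parses is constructed for the example in the column layout Windows netstat prints, and the host name ws-luiz and the addresses in it are made up. Port 31338 is in the suspect list only because it appears in the firewall logs quoted in the original message.

```python
"""Added example (not code from either message): reduce saved netstat output
to the remote addresses attached to known backdoor ports, counting how many
samples each peer appeared in.  SAMPLE is constructed for this example; the
host name and addresses in it are made up.
"""
import re
from collections import defaultdict

# Ports the reply ties to the two backdoors.  31338 is included only because
# it shows up in the firewall logs quoted in the original message.
SUSPECT_PORTS = {
    12345: "NetBus",
    31337: "Back Orifice",
    31338: "unknown (seen in the firewall logs)",
}

# One connection line: proto, local endpoint, foreign endpoint, optional state.
# Everything else in the file (banner, column headers, blanks) is ignored.
_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?\s*$"
)


def _split_endpoint(endpoint):
    """'host:port' -> (host, port or None).  Port is None for '*' (unbound)."""
    host, _sep, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Yield (proto, local_host, local_port, remote_host, remote_port, state)."""
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        lhost, lport = _split_endpoint(m.group("local"))
        rhost, rport = _split_endpoint(m.group("remote"))
        yield m.group("proto"), lhost, lport, rhost, rport, m.group("state")


def listening_backdoors(text, suspect_ports=SUSPECT_PORTS):
    """Suspect ports with any socket at all: proof the backdoor is installed."""
    return sorted({e[2] for e in parse_netstat(text) if e[2] in suspect_ports})


def find_backdoor_peers(text, suspect_ports=SUSPECT_PORTS):
    """Map suspect local port -> {remote_host: number of samples it appeared in}.

    Only entries with a real peer are counted: a LISTENING socket and an
    unbound UDP socket ('*:*') carry no remote address, so they cannot name
    the attacker, they only show that the port is open.
    """
    peers = {port: defaultdict(int) for port in suspect_ports}
    for _proto, _lhost, lport, rhost, rport, state in parse_netstat(text):
        if lport not in suspect_ports:
            continue
        if rport in (None, 0) or state == "LISTENING":
            continue
        peers[lport][rhost] += 1
    return {port: dict(seen) for port, seen in peers.items() if seen}


def report(text, suspect_ports=SUSPECT_PORTS):
    """One line per (port, peer), suitable for pasting into a written report."""
    lines = []
    for port, seen in sorted(find_backdoor_peers(text, suspect_ports).items()):
        for host, count in sorted(seen.items()):
            lines.append(
                f"port {port} ({suspect_ports[port]}): peer {host}, seen in {count} sample(s)"
            )
    return lines


# Constructed sample: two snapshots 20 s apart, as 'netstat -a 20' appends them.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    ws-luiz:139            ws-luiz:0              LISTENING
  TCP    ws-luiz:12345          ws-luiz:0              LISTENING
  TCP    ws-luiz:1030           192.0.2.10:80          ESTABLISHED
  TCP    ws-luiz:31337          10.0.0.77:1052         ESTABLISHED
  UDP    ws-luiz:31337          *:*

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    ws-luiz:139            ws-luiz:0              LISTENING
  TCP    ws-luiz:12345          10.0.0.77:1051         ESTABLISHED
  TCP    ws-luiz:31337          10.0.0.77:1052         ESTABLISHED
  TCP    ws-luiz:31338          10.0.0.91:1090         ESTABLISHED
  UDP    ws-luiz:31337          *:*
"""

if __name__ == "__main__":
    print("open backdoor ports:", listening_backdoors(SAMPLE))
    for line in report(SAMPLE):
        print(line)
```

Only lines with an ESTABLISHED peer carry the other end's address; a LISTENING entry or a UDP socket shown as *:* only proves the port is open, so the file has to be captured while the attacker is actually connected. Run netstat with -n as well so the addresses stay numeric instead of being resolved to names, and expect one full table per interval, which is why a long-lived connection is counted more than once above.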