Threatened with Hack/Now Weird Internet Traffic

Status
Not open for further replies.
Apparently it is possible to actually tag a computer's hardware. Some kind of UID (Unique ID) from either his CPU, motherboard, etc. Or maybe they can somehow find his MAC after he gets a new IP over and over. He connected to his work through telenet, and whatever rootkit was used was spread to over 10,000 machines, work stations, servers, and computers that were remote accessed (Tech support), everyone in his address book, all got hit with this. He lost his job over it.

Whatever way it was tagged, I'd like Jay Beale to explain that one :)
 
Rouen said:
Apparently it is possible to actually tag a computer's hardware. Some kind of UID (Unique ID) from either his CPU, motherboard, etc. Or maybe they can somehow find his MAC after he gets a new IP over and over. He connected to his work through telenet, and whatever rootkit was used was spread to over 10,000 machines, work stations, servers, and computers that were remote accessed (Tech support), everyone in his address book, all got hit with this. He lost his job over it.

Whatever way it was tagged, I'd like Jay Beale to explain that one :)

Yes, it's possible to find the unique ID of your computer hardware from a remote machine, especially the MAC address. But I wouldn't necessarily say anything is left on his computer that you can't get rid of, or that someone can remotely do something, as I was assuming you said in the previous post; you have made it clear in this one.

The only way to effectively get rid of a rootkit is to format and reinstall; anyone who tells you to use a rootkit scanner/detection software doesn't really understand how rootkits work. They are pretty **** hard to get rid of and expensive to monitor.

What I think is that the attacker kept a record of his computer information (Msinfo32.exe); if his IP changes they can just find that out, since you said he has a myspace account which I assume he visits frequently. This shouldn't be a problem if he was behind a good firewall router with a clean OS and no malware and some basic protection. But he is running a honeypot, which is an invitation, and he should be fired in my book, because you don't run a honeypot in your home network along with your production computer. If you don't know what you're doing, it can be a hacker's gateway into your company network.
 
When I told my stepmother that I was considering running a honeypot out of home (I ordered umpteen books on Snort/Ethereal/Visual Basic.net/HoneyPots for Windows and Unix), she repeated this to the Hopkins grad who does tech work for her company, which is a non-profit organization. When she brought it up to him, she said "First thing he did after I said honeypot, his eyes glazed a bit, and he said 'They screwed me...' " That was in reference to the incident on his home network that I brought up.

Yes, I know that the MAC is pretty much hard burned on your network card, with the exception that now that manufacturers have run out of MAC addresses and they are reusing some, you can obtain software from the vendor to change your MAC address. With the exception of a frequently visited site (such as myspace), how does a hacker go about tracking someone's MAC address when the OS is a clean slate and the IP has changed? (Let's say that the ISP has changed too, for good measure.) I want to know so that I can maybe make changes to my machine to somehow prevent that. I do tech work as a side job, and I'm currently in the process of creating registry scripts to harden Win XP Pro on my own, so I can keep my side job legit... too many people claiming rights to programs/scripts, I don't make enough money to get sued lol.
 
Obviously no one wants to answer so just close this thread moderator.

Thanks for the HELP.
 
Rouen, when you see that IP connecting to your computer, are you doing "netstat -an" to see what port they are connecting to? I know that you are doing nslookup to get their IP and that it is using a UDP packet, but maybe if you can see what port they are connecting to, you can stop whatever service it is and see if they get disconnected. If you know the port, then you can use a good port list and find out what program they are either running or trying to run. Just a thought.

Hope you find your answer.
 
It's random ports from various IPs hitting me at the same time with ICMPs. My reg fix keeps them from getting replies or the info they want, etc. I'm not worried so much about the ICMP packets as I am about the number of machines actually doing it in such unison. This is why I want to find out what it means to "connect an IP to a machine." The way it was said, it's some kind of actual port connection, not a hack, worm, trojan, tracking MAC, msinfo32, etc. How do I find out if I'm being monitored, passively or actively?
 
Rouen said:
It's random ports from various IPs hitting me at the same time with ICMPs. My reg fix keeps them from getting replies or the info they want, etc. I'm not worried so much about the ICMP packets as I am about the number of machines actually doing it in such unison. This is why I want to find out what it means to "connect an IP to a machine." The way it was said, it's some kind of actual port connection, not a hack, worm, trojan, tracking MAC, msinfo32, etc. How do I find out if I'm being monitored, passively or actively?

It's not that we don't want to help you; it's just that the scope of the problem isn't easy to tell. I get all sorts of scans and pings from different networks all around the world trying to probe for open ports on my network, from what my router is logging. But I never have to worry, because I maintain these computers and I know that they're clean, not infected, and updated with the latest patches and software. Also, monitoring your network activity with ethereal behind a router doesn't always determine what's going on in your network and outside coming in, because most of the time the router blocks these pings and scans, and since most modern home routers are integrated with switch technology, you'll only capture broadcast packets and others that are directed to you or initiated from you and back to you. If you like, you can connect a hub between the modem and router and set a computer on the hub with ethereal for monitoring; of course there would be a tremendous amount of traffic, but with the filter feature in ethereal you can narrow things down a little. And if your router has a logging feature you can also enable that, and it'll store the log on a computer for you, or you can find software that helps monitor your router.

I just wanted to know, did you just find out about these pings and scans after you were threatened, and then you installed ethereal to find out what might be going on? Because as I said before, we get paranoid and don't realize these things were already happening long before. It's just someone doing a ping or scan on your ISP's network for open ports or vulnerabilities. Everyone gets these all the time.

EDIT: You don't need any software to change your MAC address, just a simple registry hack or device manager. Google "spoof MAC address".
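Added example, not posted by anyone in this thread: a small Python script that applies the router-logging suggestion above to the symptom Rouen describes, flagging windows in which many distinct source addresses send ICMP within a few seconds of each other. The log line format, timestamps and addresses are all constructed for illustration and do not come from any real router.

```python
# Added example (not from the thread): detect the "many hosts in unison"
# pattern from router-style drop logs. Format, times and IPs are constructed.
from datetime import datetime, timedelta

# Constructed sample log: one line per dropped inbound packet.
SAMPLE_LOG = """\
2006-05-01 21:14:02 DROP ICMP 203.0.113.10 -> 192.168.1.5 type=8
2006-05-01 21:14:02 DROP ICMP 198.51.100.77 -> 192.168.1.5 type=8
2006-05-01 21:14:03 DROP ICMP 203.0.113.44 -> 192.168.1.5 type=8
2006-05-01 21:14:03 DROP ICMP 198.51.100.9 -> 192.168.1.5 type=8
2006-05-01 21:14:04 DROP TCP 203.0.113.10:4444 -> 192.168.1.5:135
2006-05-01 21:14:05 DROP ICMP 192.0.2.200 -> 192.168.1.5 type=8
2006-05-01 21:20:30 DROP ICMP 192.0.2.8 -> 192.168.1.5 type=8
"""


def parse(line):
    """Return (timestamp, protocol, source_ip), or None for unparseable lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    proto = parts[3]
    src = parts[4].split(":")[0]  # drop a TCP/UDP source port if present
    return ts, proto, src


def icmp_bursts(log_text, window_s=5, min_sources=3):
    """Find windows of window_s seconds in which at least min_sources
    distinct hosts sent ICMP. Returns a list of (window_start, sorted_sources).
    A single scanner pinging repeatedly does NOT trigger this; only many
    different sources in a short window do, which is the pattern described."""
    events = [e for e in (parse(l) for l in log_text.splitlines())
              if e is not None and e[1] == "ICMP"]
    events.sort()
    bursts = []
    i = 0
    while i < len(events):
        start = events[i][0]
        end = start + timedelta(seconds=window_s)
        srcs = {e[2] for e in events if start <= e[0] < end}
        if len(srcs) >= min_sources:
            bursts.append((start, sorted(srcs)))
            # skip the rest of this window so one burst is reported once
            while i < len(events) and events[i][0] < end:
                i += 1
        else:
            i += 1
    return bursts
```

Tune window_s and min_sources to the background noise your own router logs show; the point is to separate a coordinated burst from the routine scattered scans the reply above describes.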
 
I run gentoo linux and I change my MAC all the time using a simple entry in my net configuration file.

Rouen, have you considered blocking ICMP packets on your firewall? I'm not sure what these guys are after, but that might help.

Also, about the MAC addresses, no TCP/IP stack protocol packet will contain the MAC address outside of the local router. RFC 1918 states that they can't. However, you can gather that information from a rootkit.
 