[SunHELP] How I got hacked over the weekend.

Naresh Narang sunhelp at sunhelp.org
Mon May 7 23:05:54 CDT 2001



Hi,

        Thought it might help.
    I am subscribed to the CheckPoint mailing list. I got a mail from there in response to one of my mails. The reply said, "Take a look at the attachment". This mail had an attachment and there was no virus in it. I opened the attachment and it just terminated with an error. I deleted this mail.

     Later, after a reboot, I saw weird things happening. The mails from the Inbox of my Outlook Express were going to the Outbox with the same attachment that I had received before. Fortunately my outgoing mail server setting was wrong and these mails were not delivered.

  I searched for this attachment on my computer but it was not there. Then I had a look at the memory contents and there were some suspicious-looking programs. I had a look at the processes running and found that there were some servers running that I would not expect. Apparently these servers were installed on my system by the hacker to gain access. There were two processes, INETD.exe and KERN32.exe. I found these files and their DLLs in the C:\WinNT and c:\WinNT\system32 directories. I removed these files and the DLLs and their entries from the registry. The problems with the system were gone. The attachment I got had the extension .pif (MP3.pif).

Please do not open any attachment that you do not expect or that looks suspicious, even if it does not contain a virus. Although there may be a firewall and outside access to the Internal Network is blocked, the potential problem is that if this kind of server gets installed, it initiates a connection from the Internal Network to the hacker.


Regards,
Naresh
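The checks described in the post (listing running processes, locating their image files, and finding their registry entries) can be scripted on a current Windows host. The following PowerShell is an added example and not part of the original message: it lists every process that owns an established outbound TCP connection together with its image path, flags any whose name matches the two process names from the post, and searches the standard Run/RunOnce autorun keys for those names. The watchlist contents are taken from the post; treating the Run/RunOnce keys as the only autorun locations is a simplification assumed for this example.

```powershell
# Added example (not from the original post): triage of unexpected server
# processes and their persistence, automating the manual steps the author took.

# Process names reported in the post (constructed watchlist for this example).
$Watchlist = @('INETD', 'KERN32')

# Standard autorun locations; other persistence mechanisms are out of scope here
# (assumption made for this example).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

Write-Host "== Processes with established outbound TCP connections =="
# The post's point: a firewall that blocks inbound traffic does not stop an
# implanted server from connecting out, so the outbound table is what to read.
Get-NetTCPConnection -State Established |
    ForEach-Object {
        $conn = $_
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            PID     = $conn.OwningProcess
            Name    = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            Path    = if ($proc -and $proc.Path) { $proc.Path } else { '<unknown>' }
            Remote  = "$($conn.RemoteAddress):$($conn.RemotePort)"
            # -contains is case-insensitive, so inetd and INETD both match.
            Flagged = [bool]($proc -and ($Watchlist -contains $proc.ProcessName))
        }
    } |
    Sort-Object Flagged -Descending |
    Format-Table -AutoSize

Write-Host "== Autorun entries referencing watchlisted names =="
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PS* metadata properties that Get-ItemProperty adds.
        if ($p.Name -like 'PS*') { continue }
        foreach ($w in $Watchlist) {
            if ("$($p.Value)" -match [regex]::Escape($w)) {
                Write-Host "$key :: $($p.Name) = $($p.Value)"
            }
        }
    }
}
```

Run it in an elevated PowerShell session so that Get-Process can resolve the image path of processes owned by other accounts; a flagged row whose Path sits in a system directory but whose name is not a known Windows binary is the situation the post describes, and the autorun listing shows what to remove from the registry after the file is gone.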
