
Security Problems. [Pro's only]

  • 21-11-2005 12:40am
    #1
    Closed Accounts Posts: 231 ✭✭


    I recently had a bad security problem involving a service called 'FireDaemon' which was installed on my computer without my permission. This all happened after I installed Windows IIS to test server-side code on my local machine. But unfortunately you cannot seem to be able to do anything these days without some script kiddy messing with your data.

    Fact: Someone installed FireDaemon using my local server and disabled my Sygate firewall, corrupting Windows Firewall and activating the Guest account to remotely access my machine.

    Since this occurred I have had terrible internet-related problems. Whenever I log on I get the "This connection has limited or no connectivity" message for both my DSL router (connected via USB) and my LAN wireless router (which I'm connected to via LAN cable; the family connects wirelessly). But I am still able to connect to the internet sometimes, it's moody, but I presume it's through the USB from the DSL router. So why am I telling you all this?...

    Security! I'm getting more concerned about it. I have Sygate Personal Firewall Pro on my system, a decent FW (I thought). In the options I have everything set to on except DLL fingerprinting. I mean stealth, anti-IP and MAC spoofing etc. etc. Earlier on I went onto the Symantec site and did their online threat assessment. In the results no ports came back in stealth, some were closed and some were very much open to my surprise. That's including Telnet, Ping, FTP, HTTP for incoming transmissions etc. I manually configured SPF to block the ports but I still get the same result back. I also tried a test on the Sygate site and it came back with these results:

    Web Server Found = Server: RomPager/4.07 UPnP/1.0
    Telnet Open = Password:
    FTP Server Open = 220 p623r-t1 FTP version 1.0 ready at Sat Jan 01 14:18:10 2000

    Another thing I wanted to bring up was a strange problem: if I plug in my LAN cable my computer completely freezes. It won't respond because the CPU sticks at 100% permanently and gets 10 degrees hotter until I literally have to reboot. It's so under pressure it takes about 2 minutes to move the mouse in the direction you moved it. The process that seems to be doing this is svchost.exe as far as I can tell. Any ideas why this is happening? I'm really at my wits' end with this. My machine is custom made by me (AMD 64 3500+, 400GB RAID 0). If you need any more info I can post it up.

    So basically I'm looking for someone with any information I could use. Any advice on what I should do or look for? How do I hide these ports and completely get rid of IIS so it won't happen again? Why is my LAN so screwed up? I really appreciate your help...

    P.


Comments

  • Closed Accounts Posts: 282 ✭✭matu


    To uninstall IIS: go to Control Panel, Add/Remove Programs, Windows Components and uncheck IIS. You may need your Windows XP CD in the drive.

    As for the ports that are open... port 80, FTP, Telnet etc. etc. ... they are grand. Those are standard ports. I wouldn't worry too much about them. Have you tried running an anti-virus scan and an anti-spyware scan?


  • Closed Accounts Posts: 282 ✭✭matu


    That message you are getting about limited or no connectivity... to disable that message, go to Network Connections, right-click on LAN, select Properties and then uncheck the bottom box there.


  • Closed Accounts Posts: 231 ✭✭Lydesia


    matu wrote:
    To uninstall IIS: go to Control Panel, Add/Remove Programs, Windows Components and uncheck IIS. You may need your Windows XP CD in the drive.

    I did that. But there are still traces of a local server set-up, as the scan revealed. I was told a Telnet port should never be open unless you are using it for Telnet comms, which I'm not. Plus port 80 should only be open for outgoing connections. I do appreciate the feedback though, thanks.


  • Registered Users, Registered Users 2 Posts: 566 ✭✭✭dalk


    If I were you... I would back up your data and low-level format that box. The FireDaemon install and open FTP etc. is fairly obvious, but there could be a nice stealthy rootkit, backdoor etc. installed that would be harder to find and get rid of. It's a pain but often it is quicker to start from scratch than researching and fixing problems...

    You will also have to check out any other PCs on the network as they could have been compromised first and used as the conduit for attacking that PC...


  • Closed Accounts Posts: 231 ✭✭Lydesia


    I actually have backed up my data.
    I decided to do a format last week so I could start from scratch. I tried to do a full install of Windows, but when I reboot I just get the "Blue screen of death" error. :[ So a full format may be the only option. Have you any suggestions for a format tool? P.

    Cheers btw


  • Registered Users, Registered Users 2 Posts: 6,605 ✭✭✭gline


    Lydesia wrote:
    I actually have backed up my data.
    I decided to do a format last week so I could start from scratch. I tried to do a full install of Windows, but when I reboot I just get the "Blue screen of death" error. :[ So a full format may be the only option. Have you any suggestions for a format tool? P.

    Cheers btw

    I know Maxtor do a tool on their website.


  • Registered Users, Registered Users 2 Posts: 29,201 ✭✭✭✭_Kaiser_


    gline wrote:
    I know Maxtor do a tool on their website.

    Most of the major hard disk manufacturers do the same. Get the one appropriate for your drive.


  • Registered Users, Registered Users 2 Posts: 944 ✭✭✭SwampThing


    Lydesia, I can sympathise here - I've been hit over the weekend and have similar problems - network connection problems (right-click and Repair just hangs), little or no web connectivity, general slowness in ordinary tasks.
    It all started after running an .exe that I knew I shouldn't have, and I regretted it the minute I did.

    I've put an amount of effort into restoring the system, the final hurdle I thought was a disabled desktop background, but even after fixing that, the network issues started. I was hoping it was a BT issue over the weekend but my gut is that the machine is riddled. It's not even getting an IP address from the router at present, so seems to me the IP stack is fecked. I'll double-check the router this evening with another PC but tbh, I'm pretty much resigned to a 'format c:'

    Anyway, not much help I know, but you're not alone.


  • Registered Users, Registered Users 2 Posts: 15,995 ✭✭✭✭blorg


    If you are reinstalling the OS (Windows XP?) you just need to boot from the CD drive and it will give you the option of repartitioning and reformatting the drive as part of the install process, no specialised 'format tool' needed.


  • Closed Accounts Posts: 2,279 ✭✭✭DemonOfTheFall


    If my PC got that owned by some hacker I would just reformat the drive, no questions asked. I wouldn't trust it to ever be clean again; you never know what crap they could have hidden around your system if they got root.


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    It looks like those services are those of the DSL router (a ZyXEL Prestige 623, correct?), not your PC.
    These must not be accessible from the net, only from the LAN (or in your case only from the USB-connected PC). The manual should tell you how to set this.

    FireDaemon is only a way of running another program as a service. Might be worth looking up the FireDaemon entries in the registry to find what program it was actually running.

    Edit: the ZyXEL is dual interface. Disconnect the USB.
    Connect to the router's management interface.
    Make sure NAT is active (SUA only).
    In Remote Management:
    Disable Telnet
    Set FTP and Web to LAN only
    Disable UPnP

    Having both interfaces connected at the same time might produce confusing routing.
    Have you changed the password on the device?

    As for the network issues:
    Can you open a console and enter netstat -ba to see which programs are making connections to what addresses?
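
    The two checks ressem suggests (what the FireDaemon service wrapper was configured to run, and which process owns each open port), as an added example that is not from any poster in this thread. It assumes a modern Windows with PowerShell and an elevated console; the 'firedaemon' substring and the Parameters subkey are assumptions about how the wrapper registers itself, not facts from the thread.

    ```powershell
    # Added example, not from the thread. Run from an elevated PowerShell prompt.
    # Part 1: find services whose binary path mentions the wrapper and dump what
    # they were configured to run. Services live under this registry key; the
    # 'Parameters' subkey is where many service wrappers keep the wrapped command
    # (assumption: FireDaemon follows that convention).
    $pattern = 'firedaemon'   # assumed substring of the wrapper's ImagePath

    $services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in $services) {
        $img = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($img -and $img -match $pattern) {
            Write-Output "Service:   $($svc.PSChildName)"
            Write-Output "ImagePath: $img"
            $params = Get-ItemProperty -Path "$($svc.PSPath)\Parameters" -ErrorAction SilentlyContinue
            if ($params) {
                # Print every value under Parameters except PowerShell's own PS* metadata
                $params.PSObject.Properties |
                    Where-Object { $_.Name -notlike 'PS*' } |
                    ForEach-Object { Write-Output "  $($_.Name) = $($_.Value)" }
            }
        }
    }

    # Part 2: the modern equivalent of 'netstat -ba': every listening or
    # established TCP endpoint joined to the process that owns it, so an
    # unexpected listener (Telnet, FTP, HTTP) can be traced to its executable.
    Get-NetTCPConnection -State Listen, Established |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalPort  = $_.LocalPort
                RemoteAddr = $_.RemoteAddress
                State      = $_.State
                PID        = $_.OwningProcess
                Process    = $proc.ProcessName
                Path       = $proc.Path
            }
        } | Sort-Object LocalPort | Format-Table -AutoSize
    ```

    A listener on 21, 23 or 80 that maps to a process on the PC (rather than nothing, because the port belongs to the router) is the case worth investigating further.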

