
Printer port hacked

Discussion in 'Security and Privacy' started by dbltrbl, 2002/07/30.

Thread Status:
Not open for further replies.
  1. 2002/09/30
    dbltrbl Inactive Thread Starter

    Prologue

    What started with my printer got serious; my intruder was no kid wanting to exercise his joystick gaming. My system was set up as a server IIS, SMTP, TELNET files found. "Client" access provided for his buddies to get in too. My lack of technical knowledge led from computer shop masquerading as qualified (wiped H/D five times in 45 days only to bring the box home and within 15 minutes he was in again.) Learned valuable lessons about security. The REAL pros found hundreds of movie/music files and so much more - hacker using me for what they call a "mule" to cover tracks and just plain storage. There is lots of money for "them" to make from pirated software. Peace.
     
  2. 2002/09/30
    Newt Inactive

    Thanks for posting back.

    And that sounds moderately horrible. How did you get things fixed?
     


  4. 2002/09/30
    Zephyr Inactive

    dbltrbl

    This has been an educational post for most of the people who doubted you had any problem. I didn't comment earlier because I figured you were in good hands.

    This points out the hazards of being on-line and shows that there are some bases that Zone Alarm doesn't cover.

    I have looked for better protection but I usually end up finding it costs much more and is too bothersome.

    My best defense has evolved to killing the power to my cable modem when not being used. It's outboard and easy to switch separately.

    I also use GoBack and an interesting side benefit of it is, it records the hard disk activity in a user accessible GUI log. It's easy to spot strange activity and I've been alerted of spyware several times that way.

    Post back any interesting developments and lessons learned, methods used, please.

    Good luck.
     
  5. 2002/10/01
    brett Inactive Alumni

    Not really, because I don't understand what happened or how it happened. :confused: There are two aspects in particular which flummox me:

    1) Why the AV scan(s) failed to detect any remote administration tool(s);

    2) How remote access was obtained after the formatting of the HDD and installation of the firewall (but see below);

    The only base which ZA does not cover is that of user incaution. Remote access to a firewalled machine can only be gained if the user installs some form of remote administration tool (such as Netbus) to which (s)he then grants the necessary firewall permissions.

    It would indeed be interesting to know more!
     
  6. 2002/10/08
    dbltrbl Inactive Thread Starter

    Newt, Zephyr, Brett

    Too late, I learned wiping a HD meant removing all data, re-format, reload O/S and all applicable patches. In a prior service with another shop, they additionally updated drivers and even installed the most current versions of S/W. The 5X charlatans simply deleted or uninstalled large blocks of files, then reinstalled the O/S. What remained were previously planted executables which were remotely (telephony) reawakened to do their dirty work. Keystroke logs ensured he did not have to be monitoring when I came online, as they gave every file changed, deleted, or worked with in any way. Physically, the interior of the tower should have been checked and contents recorded on each visit. Besides being an innately curious owner, my first clues to look further were a drastic reduction in usable H/D space and a major slowdown in Broadband speed. W98 was bid farewell in preference to W2K; preferred by the Pro techs as being better security-oriented. Zephyr, ZA is history. I was so gullible as to initially miss that it had been "emulated" and that I was responding to false dialogue box prompts. That alone convinced me to bid it Adios. A hardware, as well as software, firewall along with a stiffer O/S also assist. I don't take anything for granted now and consider it just part of cyber "housekeeping" to check out massive MB's added to H/D volume. User "incaution" had nothing to do with it. "Intruder" and his minions continually change servers (thereby changing their IP designation.)
    I should have (every visit) made sure the box was checked for alien doodads. Tweaking the system settings being done now. The Catch-22 of security as tight as you can get is configuration so you can't easily use your own system.
    Microsoft suggested paying extra every month for a more-frequent rollover of IP numbers. The hardest request of the Pro's for me to honor was to sit back (with hard/soft firewalls running) and wait to log ID'ing IP and MAC numbers). Patience eventually paid off.
    Any opinion as to the security vulnerability inherent in file sharing?
     
    Last edited: 2002/10/08
  7. 2002/10/08
    Newt Inactive

    "Any opinion as to the security vulnerability inherent in file sharing?"
    Internet file sharing or file sharing within your local LAN?

    Sounds like you got hit by some pretty savvy critters. But even in that case, a really good firewall such as Black Ice (and probably others) can be set to do the usual of closing most ports (which means nothing can leak back out) and allowing others but can also be set to monitor the type of packets trying to enter/exit ports you have open and to only allow certain types.

    For instance, set port 80 to open so you can do browsing but also set it to only allow HTTP packets.
     
  8. 2002/10/10
    dbltrbl Inactive Thread Starter

    Newt

    Thanks for the suggestion. My visitor has Windows backwards and forwards but I stop short of bestowing "respect"; what a waste of knowledge. He interacted with me. I deleted one of "his" files and immediately the following happened as I watched my monitor: The blue IE icon on the left Quick Launch bar went POOF, replaced with a generic Windows sheet of paper with the upper right corner folded down, no center colored icon. Then, next to the clock, the ZA icon went POOF, replaced by the same generic Windows icon. I immediately tried to go to the Control Panel for Internet Explorer repair and received this response; what looked like an absolutely bona fide Windows dialogue response box appeared with nothing else but "Access Denied!" in the center of it.
     
    Last edited: 2002/10/10