Cwings was here?
Posted by jaygreg on July 3rd, 2006


Reading online newsclippings this morning, I clicked on a business article
Google News clipped for me and found nothing but the subject entry at the
top. Since I'm still recovering from a virus attack to my main machine, I'm
paranoid. Can anyone tell me what this is? Do I have anything to worry
about? My Symantec SystemWorks suite of programs is running full force and
gave me no signal.


Posted by Sebastian Gottschalk on July 3rd, 2006


jaygreg wrote:
Web errors are spooky!

Huh? A properly flattened and rebuilt system shouldn't exhibit such
behaviour.

Why should it do so?

Posted by jaygreg on July 3rd, 2006


Response too cryptic. What is the implication of a message that reads
"Cwings was here?"


"Sebastian Gottschalk" <seppi@seppig.de> wrote in message
news:4gskj5F1ohb0lU1@news.dfncis.de...


Posted by Sebastian Gottschalk on July 3rd, 2006


jaygreg wrote:
That either some malicious guy or an incompetent administrator fucked up
something.

Maybe it's also Symantec SystemWorks randomly fucking up everything,
just as it's supposed to do.

Posted by Todd H. on July 3rd, 2006


"jaygreg" <jaygreg90@hotmail.com> writes:

Well I gotta say that your original post wasn't really a hallmark of
clarity. #include <glasshouses.h> and all.

But on a more helpful note, I think what Sebastian was emphasizing is
that the only proper way to recover from a malware infection is to
reformat the drive and reinstall from original media. Doing anything
less leaves the door open to your still being owned.

"Cwings was here," depending on where you saw it may indicate a
website was defaced. It could mean you're still owned. It's hard to
tell with what you've described which. If it was a specific site you
visited, if you post the URL perhaps others can help you distinguish
as to whether the message you saw was indicative of a web site being
defaced, or your own machine still having malware on it.


If you're worried about your machine, do the right thing and reformat
your drive, and reinstall your OS and apps from original media, apply
all security updates from behind a very tightly configured hardware
firewall, and go from there.

Best Regards,
--
Todd H.
http://www.toddh.net/

Posted by Sebastian Gottschalk on July 3rd, 2006


Todd H. wrote:

Nitpick: With the pretty unjustified assumption that you carefully
utilized least privilege users, the damage is limited to the user's
account and all his files.

Posted by Todd H. on July 3rd, 2006


Sebastian Gottschalk <seppi@seppig.de> writes:

Yeah, pretty unjustified assumption indeed. Especially given the
original poster's headers:
X-Newsreader: Microsoft Outlook Express 6.00.2800.1409

On that OS, an attacker owns a user and then can typically DLL inject
their way to Admin without much added effort.

--
Todd H.
http://www.toddh.net/

Posted by Sebastian Gottschalk on July 3rd, 2006


Todd H. wrote:
DLL inject? Pretty unlikely, as it requires admin rights in the first place
- did you mean DLL redirection? More likely he will misuse wrong ACLs on
system services, or generally send arbitrary keystrokes whenever a CMD
shell with admin rights is invoked.
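
As an added illustration of the "wrong ACLs on system services" point above (this is example code, not something posted in the thread): a Windows administrator can dump a service's security descriptor with `sc.exe sdshow <service>` and inspect the SDDL string it prints. The parser below decodes the DACL and flags allow-ACEs that give broad, low-privilege principals a right that lets them reconfigure the service. The two SDDL samples are constructed, not captured from a real host.

```python
import re

# Two-letter SDDL access tokens and what they mean for a *service* object.
# (Well-known mapping from the SDDL spec; GA/GW/GR/GX are the generic rights.)
SERVICE_RIGHTS = {
    "CC": "QueryConfig", "DC": "ChangeConfig", "LC": "QueryStatus",
    "SW": "EnumerateDependents", "RP": "Start", "WP": "Stop",
    "DT": "PauseContinue", "LO": "Interrogate", "CR": "UserDefinedControl",
    "SD": "Delete", "RC": "ReadControl", "WD": "WriteDac", "WO": "WriteOwner",
    "GA": "GenericAll", "GW": "GenericWrite", "GR": "GenericRead", "GX": "GenericExecute",
}
# Rights that let the holder change what the service runs, or who controls it.
DANGEROUS = {"ChangeConfig", "Delete", "WriteDac", "WriteOwner", "GenericAll", "GenericWrite"}
# Well-known SID aliases for broad, low-privilege principals (note: "WD" as a SID is Everyone).
LOW_PRIV_SIDS = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users",
                 "IU": "Interactive", "AN": "Anonymous", "BG": "Guests"}

# ACE layout: (type;flags;rights;object_guid;inherit_guid;sid); service ACEs carry no GUIDs.
ACE_RE = re.compile(r"\((?P<type>[A-Z]+);(?P<flags>[^;]*);(?P<rights>[^;]*);;;(?P<sid>[^)]+)\)")

def parse_dacl(sddl):
    """Return [(ace_type, set_of_right_names, sid)] for the DACL ('D:' section) of an SDDL string."""
    m = re.search(r"D:(?:P|AI|AR)*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for ace in ACE_RE.finditer(m.group(1)):
        # Hex masks such as 0x1200a9 yield no tokens here and are left undecoded.
        tokens = re.findall(r"[A-Z]{2}", ace.group("rights"))
        aces.append((ace.group("type"), {SERVICE_RIGHTS.get(t, t) for t in tokens}, ace.group("sid")))
    return aces

def weak_aces(sddl):
    """Return [(principal, sorted_dangerous_rights)] for allow-ACEs that let a
    low-privilege principal reconfigure, delete or take over the service."""
    findings = []
    for ace_type, rights, sid in parse_dacl(sddl):
        if ace_type == "A" and sid in LOW_PRIV_SIDS and rights & DANGEROUS:
            findings.append((LOW_PRIV_SIDS[sid], sorted(rights & DANGEROUS)))
    return findings

# Constructed samples in the format `sc.exe sdshow <service>` prints (not from any real host).
HARDENED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SDDL = "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPLOCRRC;;;AU)"

if __name__ == "__main__":
    for name, sddl in (("hardened", HARDENED_SDDL), ("weak", WEAK_SDDL)):
        print(name, weak_aces(sddl) or "no low-privilege principal can reconfigure this service")
```

The weak sample grants Authenticated Users ChangeConfig (the DC token), which is exactly the misconfiguration a hardening review should remove.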

Posted by Todd H. on July 4th, 2006


Sebastian Gottschalk <seppi@seppig.de> writes:
pwdump2 uses dll injection according to the authors of the program in
the readme. Wanna call it redirection instead, go nuts. The attack
piggybacks off the lsass process, yes. It does not require the user
who attacks this way to have admin rights. The bad guys get the
password hashes, they crack the password hashes quickly with rainbow
tables and voila, administrator accesss.

I left a word misspelled for ya if you'd like to point that out in
your next followup.

Best Regards,
--
Todd H.
http://www.toddh.net/

Posted by Sebastian Gottschalk on July 4th, 2006


Todd H. wrote:

pwdump2 doesn't work as non-admin.

Would you please utilize Google if the terminology isn't clear to you?

It does, it does.

Too bad that rainbow tables don't work against NTLM hashes. And if
you've got an LM hash, you're pissed off anyway.