Cwings was here?

Discussion in 'Computer Security' started by jaygreg, Jul 3, 2006.

  1. jaygreg

    jaygreg Guest

    Reading online news clippings this morning, I clicked on a business article
    Google News clipped for me and found nothing but the subject entry at the
    top. Since I'm still recovering from a virus attack to my main machine, I'm
    paranoid. Can anyone tell me what this is? Do I have anything to worry
    about? My Symantec SystemWorks suite of programs is running full force and
    gave me no signal.
    jaygreg, Jul 3, 2006
    #1

  2. jaygreg wrote:
    > Reading online news clippings this morning, I clicked on a business
    > article Google News clipped for me and found nothing but the subject
    > entry at the top.


    Web errors are spooky!

    > Since I'm still recovering from a virus attack to my main machine, I'm
    > paranoid.


    Huh? A properly flattened and rebuilt system shouldn't exhibit such
    behaviour.

    > My Symantec SystemWorks suite of programs is running full force and
    > gave me no signal.


    Why should it do so?
    Sebastian Gottschalk, Jul 3, 2006
    #2

  3. jaygreg

    jaygreg Guest

    Response too cryptic. What is the implication of a message that reads
    "Cwings was here?"


    "Sebastian Gottschalk" <> wrote in message
    news:...
    > jaygreg wrote:
    > > Reading online news clippings this morning, I clicked on a business
    > > article Google News clipped for me and found nothing but the subject
    > > entry at the top.

    >
    > Web errors are spooky!
    >
    > > Since I'm still recovering from a virus attack to my main machine, I'm
    > > paranoid.

    >
    > Huh? A properly flattened and rebuilt system shouldn't exhibit such
    > behaviour.
    >
    > > My Symantec SystemWorks suite of programs is running full force and
    > > gave me no signal.

    >
    > Why should it do so?
    jaygreg, Jul 3, 2006
    #3
  4. jaygreg wrote:
    > Response too cryptic. What is the implication of a message that reads
    > "Cwings was here?"


    That either some malicious guy or an incompetent administrator fucked up
    something.

    Maybe it's also Symantec SystemWorks randomly fucking up everything,
    just as it's supposed to do.
    Sebastian Gottschalk, Jul 3, 2006
    #4
  5. Todd H.

    Todd H. Guest

    "jaygreg" <> writes:

    > Response too cryptic. What is the implication of a message that reads
    > "Cwings was here?"


    Well I gotta say that your original post wasn't really a hallmark of
    clarity. #include <glasshouses.h> and all.

    But on a more helpful note, I think what Sebastian was emphasizing is
    that the only proper way to recover from a malware infection is to
    reformat the drive and reinstall from original media. Doing anything
    less leaves the door open to your still being owned.

    "Cwings was here," depending on where you saw it may indicate a
    website was defaced. It could mean you're still owned. It's hard to
    tell with what you've described which. If it was a specific site you
    visited, if you post the URL perhaps others can help you distinguish
    as to whether the message you saw was indicative of a web site being
    defaced, or your own machine still having malware on it.


    If you're worried about your machine, do the right thing and reformat
    your drive, and reinstall your OS and apps from original media, apply
    all security updates from behind a very tightly configured hardware
    firewall, and go from there.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
    Todd H., Jul 3, 2006
    #5
  6. Todd H. wrote:

    > If you're worried about your machine, do the right thing and reformat
    > your drive, and reinstall your OS and apps from original media, apply
    > all security updates from behind a very tightly configured hardware
    > firewall, and go from there.


    Nitpick: With the pretty unjustified assumption that you carefully
    utilized least privilege users, the damage is limited to the user's
    account and all his files.
    Sebastian Gottschalk, Jul 3, 2006
    #6
  7. Todd H.

    Todd H. Guest

    Sebastian Gottschalk <> writes:

    > Todd H. wrote:
    >
    > > If you're worried about your machine, do the right thing and reformat
    > > your drive, and reinstall your OS and apps from original media, apply
    > > all security updates from behind a very tightly configured hardware
    > > firewall, and go from there.

    >
    > Nitpick: With the pretty unjustified assumption that you carefully
    > utilized least privilege users, the damage is limited to the user's
    > account and all his files.


    Yeah, pretty unjustified assumption indeed. Especially given the
    original poster's headers:
    X-Newsreader: Microsoft Outlook Express 6.00.2800.1409

    On that OS, an attacker owns a user and then can typically DLL inject
    their way to Admin without much added effort.

    --
    Todd H.
    http://www.toddh.net/
    Todd H., Jul 3, 2006
    #7
  8. Todd H. wrote:
    > Sebastian Gottschalk <> writes:
    >
    >> Todd H. wrote:
    >>
    >>> If you're worried about your machine, do the right thing and reformat
    >>> your drive, and reinstall your OS and apps from original media, apply
    >>> all security updates from behind a very tightly configured hardware
    >>> firewall, and go from there.

    >> Nitpick: With the pretty unjustified assumption that you carefully
    >> utilized least privilege users, the damage is limited to the user's
    >> account and all his files.

    >
    > Yeah, pretty unjustified assumption indeed. Especially given the
    > original poster's headers:
    > X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
    >
    > On that OS, an attacker owns a user and then can typically DLL inject
    > their way to Admin without much added effort.


    DLL inject? Pretty unlikely, as it requires admin rights in the first place
    - did you mean DLL redirection? More likely he will misuse wrong ACLs on
    system services, or generally send arbitrary keystrokes whenever a CMD
    shell with admin rights is invoked.
    Sebastian Gottschalk, Jul 4, 2006
    #8
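The "wrong ACLs on system services" point above is the one a defender can actually audit. The following is an added example, not code from the thread or from either poster: it parses the SDDL string that `sc.exe sdshow <service>` prints for a service's DACL and flags allow-ACEs that grant a broad principal (Everyone, Authenticated Users, Builtin Users, Interactive Users, Anonymous) a right that lets them reconfigure the service, such as SERVICE_CHANGE_CONFIG or WRITE_DAC. The SDDL strings at the bottom are constructed samples, not captured from any real host; the right and SID abbreviations are Microsoft's documented SDDL codes.

```python
"""Audit Windows service DACLs (SDDL form) for rights that let ordinary users
reconfigure a service. Added example with constructed sample data."""
import re
from dataclasses import dataclass, field

# SDDL two-letter right codes that give control over the service object itself
# (not merely start/stop), plus the generic-right bits that imply them.
DANGEROUS_RIGHTS = {
    "DC": "SERVICE_CHANGE_CONFIG: change binary path or run-as account",
    "WD": "WRITE_DAC: rewrite the service's own ACL",
    "WO": "WRITE_OWNER: take ownership, then rewrite the ACL",
    "GW": "GENERIC_WRITE",
    "GA": "GENERIC_ALL",
}
RIGHT_BITS = {0x00000002: "DC", 0x00040000: "WD", 0x00080000: "WO",
              0x40000000: "GW", 0x10000000: "GA"}

# Well-known SID abbreviations for principals every local user belongs to.
BROAD_PRINCIPALS = {"WD": "Everyone", "AU": "Authenticated Users",
                    "BU": "Builtin Users", "IU": "Interactive Users",
                    "AN": "Anonymous Logon"}


@dataclass
class Finding:
    service: str
    principal: str
    rights: list = field(default_factory=list)


def rights_codes(rights_field):
    """Turn an ACE rights field into a set of two-letter codes. SDDL writes rights
    either as concatenated codes ("CCDCLCSW...") or as a hex access mask."""
    if rights_field.lower().startswith("0x"):
        mask = int(rights_field, 16)
        return {code for bit, code in RIGHT_BITS.items() if mask & bit}
    return {rights_field[i:i + 2] for i in range(0, len(rights_field), 2)}


def parse_dacl(sddl):
    """Return (ace_type, rights_codes, sid) for each ACE in the D: section only.
    The S: (audit) section is skipped: its ACE type "AU" would otherwise be
    mistaken for the Authenticated Users SID."""
    m = re.search(r"D:[PARI]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        parts = ace.split(";")
        if len(parts) < 6:
            continue  # malformed ACE; skip rather than guess at its meaning
        ace_type, rights, sid = parts[0], parts[2], parts[5]
        aces.append((ace_type, rights_codes(rights), sid))
    return aces


def audit_service_sddl(service, sddl):
    """One Finding per allow-ACE that grants a broad principal a dangerous right."""
    findings = []
    for ace_type, codes, sid in parse_dacl(sddl):
        if ace_type != "A" or sid not in BROAD_PRINCIPALS:
            continue
        bad = sorted(codes & set(DANGEROUS_RIGHTS))
        if bad:
            findings.append(Finding(service, BROAD_PRINCIPALS[sid], bad))
    return findings


# Constructed SDDL strings in the shape `sc.exe sdshow <service>` prints them.
DEFAULT_LIKE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_CONFIG = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)")   # Authenticated Users hold DC
WEAK_HEX = "D:(A;;0x40000;;;WD)"                    # Everyone holds WRITE_DAC

if __name__ == "__main__":
    for name, sddl in [("ok", DEFAULT_LIKE), ("weak", WEAK_CONFIG), ("hex", WEAK_HEX)]:
        for f in audit_service_sddl(name, sddl):
            print(f"{f.service}: {f.principal} holds {', '.join(f.rights)} "
                  f"({'; '.join(DANGEROUS_RIGHTS[r] for r in f.rights)})")
```

The default-like descriptor produces no finding because Interactive Users only hold query/enumerate rights; the two weak descriptors are flagged. Start/stop rights (RP/WP) are deliberately not treated as dangerous here, since they cannot change what the service runs; the remediation for a real finding is to reset the DACL with `sc.exe sdset` so that only SYSTEM and Administrators hold DC, WD and WO.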
  9. Todd H.

    Todd H. Guest

    Sebastian Gottschalk <> writes:
    > Todd H. wrote:
    > > Sebastian Gottschalk <> writes:
    > >
    > >> Todd H. wrote:
    > >>
    > >>> If you're worried about your machine, do the right thing and reformat
    > >>> your drive, and reinstall your OS and apps from original media, apply
    > >>> all security updates from behind a very tightly configured hardware
    > >>> firewall, and go from there.
    > >> Nitpick: With the pretty unjustified assumption that you carefully
    > >> utilized least privilege users, the damage is limited to the user's
    > >> account and all his files.

    > >
    > > Yeah, pretty unjustified assumption indeed. Especially given the
    > > original poster's headers:
    > > X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
    > >
    > > On that OS, an attacker owns a user and then can typically DLL inject
    > > their way to Admin without much added effort.

    >
    > DLL inject? Pretty unlikely, as it requires admin rights in the first place
    > - did you mean DLL redirection? More likely he will misuse wrong ACLs on
    > system services, or generally send arbitrary keystrokes whenever a CMD
    > shell with admin rights is invoked.


    pwdump2 uses dll injection according to the authors of the program in
    the readme. Wanna call it redirection instead, go nuts. The attack
    piggybacks off the lsass process, yes. It does not require the user
    who attacks this way to have admin rights. The bad guys get the
    password hashes, they crack the password hashes quickly with rainbow
    tables and voila, administrator accesss.

    I left a word misspelled for ya if you'd like to point that out in
    your next followup.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
    Todd H., Jul 4, 2006
    #9
  10. Todd H. wrote:

    >> DLL inject? Pretty unlikely, as it requires admin rights in the first
    >> place - did you mean DLL redirection? More likely he will misuse
    >> wrong ACLs on system services, or generally send arbitrary
    >> keystrokes whenever a CMD shell with admin rights is invoked.

    >
    > pwdump2 uses dll injection according to the authors of the program in
    > the readme.


    pwdump2 doesn't work as non-admin.

    > Wanna call it redirection instead,


    Would you please utilize Google if the terminology isn't clear to you?

    > The attack piggybacks off the lsass process, yes. It does not
    > require the user who attacks this way to have admin rights.


    It does, it does.

    > The bad guys get the password hashes, they crack the password hashes
    > quickly with rainbow tables


    Too bad that rainbow tables don't work against NTLM hashes. And if
    you've got an LM hash, you're pissed off anyway.
    Sebastian Gottschalk, Jul 4, 2006
    #10
