Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • December 06, 2016, 04:14:25 AM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: When a home server goes to the dark side: A hands on experience  (Read 3820 times)

wreckedcarzz

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 1,623
    • View Profile
    • Donate to Member
When a home server goes to the dark side: A hands on experience
« on: November 20, 2008, 04:51:47 PM »
NOTE: Watch for overuse of bold-ed words :P

When a home server goes to the dark side: A hands on experience - brought to you by your local forum idiot, wreckedcarzz!

I'm sure everyone here at DC has had the overjoying ... feeling (if you want to call it that) of knowing that your system has been hosed by a <insert malicious software type here>. But I figured I would give my experience here, just because it is a little on the oddball side.

I have a total of 6 (working) computers in my house, 5 connected to the internet. Of those 5, 3 are now equipped with security measures. As of 24 hours ago, 1 of them was equipped with similar measures. During those 24 hours, I experienced something that was both aggravating and frightening: my homebrew "home server", was the target of a seemingly random (and lucky) IP hit-and-run virus infection. Now that wouldn't be an issue if the target had been this PC (my gaming machine), that I recently got advice for on securing, because it is quite solidified now. The problem would lie elsewhere, due to my own fault and/or laziness.

Yesterday, November 19th, 2008:

I came home with a friend and was ready to play some COD4 on the LAN. No problem. We both booted the machines (he plays on the Gateway "server"), and loaded the map. But the Gateway timed out. This repeated for some time as I tweaked the console to enable longer timeouts, but the FPS was staggeringly low and map load times were at least 10x longer than normal. He asked to switch PCs so I could fix it, and I found that BOINC and LogMeIn had errors when I tried to start them. I ran the usual maintenance scheme (Cleaning, registry cleaning, reboot, prep for defrag) - but I didn't get to the defragment. When the computer rebooted, a command prompt window opened, touting the name "dl.exe". However a quick C+A+D reveals that the actual filename is (I'm guessing here, it has since been deleted) "nvbdl.exe". Hmm... but that file appears to be (according to its properties) a "Microsoft Windows Operating System" file. OK, it must be legitimate. I rebooted again and it reappeared, so I opened up the D:\ drive and launched the Spyware Terminator installer. Once again I get an error that it cannot start. This happens with ANY EXE in the folder, so I try something else. It launches fine. I managed to get Windows Defender to scan over the network, but it came up clean. Well... maybe... lets do a Windows XP Repair!

About 3 hours later, everything is the same, just Windows seems... better. As my friend leaves, I move the hard drive to my gaming computer and run a scan with Windows Defender (this time it is a local disk). Again, clean. I gave up for the night and concluded that "I did have a virus, and the only thing that hadn't gone wrong today was that my room hasn't caught fire [yet]".*

Today, November 20th, 2008:

I come home from school on early release and get to work on the Gateway. I put the hard drive back in the original machine and manage to get Firefox to load the Spyware Terminator download. 2 hours later, at over 1500 entries, ST has completed its scan and has quarantined the EXEs - if I had to guess, I would say at least 80% of them on the machine. It is a miracle that Windows' core files didn't take a beating. Maybe the Repair helped after all.

I'm currently running another "Full Spyware & Virus Scan", with nothing coming up, but the battle hasn't ended nearly that easily.

Following a recommendation I found here at DC, I downloaded and now use a great piece of software called GoodSync. It does a fantastic job. If you already know where this is going, you haven't seen half of it.

As I install Spyware Terminator and System Protect (related programs, same publisher) onto all the systems, the laptop starts to "freak out". Windows (GUI, not the OS) start to lag. The control panel throws a fit and won't respond. The installation pushes on.

An hour later, the laptop is still scanning with 555 virus entries and counting. Now, if you don't understand how the laptop was infected, it may help to know that:

  • The laptop syncs with the Gateway
  • The Gateway was still scanning and removing at laptop boot time
  • The laptop syncs at logon
  • The laptop only has Windows Defender and Windows Firewall

Therefore, while the Gateway was being rid of its viruses, the laptop was receiving them, but in a legitimate file sync.

The other computers' status are unknown, but appear clean.

The Gateway is still running its scan, and it is far from secure, but I guess that's the price of running a fileserver on an unsecured LAN (the computers, not the Wi-Fi) in the router's De-Militarized Zone (like I said, I'm lazy, and it hosts a LOT of games). Plus, Windows hadn't had it's non "Urgent" updates yet. It's like leaving the keys in front of the open door with a pot of gold in the living room. And I just got burglarized.


Moral of this story: Don't let this happen to you.


Now I'm off to go download and copy ALL those 40GB of files back onto the D:\ drive... oh boy, what a great week... :( :-\ :P

* On a side note, I had a REALLY crappy day
« Last Edit: November 20, 2008, 06:04:32 PM by wreckedcarzz »

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 7,714
    • View Profile
    • The Blog of Deozaan
    • Read more about this member.
    • Donate to Member
Re: When a home server goes to the dark side: A hands on experience
« Reply #1 on: November 20, 2008, 07:11:03 PM »
Sounds like a nightmare! :(


wreckedcarzz

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 1,623
    • View Profile
    • Donate to Member
Re: When a home server goes to the dark side: A hands on experience
« Reply #2 on: November 20, 2008, 09:01:15 PM »
Just figured I would update, the server was recovered but the virus did irreversible damage to Windows Explorer and several other components. I am reformatting it now with the (original, 1.0) Windows XP disk. That won't take long to update! ;D

EDIT: I did beat it on 2/3 of the computers though, my gaming (main) PC and laptop made it out without significant damage. Simple re-installs of a couple apps will bring them back to full cycle again.
« Last Edit: November 20, 2008, 09:10:41 PM by wreckedcarzz »

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: When a home server goes to the dark side: A hands on experience
« Reply #3 on: November 20, 2008, 09:35:43 PM »
What's the name of the malware? It's been a long time since I've seen anything that actually infects EXE files, these days it's mostly "just" a trojan+rookit. Pretty nasty getting your system hammered that bad.

Morale of the story? NEVER USE DMZ, be sure to have Windows Firewall enabled, and be careful what you synchronize... you really only should be syncing data files, not executables. Oh, and try to run as non-admin (on Vista: with UAC enabled) :)

I wonder how the malware got in, anyway. Your "server" was both DMZ and didn't have Windows Firewall? Does anybody ever use it for browsing, mails, etc?
- carpe noctem

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,768
    • View Profile
    • Donate to Member
Re: When a home server goes to the dark side: A hands on experience
« Reply #4 on: November 20, 2008, 09:48:41 PM »
I am reformatting it now with the (original, 1.0) Windows XP disk. That won't take long to update! ;D

You might want to consider slipstreaming SP3 into XP before you reinstall. nlite is probably the easiest way to do that. Just a thought - and good luck. :)

wreckedcarzz

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 1,623
    • View Profile
    • Donate to Member
Re: When a home server goes to the dark side: A hands on experience
« Reply #5 on: December 01, 2008, 01:02:33 PM »
Late reply, I *just* got my 300 or so emails (I should check that more often) :P

What's the name of the malware? It's been a long time since I've seen anything that actually infects EXE files, these days it's mostly "just" a trojan+rookit. Pretty nasty getting your system hammered that bad.

Not sure. I couldn't ID it before I gave up, so I can't say. It was bad though - anything that ran was infected, and the infection had apparantly been there for several hours before anyone noticed (it seemed to show itself only at reboot). I guess it was idle for so long that it went on a rampage of some type and had a blast with my hard drives (one for Windows, downloads (all computers) and ĀµTorrent, and one for backups).

Morale of the story? NEVER USE DMZ, be sure to have Windows Firewall enabled, and be careful what you synchronize... you really only should be syncing data files, not executables. Oh, and try to run as non-admin (on Vista: with UAC enabled) :)

I wonder how the malware got in, anyway. Your "server" was both DMZ and didn't have Windows Firewall? Does anybody ever use it for browsing, mails, etc?

I sync my Visual Studio project folder through 3 computers - the EXEs that got through were compiled projects that were infected with the rest of the exes. The laptop was also reformatted, with a Vista disk I received in a trade last year (I tried 2 XP disks, and they won't work with the DVD drive ($150) that I bought for it, so I took a chance). Believe it or not, 1.6Ghz (single core, I might add!) and 512MB of RAM runs Home Premium without a hitch. Good thing I got a dedicated GPU though :)

I am reformatting it now with the (original, 1.0) Windows XP disk. That won't take long to update! ;D

You might want to consider slipstreaming SP3 into XP before you reinstall. nlite is probably the easiest way to do that. Just a thought - and good luck. :)

I was going to slipstream, but I simply didn't care enough to take the time to do so. I installed from scratch and updated to SP2 in about 45 minutes, and then let automatic updates have at it. I really should look into it though...

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,768
    • View Profile
    • Donate to Member
Re: When a home server goes to the dark side: A hands on experience
« Reply #6 on: December 01, 2008, 06:22:06 PM »
I was going to slipstream, but I simply didn't care enough to take the time to do so. I installed from scratch and updated to SP2 in about 45 minutes, and then let automatic updates have at it. I really should look into it though...

Nah! Your approach is probably better for a single machine anyway. I try not to use the automatic update feature because I've usually got a lot of bandwidth tied up downloading Yet Another Linux Distro. (Really bad jones I've got - fer sure!)

I also have two sisters, so I've got something like eight separate family machines to support. That's why I use an offline update utility where I can download everything once, and then hump a CD or two over to each machine.

Get's me in and out a lot faster too! ;D


myarmor

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 82
    • View Profile
    • Donate to Member
Re: When a home server goes to the dark side: A hands on experience
« Reply #7 on: December 01, 2008, 07:11:29 PM »
Nothing beats having SP3 slipstreamed, followed by a run of Autopatcher for installing/updating multiple computers..

The gains of the latter is somewhat obvious even when you have only one though, as it only needs a single run/reboot in most cases..

wreckedcarzz

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 1,623
    • View Profile
    • Donate to Member
Re: When a home server goes to the dark side: A hands on experience
« Reply #8 on: December 01, 2008, 07:41:52 PM »
I have 6 working machines in my house, 5 of those are used on a regular basis, and 4 of those run Vista. It might be a better idea to make a Vista SP1 SS disk than an XP one, now that I think about it :P

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: When a home server goes to the dark side: A hands on experience
« Reply #9 on: December 02, 2008, 12:08:16 AM »
Late reply, I *just* got my 300 or so emails (I should check that more often) :P
I sync my Visual Studio project folder through 3 computers - the EXEs that got through were compiled projects that were infected with the rest of the exes.
Even then, how did the infection trigger? If you didn't actually run any of those infected EXEs, nothing should have happened just by sync'ing them.

You might want to consider slipstreaming SP3 into XP before you reinstall. nlite is probably the easiest way to do that. Just a thought - and good luck. :)
I was going to slipstream, but I simply didn't care enough to take the time to do so. I installed from scratch and updated to SP2 in about 45 minutes, and then let automatic updates have at it. I really should look into it though...
Installing a non-SP2 XP is a very very very bad idea if you don't have the box behind NAT... iirc the average time-to-infect unpatched XP through automated internet probes is around 10 minutes, which is faster than most people can apply the service pack.
- carpe noctem
« Last Edit: December 02, 2008, 12:09:57 AM by f0dder »

wreckedcarzz

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 1,623
    • View Profile
    • Donate to Member
Re: When a home server goes to the dark side: A hands on experience
« Reply #10 on: December 02, 2008, 12:05:39 PM »
I don't know, thats what is puzzling. It's like a random hit-and-miss IP scan and it just happened to hit me because of the setup, but then something executed it. The properties of the file DID say it was from Windows, I'm not sure I trust it, but maybe that's what got infected and Windows actually ended up screwing itself? :huh:

Just don't know HOW or WHEN... :tellme:

Also, the Linksys WRT300N (I'm getting the 350 this week :D) runs DD-WRT, with heavy security (minus DMZ (yea yea yea, this PC has security on it :P) and port forwarding). The SPI firewall and some filtering is enabled, but I'm not much of a router person. I remember something about NAT in one of the setup pages but I don't remember exactly what it did ... default settings. :-\

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: When a home server goes to the dark side: A hands on experience
« Reply #11 on: December 02, 2008, 06:09:16 PM »
Well, you can make file properties say anything you want - it wouldn't take many minutes making a malware.exe where file properties say it has been signed by bill gates himself :]
- carpe noctem