When a home server goes to the dark side: A hands on experience

wreckedcarzz:
NOTE: Watch for overuse of bold-ed words :P

When a home server goes to the dark side: A hands on experience - brought to you by your local forum idiot, wreckedcarzz!

I'm sure everyone here at DC has had the overjoying ... feeling (if you want to call it that) of knowing that your system has been hosed by a <insert malicious software type here>. But I figured I would give my experience here, just because it is a little on the oddball side.

I have a total of 6 (working) computers in my house, 5 connected to the internet. Of those 5, 3 are now equipped with security measures. As of 24 hours ago, 1 of them was equipped with similar measures. During those 24 hours, I experienced something that was both aggravating and frightening: my homebrew "home server" was the target of a seemingly random (and lucky) IP hit-and-run virus infection. Now that wouldn't be an issue if the target had been this PC (my gaming machine), that I recently got advice for on securing, because it is quite solidified now. The problem would lie elsewhere, due to my own fault and/or laziness.

Yesterday, November 19th, 2008:

I came home with a friend and was ready to play some COD4 on the LAN. No problem. We both booted the machines (he plays on the Gateway "server"), and loaded the map. But the Gateway timed out. This repeated for some time as I tweaked the console to enable longer timeouts, but the FPS was staggeringly low and map load times were at least 10x longer than normal. He asked to switch PCs so I could fix it, and I found that BOINC and LogMeIn had errors when I tried to start them. I ran the usual maintenance scheme (cleaning, registry cleaning, reboot, prep for defrag) - but I didn't get to the defragment. When the computer rebooted, a command prompt window opened, touting the name "dl.exe". However, a quick C+A+D reveals that the actual filename is (I'm guessing here, it has since been deleted) "nvbdl.exe". Hmm... but that file appears to be (according to its properties) a "Microsoft Windows Operating System" file. OK, it must be legitimate. I rebooted again and it reappeared, so I opened up the D:\ drive and launched the Spyware Terminator installer. Once again I get an error that it cannot start. This happens with ANY EXE in the folder, so I try something else. It launches fine. I managed to get Windows Defender to scan over the network, but it came up clean. Well... maybe... let's do a Windows XP Repair!

About 3 hours later, everything is the same, just Windows seems... better. As my friend leaves, I move the hard drive to my gaming computer and run a scan with Windows Defender (this time it is a local disk). Again, clean. I gave up for the night and concluded that "I did have a virus, and the only thing that hadn't gone wrong today was that my room hasn't caught fire [yet]".*

Today, November 20th, 2008:

I come home from school on early release and get to work on the Gateway. I put the hard drive back in the original machine and manage to get Firefox to load the Spyware Terminator download. 2 hours later, at over 1500 entries, ST has completed its scan and has quarantined the EXEs - if I had to guess, I would say at least 80% of them on the machine. It is a miracle that Windows' core files didn't take a beating. Maybe the Repair helped after all.

I'm currently running another "Full Spyware & Virus Scan", with nothing coming up, but the battle hasn't ended nearly that easily.

Following a recommendation I found here at DC, I downloaded and now use a great piece of software called GoodSync. It does a fantastic job. If you already know where this is going, you haven't seen half of it.

As I install Spyware Terminator and System Protect (related programs, same publisher) onto all the systems, the laptop starts to "freak out". Windows (GUI, not the OS) start to lag. The control panel throws a fit and won't respond. The installation pushes on.

An hour later, the laptop is still scanning with 555 virus entries and counting. Now, if you don't understand how the laptop was infected, it may help to know that:

* The laptop syncs with the Gateway
* The Gateway was still scanning and removing at laptop boot time
* The laptop syncs at logon
* The laptop only has Windows Defender and Windows Firewall

Therefore, while the Gateway was being rid of its viruses, the laptop was receiving them, but in a legitimate file sync.

The other computers' status is unknown, but they appear clean.

The Gateway is still running its scan, and it is far from secure, but I guess that's the price of running a fileserver on an unsecured LAN (the computers, not the Wi-Fi) in the router's De-Militarized Zone (like I said, I'm lazy, and it hosts a LOT of games). Plus, Windows hadn't had its non-"Urgent" updates yet. It's like leaving the keys in front of the open door with a pot of gold in the living room. And I just got burglarized.


Moral of this story: Don't let this happen to you.


Now I'm off to go download and copy ALL those 40GB of files back onto the D:\ drive... oh boy, what a great week... :( :-\ :P

* On a side note, I had a REALLY crappy day

Deozaan:
Sounds like a nightmare! :(

wreckedcarzz:
Just figured I would update, the server was recovered but the virus did irreversible damage to Windows Explorer and several other components. I am reformatting it now with the (original, 1.0) Windows XP disk. That won't take long to update! ;D

EDIT: I did beat it on 2/3 of the computers though, my gaming (main) PC and laptop made it out without significant damage. Simple re-installs of a couple apps will bring them back to full cycle again.

f0dder:
What's the name of the malware? It's been a long time since I've seen anything that actually infects EXE files, these days it's mostly "just" a trojan+rootkit. Pretty nasty getting your system hammered that bad.

Moral of the story? NEVER USE DMZ, be sure to have Windows Firewall enabled, and be careful what you synchronize... you really only should be syncing data files, not executables. Oh, and try to run as non-admin (on Vista: with UAC enabled) :)

I wonder how the malware got in, anyway. Your "server" was both DMZ and didn't have Windows Firewall? Does anybody ever use it for browsing, mails, etc?
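The sync chain in the first post (server executables synced to the laptop while the server was still infected) and f0dder's advice to sync only data files can be turned into a pre-sync gate. This is an added example, not code from the thread or from GoodSync: it identifies executables by their PE "MZ" header rather than by extension, compares known executables against a baseline hash manifest (a hypothetical manifest the owner would have recorded while the server was clean), and only passes non-executable files on to the sync job. The sample share it builds is constructed.

```python
import hashlib
import tempfile
from pathlib import Path

PE_MAGIC = b"MZ"  # every Windows PE executable (EXE, DLL, SCR, ...) starts with this


def is_pe_file(path: Path) -> bool:
    """Identify executables by content, not extension, so a renamed EXE is still caught."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == PE_MAGIC
    except OSError:
        return False


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plan_sync(source: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Classify files under `source` before a sync job copies them. `baseline` maps a
    relative path to the SHA-256 recorded while that executable was known-good."""
    plan = {"data": [], "unchanged": [], "changed": [], "unexpected": []}
    for p in sorted(source.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(source).as_posix()
        if not is_pe_file(p):
            plan["data"].append(rel)          # non-executable: safe to hand to the sync job
        elif rel not in baseline:
            plan["unexpected"].append(rel)    # executable nobody recorded: hold it back
        elif sha256_of(p) != baseline[rel]:
            plan["changed"].append(rel)       # executable modified since the baseline
        else:
            plan["unchanged"].append(rel)     # matches the baseline, still not synced
    return plan


def demo() -> dict[str, list[str]]:
    """Constructed sample share: a data file, an intact executable, one modified after
    the baseline was taken, and a PE hiding behind a .dat extension."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "notes.txt").write_bytes(b"just data\n")
    good = PE_MAGIC + b"\x00" * 62 + b"original program body"
    baseline = {name: hashlib.sha256(good).hexdigest() for name in ("game.exe", "tool.exe")}
    (root / "game.exe").write_bytes(good)
    (root / "tool.exe").write_bytes(good + b"\xcc extra bytes appended after the baseline")
    (root / "readme.dat").write_bytes(PE_MAGIC + b"\x00" * 62 + b"disguised executable")
    return plan_sync(root, baseline)
```

Only the "data" list would be passed to the sync job; the "changed" and "unexpected" lists are what to look at on the server before trusting it again.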

40hz:
Quote from wreckedcarzz (November 20, 2008, 09:01 PM):
I am reformatting it now with the (original, 1.0) Windows XP disk. That won't take long to update! ;D
--- End quote ---

You might want to consider slipstreaming SP3 into XP before you reinstall. nlite is probably the easiest way to do that. Just a thought - and good luck. :)
