Worst Security Clean-Up You've Performed?

nakhla writes "Last night, I was tasked (by my wife) to help fix her friend's computer. It is a Windows XP home system which has been running slowly, almost to the point of un-usability (like *that's* never happened before). It turns out that hundreds of random processes had filled up its meager 256 MB of RAM. The cause? Nearly 7,500 viruses and worms that had infected the system. That number doesn't even include the hundreds of spyware and adware programs that had installed themselves, as well. Although the box is now behind a firewall, that wasn't always the case. This was, by far, the most infected system I'd ever seen, but I'm sure it can't be the worst ever. What was the worst security cleanup you ever had to perform?"

  • by Dr. Eggman ( 932300 ) on Friday November 10, 2006 @12:28AM (#16791150)
    Once, I saw a computer infected with Windows ME.
  • You Cleaned it Up? (Score:5, Insightful)

    by neoform ( 551705 ) <djneoform@gmail.com> on Friday November 10, 2006 @12:28AM (#16791154) Homepage
    With that many viruses, is it even possible to "clean" it?

    Hell, I do a reinstall if I get even 1 bad virus..
    • It was probably just a small handful of viruses (at most) that infected 7500 files. I would seriously doubt that the poster had 7500 DIFFERENT viruses. I can also believe that, at most, dozens of spyware programs were installed, but not hundreds. Spyware programs frequently claim that each cookie and registry entry is spyware.

    • by rbochan ( 827946 ) on Friday November 10, 2006 @11:01AM (#16793624) Homepage
      Had these folks not too long ago that were getting phone calls and actual snail mail from their ISP telling them to take their computer offline and have it repaired. The ISP actually did cut them off, because their machine was saturating the line all the time as a spambot and as a server for other bot infections.

      The machine was about a year old (and out of warranty, of course) - a 2.6 gig cpu with a gig of ram. It took almost 35 minutes to go from power off to the desktop. They had an antivirus that came with the machine, but the "free 90 day subscription" to it had run out long ago and they weren't aware of it, since that was one of the first things the malware went after. Their 16 year old son who loved to surf porn all the time didn't help matters. A machine like that really isn't worth the time to hunt and peck for individual pieces of malware and should be wiped clean and started fresh, however the godawful shit that was on it even hosed the recovery partition. And since actual install media isn't included with a $MAJORMANUFACTURER machine, they would have had to shell out for a retail copy of their previous OS.

      Since these folks were obviously pretty clueless about computers, I fired them up a knoppix CD to see how they took to it. They honestly had zero problems navigating the KDE desktop and were able to do everything they wanted with the computer, except obviously to save stuff.
      They now have a shiny Debian Etch based KDE desktop that they're enjoying, virus, malware, and calls from the ISP free.

      That was one of the worst I've ever seen.

      • I would sign up with that ISP in a heartbeat. Most ISPs are total worm farms.

        I'm getting DNS poisoning attacks about 300 times a day from a RR.COM cable modem address and RR says they can't do anything about it.

        The attacks aren't actually working, but it still peeves me mightily.
      • I got a call the other week from my ISP saying they'd seen half a million spams from my machine in half a day :-( I went over and checked the desktop machine, which hadn't gotten its Microsoft-update-of-the-month installed on it yet, but it was quiet, and closed my laptop so it went to sleep, but the spam persisted. Went over and looked at the wireless router, and sure enough it was blinking away - I keep it open for guests, and had never had a problem, even though I'm in a building with half a dozen neig
  • Running an Ewido scan on a computer I had to clean up at work resulted in nearly 20,000 malicious items being found. Many of them were just tracking cookies, but even so, I took a screenshot; I might still have it somewhere....It was damned impressive.
    • On a co-worker's machine I ran Ewido as well, aside from the normal spyware etc, I found that the machine was infested with a worm.
      Ewido came up with a final score of 16553.

      Took quite a long time to clean up.
      • Re: (Score:2, Funny)

        by codered82 ( 892990 ) *
        3dMark scores seem irrelevant when you throw out a number like that. Yikes.

        P.S.: Anyone else see the humor in that this "Ask Slashdot" was posted right after the "Vista doesn't need Anti-virus" story?

        ...I'm just sayin'
  • by Salvance ( 1014001 ) * on Friday November 10, 2006 @12:33AM (#16791176) Homepage Journal
    Worst cleanup by far was on a corporate Windows server in 2000 or 2001. The system did not have any anti-virus, and doubled as a SQL Server and File server. A couple viruses got on the drive and started trashing files. Unfortunately, they had been on there for months before anyone noticed, so backups were basically useless. We had to go file by file to retrieve important data, and then have users manually validate exported/imported SQL Server data. Uggghhhh. It took us months before everything was sorted out, but it was an easy sell to get the client onto Oracle and a HP-UX system soon after.
  • A few gems. (Score:5, Interesting)

    by bluefoxlucid ( 723572 ) on Friday November 10, 2006 @12:35AM (#16791182) Homepage Journal

    Geek Squad. One customer had 35,000 pieces of spyware and over 3000 instances of some 30 or 40 viruses on her computer, some of which required some alternative methods to remove since they were locked when in safe mode and encrypted so you couldn't scan with a boot CD. After 4 scans taking about 6 hours I managed to get the spyware gone, and also in between had made note of viruses I needed to manually purge. Cleaned it up nice; meanwhile my supervisor was telling me to call the customer and tell them we needed to just reinstall Windows.

    My aunt got AOL with anti-spyware and firewall and security. Eventually she had 35 different viruses, managed to remove all but 28 unique signatures (this was before I developed my brute-force removal method). Chucked a ton of spyware too.

    While at WhiteWolf Security, we had a little game going; eventually our opponents got pissed at us for unrelated reasons and decided to physically break into WhiteWolf at 4am. They shorted CMOS pins and used boot CDs to evade password lock-outs, adding extra administrative accounts and rootkits that continuously gave them remote log-ins. We couldn't feasibly assess the damage and determine all the changes; I filed an incident report with cost of infinite and put the machine in the evidence locker for forensics to deal with. We got third place too.

    • When I worked for a small independent computer repair shop we did a lot of customer Windows reinstalls. Most of the time when it was that bad we would just encourage the customer to do a Windows reinstall and in the end it was usually cheaper and better for the customer. Plus, there is something very rewarding about getting back the computer after the reinstall - it really is like getting a new computer back.

      Of course, eventually spyware will take its toll again, and the vicious cycle repeats.
      • With Geek Squad you don't pay hourly. They do the service. For a Spyware removal it's $30, virus removal is ANOTHER $30 (...), then once you've removed all that if there's a problem you can just use the Windows install CD to REPAIR the system for another $20 (this includes Windows update). If they don't remove anything, they don't refund your money; but they will charge you $70 to back up any files and $60 to reinstall Windows, plus $30 per application to install any software you need back (Office, anti

  • by Alkivar ( 25833 ) * on Friday November 10, 2006 @12:40AM (#16791194) Homepage
    Had a 65-year-old woman whose grandkids used the computer... I doubt she ever did. Windows 98 SE, ran Spybot on it and I just about died, over 34,000 items marked as spyware. So I closed the app and ran a virus sweep with AVG and found over 2000 trojans (only like 11 different viruses with variants but multiple installations).

    I realized at that point that it wasn't worth cleaning it up, so I reinstalled with her manufacturer's restore disk and rescanned it ... 300 items marked as spyware from the restore disk, and 3 viruses on the restore disk.

    I did the old woman a favor and installed my old unused retail copy of Win98 on the box.

    That's why you should never buy a computer from Rent-A-Center... *shudder*
  • Vomit (Score:5, Funny)

    by Anonymous Coward on Friday November 10, 2006 @12:45AM (#16791206)
    I used to keep the case off of my computer, to help keep it cool. That is, until a friend crashed in my study after a big night out and somehow managed to throw up inside it. Needless to say I have a whole new setup now.
  • The worst? (Score:5, Funny)

    by TheSHAD0W ( 258774 ) on Friday November 10, 2006 @12:45AM (#16791210) Homepage
    Buh! [homestarrunner.com]
  • almost 30,000 files that had to be examined either by script or by hand/eye (give you two guesses which instance was more frequent) for relevance because of an outdated and essentially useless form of content management, then organized and documented according to sensitivity level, freshness, potential legal/compliance relevance, and any noted security concerns. anything that couldn't be archived off the live site had to go through secondary examination for exploits, holes, and the like before being blessed
  • XP, 128 megs... (Score:5, Insightful)

    by cpct0 ( 558171 ) <slashdot.micheldonais@com> on Friday November 10, 2006 @12:48AM (#16791226) Homepage Journal
    My uncle's computer had a meager 128 megabytes of RAM, running XP, with two teenagers using it.

    It was a mess, a real mess.

    5 minutes starting XP, 2 minutes seeing the window of Internet Explorer appear. 10-15 minutes to be able to download Spybot and AVG. 3 hours running spybot (you read me right).

    The hard drive stayed constantly ON during all that time. Then I said Screw That, and I reinstalled.

    My conclusions after 3 hours:

    - The first and biggest threat all the newbie users have on their computer are OUTDATED norton utilities giveaways they got with their machine. They THINK they are protected, but they closed the "renew" window so often they forgot it's there. Either the software is FREE AND CONTINUOUS, or it's not there, capiche? Avg is excellent, there are many other free ones too... just find one and be happy. Not something that's NOT free.
    - The second biggest threat are Norton Security centers, again outdated, again with useless popups. Again with people finding it nagging and deactivating it, making certain not only the Windows Firewall is properly deactivated by Norton's presence, but that their system is totally uselessly unprotected. Very great, coming from a security company. Again, there are many FREE (beer) softwares that do spyware detection and stuff, and Windows Firewall, in all its eloquence, is still better than a kick in the butt, at least compared to the useless deactivated softwares I found.

    Not that I hate norton, that is ... just that they are the culprits for at least 2 computers I cleaned so far.

    Then, even if you got years of pro experience in computers, people trust only one person, and if it's not you, you're d00med. I have been explaining to them their meager 128 megs of memory was not enough.... to no avail, they wanted to change computers, almost bought a new one, then another member of my family told them the exact same thing I did, now they have 512 megs and it's screaming. "told you so" was the only answer I could say. Oh well.
    • by Sloppy ( 14984 )

      The first and biggest threat all the newbie users have on their computer are OUTDATED norton utilities giveaways they got with their machine.

      Uh.. no. The first and biggest threat all the newbie users have on their computer, is whatever application they're using, which is downloading and executing viruses! Viruses don't "just happen", even with a very naive user; viruses only happen if some application designer goes to the extra trouble to support them by giving them a "click here to run virus" GUI.

      An

      • by hawkbug ( 94280 )
        Unless you have an unpatched windows system with automatic updates turned off. Then you can easily get infected with worms, such as the old Code Red worm from about 5 years ago - that's just one example of a windows worm that can get your machine if it's simply on without a firewall in front of it.
      • by hughk ( 248126 )
        Your computer appears to be running slow click [here] for a free scan....

        This kind of thing really upsets me, because no matter how much you try to educate people, someone is going to click it and then bang, another exploit is launched. It shouldn't have been so easy for a system to be compromised, but it is. Maybe Vista will solve this, but wasn't the same said of XP?

  • Too many systems beyond the point of no repair, far too many to list. Most of them required a reformat/reinstall before I was confident of no hiding keyloggers and still having decent system performance.

    Having said that, a large proportion of these systems had some form of Norton AV installed, and EVERY SINGLE ONE had a virus subscription which had lapsed. Entirely useless in protecting those computers.
  • by paulius_g ( 808556 ) on Friday November 10, 2006 @12:56AM (#16791262) Homepage
    I consider myself a computer-savvy Linux and Windows systems administrator.

    But, I must ask, how on earth do you guys perform these kinds of clean-ups?
    Most spyware that I have seen in the last months are rootkits. They hide underneath the kernel, are impossible to delete and "reinject" themselves upon reboot. I've even seen spyware which injects malicious code and/or replaces the main Windows binaries (explorer.exe, taskmgr.exe, cmd.exe, notepad.exe, etc.) How would you deal with these buggers?

    When I come to a spywared computer, I start by running Spybot, AdAware and then AVG AntiVirus (to check for viruses/trojans). I would say that this technique is successful about 50% of the time. If it's not, I consider the situation disastrous and ask the person to do backups and go for a reformat.

    I've even touched computers which froze upon startup (Windows boots up and everything freezes up). What would you do in these cases? I boot a livecd to do backups of a drive before the reformat.

    So once again, Slashdotters, how do you guys get rid of these nasty rootkit and evolved spywares which can hide very well without reformatting?
    • Re: (Score:3, Insightful)

      by Woy ( 606550 )
      But, I must ask, how on earth do you guys perform these kinds of clean-ups?

      Nobody can completely clean a virus infected system. The ones that claim they did, didn't, but don't know enough about the subject to know they didn't.

      To put it bluntly, computer security is like virginity. You either are or you aren't. If somehow, at any time, an "evil" binary ran on your system, then the system may be in control of whoever wrote that binary in any number of ways.

    • by walt-sjc ( 145127 ) on Friday November 10, 2006 @09:44AM (#16792852)
      how do you guys get rid of these nasty rootkit and evolved spywares which can hide very well without reformatting

      You don't. It is not worth the time and effort unless your personal / professional time has zero value. Get your data off and reinstall / restore from image.

      Otherwise (if you are getting paid well for it) you can boot off a live CD or install the drive as a second in another system (one that has all the autorun crap disabled), run AV/AS(pyware) on the drive, edit the registry removing all the startup items that you know aren't needed, run md5 comparisons on all the system files, and go from there. Dumping the registry and comparing with a known good registry is helpful at spotting crap.
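      The offline comparison walt-sjc describes (mount the suspect drive under a clean system, hash the system files, diff against a known-good record) as an added shell example; this is not code from the comment. It assumes coreutils sha256sum plus POSIX find, sort and awk, and builds a small constructed directory tree in a temp dir in place of a real mounted drive. It uses SHA-256 rather than the MD5 the comment names, because an attacker who wants a modified file to keep its old hash can produce MD5 collisions cheaply.

```shell
#!/bin/sh
# Added example: baseline-and-compare integrity check for a drive mounted
# read-only under a clean system. Not the commenter's code. Assumes coreutils
# sha256sum plus POSIX find/sort/awk; the sample files below are constructed.
set -eu

# make_baseline ROOT OUTFILE
# Hash every regular file under ROOT with paths relative to ROOT, so the
# manifest still matches when the drive is mounted somewhere else later.
make_baseline() {
    root=$1; out=$2
    (cd "$root" && find . -type f -print | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done) > "$out"
}

# compare_baseline ROOT BASELINE
# Re-hash ROOT and print one line per difference (ADDED, MODIFIED, REMOVED),
# sorted so the output is stable. sha256sum lines are "<64 hex>  <path>", so
# the path is taken from column 67 onward and may itself contain spaces.
compare_baseline() {
    root=$1; base=$2
    cur=$(mktemp)
    make_baseline "$root" "$cur"
    awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        NR == FNR { old[path] = hash; next }      # first file: the baseline
        !(path in old) { print "ADDED " path; next }
        old[path] != hash { print "MODIFIED " path }
        { delete old[path] }                       # seen: not removed
        END { for (p in old) print "REMOVED " p }
    ' "$base" "$cur" | LC_ALL=C sort
    rm -f "$cur"
}

# demo: build a constructed tree standing in for the suspect drive, take a
# baseline, then simulate what a cleanup usually turns up (a replaced system
# binary, a new dropper, a deleted file) and report the differences.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/disk/system32"
    printf 'original notepad\n' > "$work/disk/system32/notepad.exe"
    printf 'original cmd\n'     > "$work/disk/system32/cmd.exe"
    printf 'stale library\n'    > "$work/disk/old.dll"
    make_baseline "$work/disk" "$work/baseline.sha256"

    printf 'trojanised notepad\n' > "$work/disk/system32/notepad.exe"  # modified
    printf 'dropper\n'            > "$work/disk/new.exe"               # added
    rm -f "$work/disk/old.dll"                                         # removed

    compare_baseline "$work/disk" "$work/baseline.sha256"
    rm -rf "$work"
}

demo
```

      The baseline has to come from an installation you trust (a clean install at the same patch level), not from the suspect drive itself, or the comparison only confirms that the bad files are still bad. Mount the drive with ro and noexec so nothing on it runs while you look, and remember that a hash diff only covers files: the registry startup items and autorun entries the comment mentions still need their own review.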
    • Although I typically admin Linux systems, I'm occasionally called on to clean up Windows systems where it's not possible to reformat for whatever reason. Here's the basic strategy I follow, which while not complete is a good start if at some point you really need to clean one out.

      1) Like most people, I typically run an Antivirus application, Ad-Aware and Spybot SD to see what sort of spyware I can remove. I disable network access as well, so the software cannot re-download itself or other malware. Most of w
  • Reinstalling is a drastic workaround to a problem where a solution exists. The time it takes to clean a single bad infection is minimal compared to reinstalling Windows, installing the software and tweaking your settings to make sure that everything is how you like it. It takes a good 2 or 3 hours to just install XP and associated programmes. Then tweaking over a few weeks.

    Next time I reinstall Windows I'm going to Ghost the drive once I've got set up how I like it.
  • Good Ol' SunOS (Score:5, Interesting)

    by Jethro ( 14165 ) on Friday November 10, 2006 @01:05AM (#16791304) Homepage
    I 'inherited' a SPARCserver running SunOS 4.1. Yeah, you can secure SunOS 4.1 (kinda). But the guy who was in charge of the UNIX machines for the past few years, hadn't. This was in 1996 or so and commercial ISPs were relatively new and nobody had really ever considered security.

    When I took over the machine I started lobbying the boss to let me do some security work on it and he'd never let me do it. We gave users FULL SHELL ACCESS. Compilers included. Oh and SunOS didn't even have shadow passwords by default!

    Anyway, a few months into that someone changed the MOTD to some racist statement. That's when the boss finally let me do stuff.

    But he wouldn't let me reinstall the thing. OR take shell-access away.

    It was a constant battle. Every day I'd show up and look for what they did TODAY, and fix it. Just try to stay ahead of them, and they tried to stay ahead of me...

    Sometimes I'd stay up at night and ttysnoop on them talking to their other friends on IRC. Then I'd sigsegv their IRC client, and watch them log back on and complain about how the sysadmin can't even keep IRC from segfaulting randomly. Then I'd take over their terminal and start saying crap about the other people he was talking to, until his friends kickbanned the hell out of him. Haha.

    I eventually managed to let the boss allow me to replace the shell with a restricted shell (ok, a shell replacement I wrote in perl - it was easier than reading the manpage for rksh).

    So basically the point was to make it not worth their while to break into my server.

    Eventually this kid started DOSing us. We had a small 64K line to the 'real' internet, and he was on a DS3 in some university in Sweden. Our uplink (UUnet) said they couldn't do anything. Yay. So one day my boss (not the big boss) goes "hey, didn't you say they brag about this stuff on IRC?" I said "Yeah" and he goes "Teach me how to use IRC!!!"

    The guy figured out IRC, found some 'hacker' channels, and FOUND THE GUY who was bragging about DOSing us. Started talking to him, getting kinda friendly. Guy starts blackmailing us - said that unless we gave him a machine with his own hard drive (he demanded at least 4 gigs) he'd DOS us again. So we gave it to him to see what he'd do. He filled it up with warez (gah) fairly fast, and then had to download it all with a 28.8K modem...

    So my boss goes "Hey...why don't you come in and bring a hard drive and we'll copy it for you?"

    And the guy did it. He came into our office. Where I had an IndyCam setup for him. And where we had a PI waiting outside to follow him home. And of course he brought his hard drive which we copied everything off, including his master host/password list.

    The kid was 15, so we couldn't sue him or anything. But we did get a LOT of info about him. My boss basically went through all the guy's hosts and nuked them or, if they seemed legit, changed his passwords and emailed the admins. And some of these were machines belonging to some pretty big cracker/hacker/whatever rings. We nuked those, too.

    I like to think that was a pretty good security clean-up. We got rid of a LOT of bad-guy hangouts at that point.

    Oh, and I was no longer with that company, but when that kid turned 18, they got him thrown in jail. That was fun, too.
  • Real Player (Score:5, Funny)

    by Barkmullz ( 594479 ) on Friday November 10, 2006 @01:09AM (#16791324)

    I once tried to uninstall Real Player, but I was not successful so I guess it does not count.

  • by dch24 ( 904899 ) on Friday November 10, 2006 @01:10AM (#16791326) Journal
    This is on-topic, but not the answer everyone else is giving...

    My last encounter with a virus was when my brother (who had been abroad) came home, and a few days later I got an email from him with an executable in it. I downloaded the executable and found ... surprise, he got a virus using IM, which spammed everyone in his address book. I notified everyone in his address book, cleaned up a few infections, and have never had a problem since.

    Seriously. I didn't even have the free version of Ad-Aware installed until late 2004, and when I ran it I had lots of tracking cookies... that was all.

    I do heavy development in Visual Studio, but only for consulting work. The rest I do in linux. I've never had a problem. I admin lots of systems, and I've seen rootkits on Solaris, but I've been lucky so far with all the linux servers I've looked at.

    It's possible some of my mistakes weren't discovered until much later and no one bothered to tell me. But my own workstation has never been exploited. Sorry, hate to disappoint everyone, but I have nothing to tell.
  • About 5-6 years ago. Oh, yeah, in 1995 I think I got a macro virus on a Mac using Excel.
  • Was it running Vista?
  • I had to clean up a computer infected with the www.yzzerdd [www.yzzerdd]. That wasn't even the weirdest part, cuz the guy who owned the computer was a friggin sack of french fries. Crazy shit man.
  • 1600 traces of W32.CIH from a Win98SE PC, god the amount of time I spent bringing that piece of crap back up again.
  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Friday November 10, 2006 @01:47AM (#16791430)
    Comment removed based on user account deletion
  • by shoolz ( 752000 ) on Friday November 10, 2006 @02:07AM (#16791476) Homepage
    This is from 2005! Her computer was a PII 75 running Windows 95. The basic problem is that it had been overrun by viruses. A one hour fix if I had taken out her hard drive, plunked it into my repair PC and done a virus scan... but she refused to allow her machine out of her house for fear that I would steal it. Rather than entrust her $50 PC to me, she instead paid me $280 in house-call fees while I sat there for 8 hours with my arms crossed, watching AVG [grisoft.com] do its stuff.
  • I do like you do.

    I try all the good softwares... multiple times ... until they either find nothing, or enter in a totally endless loop ... or (like I wrote a few replies before) I abandon after a few hours.

    Mostly, it depends on the usage.

    In a company, with properly cared computers and correctly controlled environment... not a horrible control, only a minimal one, like telling people illegal things means losing their jobs, and non-job-related stuff are to be kept to a relative minimum (and no real enforcing o
  • Here's my toolkit... (Score:2, Informative)

    by Anonymous Coward
    NB: posting as AC to prevent whoring

    I've been working in the small shop/repair business for over 5 years, and it's a weekly experience to get a machine in with thousands of trojans, viruses and spy apps. In cases where a re-install may not be desirable or feasible, here's a list of the tools we use to find, isolate and eradicate hostile software.

    Disclaimer: I do not work for any of these companies, nor am I being paid anything by them. I just find that these tools work. Your mileage may vary.

    1: Antivirus

    A
  • Chernobyl (Score:3, Interesting)

    by Guido del Confuso ( 80037 ) on Friday November 10, 2006 @02:10AM (#16791492)
    A bunch of my computers once got infected with Chernobyl, and it proceeded to trash the BIOS on two or three machines. I was pretty pissed about potentially having to replace these motherboards, so I said screw that and got an EPROM writer. With the latest version of the BIOS from the manufacturer, I flashed me up a few EPROMS and plugged 'em in. Suckers booted right up, and since the only way to erase them was with UV light, they were completely immune to BIOS attacking viruses thereafter.
    • Chernobyl rocks. My favorite virus by far.
      • One of the all time classics.

        On April 26th a few years ago, a dental office I did work for called up saying they were having trouble booting their server. While trying to figure this out over the phone, the manager said, "Oh, by the way, we're having some problems with the 5 client machines."

        Bing! Red flag. I googled on "virus April 26" and found Chernobyl. I told her there was a good chance the machines were toast.

        Good outcome, though. The manager was anal about backing up their patient database (quite a l
      • You've obviously never heard of - ack, I can't remember the name but an Amiga virus:

        remember viruses during the old Amiga days. One of them was a little animation that would play on your screen while it would vibrate the stepper motor on your floppy drive to play a tune (El Condor Passa). Plus the damned thing would reside in static ram and if you turned it off the little animation would flip you off. You basically had to unplug the computer and leave it off for a few hours.

        I think, too, that too many inst

  • by Anonymous Coward
    So a few months after warning our (ignorant) IT staff that the version of Sendmail distributed with our version of Solaris was about a year and a half behind the time, I wonder why our main box is so slow, and I see 500 processes dutifully spamming the rest of teh Intarweb.

    I get on the horn the folks in the IT department. "Yo, d00dz, we finally got pwn3d."

    "Not our problem."

    "No, really. The reason the box is so slow is because we've run an open relay for (censored) months, and this dude from a (censo


  • I used to run a server on the campus of a university.

    Winter rolls around, and I left the university for winter break.

    While travelling around, I got a call that indicated the server was sending a lot of mysterious traffic across the internet and "they" had unplugged it.

    Well, that's not good...

    Apparently I was the victim of a sendmail exploit. Alas. What can be done?

    I had to call and direct the reinstallation of Redhat 4.2 remotely through the hands of a geology grad student until it was on the internet, then
  • A windows box - no firewall - no antivirus - no updates - 3500ish unique virii, spyware, etc... Brother-in-law's. There was some nasty shit on that thing.
  • I think 70% of my Amiga disks had that damn virus. I took to installing Nuke Saddam in teh bootblock of every new disk I got.
    • I had -- I forget what it was called actually, but right when the bootblock viruses started coming out (late 80s maybe?) I remember coming across a nice bootblock program that filled up all available space with a stupid little light/sound show. The idea was that if it ever looked or sounded different starting up, you had a virus on the disk. I never did, of course, but I got very used to the startup show anyway.
  • 8 million unique items, I hadn't even made it out of the master boot record.
    *adds a couple more pens to his pocket protector*

    I cleaned it with dental floss and belly button lint.
    • by crossmr ( 957846 )
      oh and btw if slashdot is going to keep approving questions like this, I nominate a new tag "geekpissingcontest"
      • Now now, don't be pissy.
        Articles like this are great resources for information and in this case cleaning methods.

        We are here to learn from each other and share "war" stories.
        • by crossmr ( 957846 )
          I'm not being pissy, I just constantly see questions like this and the inevitable answers. Considering some of the tags already in use, that certainly wouldn't be out of place.
  • some war stories (Score:5, Interesting)

    by Anonymous Coward on Friday November 10, 2006 @03:38AM (#16791652)
    I don't clean up virused windows machines. I consider them to be pre-virused from the start. Anyway, they can only infect other windows machines, so what's the harm? I use them until they get too slow to use and then re-install, when I use them.

    I've dealt with some nasty cases on linux though. Be forewarned, a lot of the twitchy sys admin types who believe in the "proper" way of doing things are going to be driven crazy by what follows.

    Story 1: A visitor to my house needed to use ftp (ftp something TO me, for obscure reasons I have forgotten), and I temporarily turned on the ftp server on my Redhat 6.1 box on my cable modem. Later I noticed the machine running slow and a stuck process with a disguised name; grepping strings on the executable showed it to be an IRC server with built in commands that would DDOS people. Examination of logs showed I was cracked within three hours of turning that ftp server on. I was running tripwire, so I had a daily email showing what files had changed, but I had not been updating tripwire much, so I had to dig through lengthy lists to find out what new files had arrived and remove them. The computer that hacked mine was another RH 6.1 on a DSL in California, that was serving up web pages of pictures of salvage autos from a junkyard, all in Spanish. I did not bother to contact them.

    Story 2: About three years later, when RH 6.1 was pretty old, I was working for a guy who had a few remote RH 6.1 servers at his customer's sites around the country. They never connected to the internet, we dialed into them on the modem, thus no security worries, right? Well, we had to make them dial out to an ISP and email us the IP address, because they changed their phone system and we temporarily couldn't dial into the remote machine, and that got cracked within a few hours. Examination of a few clues, which I have forgotten, led me to conclude it had an Aurora root kit on it, which is a kernel module that the kernel reads in on bootup, that then filters all your ls and lsof and other commands to stop you from finding it or removing it. The solution I came up with was to go to an identical machine and compile an identical kernel, except with all modules built in and the ability to load modules turned off. The decision was made to make them mail us the hard drive back and we mailed them a replacement before I got to try it.

    Story 3: a Debian server a different, later employer used was the NATing gateway, mail server, file server, essentially everything for a very small office. The boss-man either connected to it from an invested public terminal at a university, or it was brute-force ssh'd, not sure. It was compromised, and not noticed for months because the guy never did anything (this was confirmed by going back through backups and checking for when the key files appeared). I noticed it when I discovered I couldn't update something because someone had used chattr to make the file immutable, and of course that file was a trojan (it took me a while to figure that out). I booted up with a live CD to make sure no aurora type root kit was interfering with my access, and searched the entire disk for every immutable file (using lsattr and grep), and then hand-replaced the binaries used by apt-get and dpkg and friends, and then chrooted to the disk and did "apt-get --reinstall install packagename" for every compromised binary. I got the package name from "dpkg -S /whatever/file" on each bad file. It took hours in spite of perl scripting a lot of it.

    I discovered a "hidden" directory (named with a single space character) that had tools to make random searches on yahoo and scrape the resulting pages for email addresses, and the spam had links to a fake bank login page, and the stuff to host that page was also there. As far as I could tell it was never unpacked and run. It was in a tar.gz with a script to unpack it and set it all up automatically.

    He was running a package of two or three cobbled together sniffers and a compromised ssh
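    The live-CD procedure in Story 3 (list every +i file with lsattr, map each to its package with dpkg -S, clear the bit and reinstall from a chroot), plus the check for oddly named hidden directories, as an added example that is not the poster's perl script and not part of the original post. It only parses captured command output, so it runs offline; the mount point /mnt, the BIN_DIRS heuristic and all sample lsattr/dpkg/find data are assumptions constructed for this example.

```python
"""Triage helpers for the live-CD clean-up described in the post above.
Added example, not the poster's script: it parses captured output of
`lsattr -R` and `dpkg -S`, so it runs offline; all sample data is constructed.
On the real disk (mounted at /mnt from the live CD) the inputs would come from:
    lsattr -R /mnt 2>/dev/null > attrs.txt
    chroot /mnt dpkg -S <paths> > owners.txt 2>&1
"""
import re
from collections import defaultdict

# lsattr prints a fixed-width attribute field, whitespace, then the path.
# A lowercase 'i' in the field is the immutable bit (uppercase 'I' is not).
_LSATTR_LINE = re.compile(r"^(?P<flags>[-A-Za-z]+)\s+(?P<path>/.*)$")
# dpkg -S prints "pkg[, pkg2]: /path"; diversion and not-found lines differ.
_DPKG_LINE = re.compile(r"^(?P<pkgs>[^:]+): (?P<path>/.*)$")
# Packaged software does not install dot-entries directly under these trees,
# so a dotted name there is worth a look (heuristic assumed for this example).
BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")


def immutable_paths(lsattr_output):
    """Paths lsattr reports with +i, in output order."""
    found = []
    for line in lsattr_output.splitlines():
        m = _LSATTR_LINE.match(line)
        if m and "i" in m.group("flags"):
            found.append(m.group("path"))
    return found


def owners_from_dpkg(dpkg_output):
    """Map path -> set of owning packages from `dpkg -S` output.
    Skips 'diversion by ...' lines, the old 'dpkg: /x not found.' message
    and the newer 'dpkg-query: no path found ...' message."""
    owners = {}
    for line in dpkg_output.splitlines():
        m = _DPKG_LINE.match(line)
        if (not m or line.startswith("diversion by ")
                or m.group("path").endswith(" not found.")):
            continue
        pkgs = {p.strip() for p in m.group("pkgs").split(",")}
        owners.setdefault(m.group("path"), set()).update(pkgs)
    return owners


def reinstall_plan(lsattr_output, dpkg_output):
    """Group immutable files by owning package.  Immutable files no package
    owns are the intruder's own drops: inspect and remove, not reinstall."""
    owners = owners_from_dpkg(dpkg_output)
    by_pkg = defaultdict(list)
    unowned = []
    for path in immutable_paths(lsattr_output):
        if path in owners:
            for pkg in sorted(owners[path]):
                by_pkg[pkg].append(path)
        else:
            unowned.append(path)
    return dict(by_pkg), unowned


def shell_commands(by_pkg, unowned, root="/mnt"):
    """Commands in the order the post used them: clear +i first (dpkg cannot
    overwrite an immutable file), then reinstall each package in a chroot of
    the mounted disk.  dpkg/apt must already be trusted copies, as the post notes."""
    paths = set(unowned)
    for ps in by_pkg.values():
        paths.update(ps)
    cmds = [f"chattr -i {root}{p}" for p in sorted(paths)]
    cmds += [f"chroot {root} apt-get --reinstall install {pkg}" for pkg in sorted(by_pkg)]
    cmds += [f"# unowned immutable file, inspect then remove: {root}{p}" for p in unowned]
    return cmds


def odd_names(paths):
    """Flag names an intruder uses to hide: whitespace- or dot-only basenames
    (the post's ' ' directory) and dot-entries under BIN_DIRS."""
    odd = []
    for p in paths:
        name = p.rsplit("/", 1)[-1]
        if name.strip(". ") == "":
            odd.append(p)
            continue
        for d in BIN_DIRS:
            if p.startswith(d) and p[len(d):].startswith("."):
                odd.append(p)
                break
    return odd


# Constructed sample data, not captured from any real system.
SAMPLE_LSATTR = """\
-------------e-- /usr/bin/apt-get
----i--------e-- /usr/bin/dpkg
----i--------e-- /bin/ls
----i--------e-- /usr/bin/.sniff/sshd
"""
SAMPLE_DPKG = """\
dpkg: /usr/bin/dpkg
coreutils: /bin/ls
diversion by dash from: /bin/sh
dpkg-query: no path found matching pattern /usr/bin/.sniff/sshd
"""
SAMPLE_FIND = ["/usr/bin/apt-get", "/bin/ls", "/usr/bin/.sniff/sshd",
               "/var/tmp/ ", "/usr/lib/.lrk", "/home/bob/.bashrc"]

if __name__ == "__main__":
    by_pkg, unowned = reinstall_plan(SAMPLE_LSATTR, SAMPLE_DPKG)
    for c in shell_commands(by_pkg, unowned):
        print(c)
    for p in odd_names(SAMPLE_FIND):
        print("# suspicious name:", repr(p))
```

Run from the live CD, not the compromised system, for the same reason the post gives: anything parsed from a trojaned ls or lsattr on the infected box is untrustworthy. The output is a plan to review, not something to pipe straight into sh; the unowned immutable files in particular are the ones to save for forensics before deleting.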
  • by Tumbleweed ( 3706 ) * on Friday November 10, 2006 @03:54AM (#16791692)
    Congress. Got that bitch all cleaned up. Sure took a while, though. You wouldn't _believe_ the shit that was going on in there!
    • Yeah, but you didn't patch the damn thing and now it's infected with different crap that is just as bad as the old crap.
  • The headmaster's wife of the school where my wife works gave me her laptop to look at whilst we were at a party at their place once. The school's IT guy wouldn't touch it. It was Windows XP but it took something like 10 minutes to boot and she said it was "reeeally reeeally slew" (she is French).

    Found out the disk had 5k of space left on it. Checked and there was no antivirus, firewall or antimalware installed and it had been directly connected to a broadband line with an ADSL modem for the last 3 months. And t
  • My worst... (Score:5, Interesting)

    by Seetee ( 144588 ) on Friday November 10, 2006 @05:10AM (#16791836) Homepage Journal
    Well, once, a little more than a year ago, I paid a visit to some friends and the afternoon progressed as usual, I eventually found myself in front of their computer. Because they had some trouble with their broadband access, it seemed.

    As I soon found out the broadband company had cut them off, since the computer was a breeding ground for viruses and spam of all sorts. Why did they have so many problems, you ask? This is what I found.

    No hardware firewall, one computer directly accessing the internet on an (albeit slow) broadband connection, no software firewall, no anti-virus program, no adware-removal program, Outlook Express and (actually!) a really old version of Firefox (0.3 I believe), all of it running on an unpatched version of Windows 98A.

    It took me some time to clean that one out.

    But it did impress me somewhat that the broadband company (Telia, Sweden) actually demanded proof that they had installed both anti-virus and a firewall before they reactivated the connection. That is surprisingly good ethics for such a company, although it might be considered pure survival tactics, as the internet climate is today.
    • As I soon found out the broadband company had cut them off, since the computer was a breeding ground for virus and spam of all sorts.
      Coo, there are a few people who wish that more ISPs would do this! It might scale down the number of these infections being discussed right now.
  • by hcdejong ( 561314 ) <hobbes@nOspam.xmsnet.nl> on Friday November 10, 2006 @05:40AM (#16791902)
    My parents recently had a virus on their computer. No big deal (just one virus), but Norton AV couldn't remove it and the manual removal instructions Symantec gave were rather convoluted (Recovery console, blah blah blah). Solution: pull the disk, stick it in a USB box and hook it up to my laptop. Eureka! The disk is inert (it's no longer the startup disk), so you can repair at your leisure rather than trying to beat whatever got started up during boot. You have a functional system during the procedure (if for no other reason than to keep the removal instructions handy) and no arcana like the Recovery console. Also, you've got a virus scanner you know isn't compromised.

    I know what I'll do next time.
  • by Dr. Hok ( 702268 ) on Friday November 10, 2006 @05:51AM (#16791916)
    This is not really security, but:

    At the university I once had the job to produce 100 copies of a circa 100 page application document for a very important government funded research project.

    I had a high-performance copier, to which I fed the original pages, cranked the lever to 100 copies and kept shoveling paper into it until it finished.

    Only then did I realize that I had misunderstood the sort/collate switch and ended up with 10,000 sorted pages, meaning that 100 copies of page #1 were followed by 100 copies of page #2 etc.

    I was out of fresh paper for a retry, too.

    After some decent swearing and a couple of cigarettes, I arranged the tables of a seminar room around myself, then spent the whole night making 100 stacks of paper one by one.

    When it was over, the skin on my fingers was so dry that it cracked and started bleeding. Not to speak of the over-exercised muscles in my hands...

    • Hrm... you could have re-stocked the copier with your output (100 page 1's, 100 page 2's, etc.) then had it copy *with collation* 100 blank pages.

      Maybe anyway...
  • Bug Spray (Score:4, Funny)

    by slarrg ( 931336 ) on Friday November 10, 2006 @05:57AM (#16791930)
    About twenty years ago an exterminator was spraying my apartment complex and asked if I had seen any bugs. I replied, "Only in the computer." Sadly, he actually sprayed inside the computer and killed it. I've since learned to curb the computer humor with non-technical people.
  • by Andy_R ( 114137 ) on Friday November 10, 2006 @07:03AM (#16792064) Homepage Journal
    Someone sent me a floppy with the WDEF B virus on it, but my Mac IIci's antivirus software caught it. Of course, since those days Apple have really got their act together and I don't get viruses nearly as often.

    My PC is virus-free too, probably because it doesn't have a network card or modem, a surprisingly difficult combination to achieve when buying it. I gave up trying to spec a machine without ethernet and settled for opening up a brand new computer, pulling the unwanted card and binning it.
  • He would install the entire Microsoft Office Suite on the Exchange server, and after creating a new user account, he would log onto the Exchange server as his domain admin account, and set up the account in Outlook to "test it".

    IIRC that was SOP because there were some settings in Exchange that only a locally installed Outlook client could access. Now, I don't know if your admin actually needed to access any of those settings...

  • Slightly on-topic (Score:3, Interesting)

    by Centurix ( 249778 ) <centurixNO@SPAMgmail.com> on Friday November 10, 2006 @08:14AM (#16792232) Homepage
    I actually had a favorite mail trojan at one point. I can't remember what it was called, and it expired itself a couple of years ago. It was distributed via mail, picking out everyone in the victim's address book. The fun thing about it was that it would pick out a random file from the victim's computer, preferably some sort of document, but it didn't seem too fussy, attach a copy of itself to the beginning of the file and send it on. Made a quick script which chopped off the virus whenever I received a mail, and then saved the actual file somewhere so I could take a look. It was like a little surprise in the mailbox every day. Some of my favorite ones were:

    * An Excel spreadsheet showing the expenses for a French shoe manufacturer
    * Someone's thesis on the spawning habits of Canadian salmon (quite well written too, best of luck with the masters)
    * A strange photograph of a person driving a car with a giant carrot for a passenger
    * Someone's 10Mb .pst file from their MS Outlook. Lots of mail, nothing interesting, but the program sent the file without the user noticing it.
    * No porn whatsoever, disappointing
    * And no password files, which I guess would have been a good primary target for the trojan.

    Quality trojan, they don't write them like that anymore.
  • Script Kiddie Hunt (Score:3, Informative)

    by rwa2 ( 4391 ) * on Friday November 10, 2006 @08:17AM (#16792236) Homepage Journal
    Back in college around 1998 my Redhat 5.x box got remote-rooted by some Samba exploit (the exploit was called ADMmountd). Most of the standard utilities like ls and top and ps were modified to not detect the rootkit, but du stopped working completely, and I managed to stumble upon the rootkit files in a hidden directory in /usr/lib/.lrk or something like that. Then I noticed IRC callback connections in tcpdump and followed the trail to some swedish IRC server. But didn't really get any leads there.

    It was pretty good about cleaning up after its last logs, but I finally managed to stumble into the kiddie's home dir on my box... the damned kiddie forgot to clean up his .bash_history ! Well, actually he did (as evidenced by some rm ~/.bash_history commands in his .bash_history), but of course his shell wrote it from memory again on logout. I found some entries there that led me back to another server he compromised.

    Looking at that (also Redhat 5.x) server's web site, I noticed that it had some evil users who exposed /etc/passwd in some cgi scripts. This was before Redhat started using /etc/shadow, so a few cycles of john-the-ripper later I had a list of remote login accounts and most of their fairly trivial passwords (including root). Probably the exact same way the script kiddie took over that box. So I sent an email to the admin of that server, and (as it was some other poor college bastard) surreptitiously logged in to /his/ rooted box, did some additional forensics, and cleaned up the rootkit on the remote machine as well, shutting off the compromised services and accounts before leaving myself. The home base apparently was at goethe.sbu.edu, which apparently hosted some bored-looking CS guy (there were only 7 enrolled in the program :P) at St. Bonaventure University, though he may as well have been rooted himself.

    So I cleaned up some other computer as well as mine. That was pretty much the time I migrated to Debian for good... have had nary a problem before or since. ;>

    Anyway, here are some annotated excerpts from the .bash_history I archived:
    blksheep/.bash_history

    cd /tmp
    cd .ADM
    ls
    ADMmountd liuxcentral.com -t 0 # plenty of typos while "scanning" for vulnerable hosts
    ADMmountd linuxcentral.com -t 0
    ADMmountd www.mondenet.com -t 0

    # retrieving the logfile cleaning utility, which didn't work on .bash_history, apparently
    ftp goethe.sbu.edu
    mv utclean.wri utclean.c
    gcc utclean.c -o utlcean
    mv utlcean
    mv utlcean utclean
    chmod +x utclean

    # Testing his rootkit
    who
    ls
    screen find / -name .wh00p -print >>blah
    ls
    cat blah
    rm blah
    cat /usr/bin/.wh00p .wh00p # I guess this was the real "who", he ran this often to watch his back, I suppose
    • But...but...

      Everyone knows Linux is invulnerable to attack!

      You must be some kind of weird antimatter slashdot troll from the negativerse where the sky is white and the stars burn with the blackness of a thousand really really black things.
  • by dlc3007 ( 570880 )
    I have to stop dissing my sister now. I only found 2100 malicious objects on her machine.
  • Well... (Score:3, Funny)

    by argStyopa ( 232550 ) on Friday November 10, 2006 @10:39AM (#16793336) Journal
    This isn't precisely what you're talking about but...a son should never have to clean up his mom's computer. Or if you do, for the love of god, DON'T BROWSE THROUGH THE TEMPORARY INTERNET FILES.

    Just wipe it. Trust me (shudder), a boy should never see that side of his mom.

    That was no doubt the worst cleanup I ever had to do.
    • With popunders you can generate quite a lot of fun content in the cache. Well worth remembering..
    • I remember doing similar on a friend's computer. This computer was used by their three sons, and his wife too. I remember going to Google, started typing "p", and what was the first entry in Autocomplete? "penis enlargement", and so many other similar things. Come on, dude. Not on the family PC, and not with Autocomplete on.
  • I remember one time I listened to an outgoing MS VP [slashdot.org], and refused to let my son install antivirus software on his new Vista machine...
  • I've cleaned out a few with over 1000 infections, but the worst was a system with 6500 infections. I never got it working properly (Explorer randomly generated windowing problems, etc), but it ran.

    But probably the scariest was one I cleaned with 350 infections of one virus. I believe it was Chernobyl, but I might be wrong. On a certain date of the month it detonated, wiping the drive. I used it on the day before until around 11:55pm unknowingly and went to bed around midnight. I found it the day after it
  • Calling Sweden... (Score:2, Interesting)

    by prescor ( 204357 )
    I once helped out a lady with Win98 who called me after she received an $800 long-distance phone bill. She was a dial-up ISP user and caught SOMETHING that was dialing Sweden in the middle of the night to do God-only-knows what.

    Not the "worst" infection I've ever cleaned up, but certainly the weirdest!
  • About 4 years ago, I came across a friend's machine. She was complaining that it was running "a little slow". I brought in a copy of AVG with the latest definitions (downloaded that morning) on a CD, and did what I could for the box. The result? 483 unique viruses, 41,000 or so infected files.

    I thought it was some kind of record. But reading other posts, I guess it isn't. :p
  • About 90/92 (I don't recall exactly) in Poland there were no strict software piracy laws and enforcement. The Polish software market was very new (communism had just ended in 89) so basically it was very hard to get anything legal. So you pirated and it was perfectly OK (there was no alternative distribution).

    I remember that a few computer shops put out public computers to attract customers. These computers worked like this - you went to the shop with a few floppies and copied games/software (mostly games) from and int
  • Witty Worm.

    Blew up the whole data center. Oh, and asshats let the support on Netbackup lapse, so the restores wouldn't run until they fixed whatever problem they had. But they couldn't get support to help them until they got the CIO out of bed to sign a $250k PO for licensing and support.

    All this happened because they didn't pay the invoice for ISS, and didn't get the Black Ice patch installed quickly enough.

    Funny... I have severe asthma, and this was just the day they decided to paint the inside
  • That is a LOT! And that doesn't even include the spyware? I find that very difficult to believe.

    The worst I've seen is approximately 3500 spyware on a 1Ghz Win2k machine with 512M ram. It was SLOW. Like 15+ minutes to boot, slow. It took a good 5 hours to "clean" with adaware, and even then I decided to reinstall anyway due to the system retaining a great deal of instability.
