
backdoor open somewhere and someone is getting into my machine

chipsterva69 asked
723 Views
Last Modified: 2010-04-11
To make a long story short - somewhere on my laptop there has been a backdoor opened and whenever I am on my home network, someone can get in and mess around, while I am on the machine.

Details:  About a month ago, I started noticing weird behaviour while on my laptop on my home network.  My cursor would start to drift around, without the mouse itself moving.  Then, on-screen buttons would be clicked, windows would open and close.  So - figuring it was malware - started scrubbing down the machine.  Used websweeper, stinger, ewido, ad-aware, and spybot.  All found minor things and cleaned them out.  A few nights later, same thing started to happen.  Okay - now I am getting a little paranoid.  I have always used Zone Alarm firewall and I have a netgear wireless router - so I make sure I have the latest software updates and definitions.  Still having my little friend stop by...

So - I re-format the hard drive and spend a weekend rebuilding the machine.  I install all of the security programs prior to installing the rest of the stuff.  I even waited a couple of days before I started to restore my data and files from my backups.  I figure I licked the problem - but I figured wrong.  Sure enough, about a week ago, my friend stopped back by for a visit.  Now it is getting really annoying - I am trying to run programs and he/she keeps my cursor jumping around, making it darn difficult to do anything.  Now comes the part I don't understand - figuring I would just cut the connection and work on the machine in a limited fashion - I disable the wireless connection.  Damned if he/she couldn't still work around in my system.  What the heck kind of connection is this?

So, here I am - I am frustrated enough to start backing up all of my software in preparation of another complete system rebuild, but without knowing more about how the individual is gaining access to my system, I don't really see the point of doing it.  I have tried blocking ports 135, 137, 139, and 445 on my Netgear firewall - no dice.  I figured they may be using my bluetooth card - no one is in 30 feet of me, and I pulled it out - no effect.  I have downloaded a couple of port logging programs (TCPview and ActivePorts) and tried to find an IP/port that stands out - nothing (the closest thing I have to a mystery is the following log entry - System      4      0.0.0.0      445  UDP and TCP - what is System 4?).  I thought I would lock down all of the ports on my router and open things up one port at a time, but I don't see any way of doing that on my netgear - I essentially have to set up a custom service that names a port then specify that service never be allowed to run.

And - last piece of the puzzle - I switched jobs a couple of weeks ago and am now working in a much more paranoid office - with a lot more network security, and it dawns on me that I don't have these problems while on the work network - just the home network.  So either the work network has the right port locked up and no access is available, or my friend prefers to hoot with owls than to scream with the eagles.

How can I track down what is being opened to allow access?  How can the connection be maintained if the wireless service has been disabled?  What can I use to prevent a recurrence?  What did I do to cause the compromise in the first place?  I am out of ideas - any help would be greatly appreciated...
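The "System 4 0.0.0.0 445" entry in the question is the Windows kernel process (PID 4) listening for SMB, which is normal. The following Python example is added here and is not from the thread; it parses a constructed sample in the column layout of `netstat -ano`, groups listeners by owning PID, labels the ports the thread names, and separates out established connections to remote peers, which is where an unexpected party would actually appear.

```python
import re
from collections import defaultdict
# Constructed sample in the column layout of Windows `netstat -ano` (not the asker's real output).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:49211      198.51.100.20:443      ESTABLISHED     2048
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1580
"""
# Ports named in the thread; PID 4 is always the Windows kernel "System" process.
KNOWN_PORTS = {135: "RPC endpoint mapper", 137: "NetBIOS name", 139: "NetBIOS session", 445: "SMB"}
KNOWN_PIDS = {4: "System (Windows kernel; owns the SMB/NetBIOS listeners)"}
# Proto, local addr:port, foreign addr, optional State (UDP rows have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, laddr, lport, faddr, state, pid = m.groups()
            rows.append({"proto": proto, "local": laddr, "port": int(lport),
                         "remote": faddr, "state": state or "", "pid": int(pid)})
    return rows

def listening_by_pid(rows):
    """Group listening sockets (TCP LISTENING, or any UDP socket) by owning PID."""
    out = defaultdict(list)
    for r in rows:
        if r["proto"] == "UDP" or r["state"] == "LISTENING":
            out[r["pid"]].append((r["proto"], r["port"]))
    return dict(out)

def explain_listeners(rows):
    """One line per listener, labelling the PID and port where they are known."""
    lines = []
    for pid, socks in sorted(listening_by_pid(rows).items()):
        who = KNOWN_PIDS.get(pid, f'unknown: check with tasklist /svc /fi "PID eq {pid}"')
        for proto, port in sorted(socks):
            lines.append(f"PID {pid} [{who}] {proto}/{port}: {KNOWN_PORTS.get(port, 'not in the list above')}")
    return lines

def established_remote(rows):
    """Established TCP connections to non-loopback peers: where an unexpected party would show up."""
    return [(f"{r['local']}:{r['port']}", r["remote"], r["pid"]) for r in rows
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and not r["remote"].startswith("127.")]
```

Run it against your own `netstat -ano` output by reading the file instead of the constructed sample; a listener owned by an unfamiliar PID, or an established connection to a peer you do not recognise, is what to follow up on.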

Erik Bjers, Principal Systems Administrator

Commented:
This is strange indeed.

How can I track down what is being opened to allow access?  This may not be easy; you can run a packet sniffer like ethereal (google it), but unless you know what you are doing it can be hard to understand.

How can the connection be maintained if the wireless service has been disabled?  IT CAN'T. If the wireless and bluetooth have both been disabled (I'm assuming also no wired connection) there is no way into the system unless someone has placed a hardware device inside your system (EXTREMELY UNLIKELY SO WE WILL IGNORE THIS IDEA).

What can I use to prevent a recurrence?  You've done all you can do.

What did I do to cause the compromise in the first place?  Could be almost anything.

NOW THE GOOD NEWS

I don't think your system has been compromised.

Many laptops have 2 mouse-type devices built in:
     A little button you move with your finger in the middle of the keyboard
     And a touch pad below the keyboard

Many people have used the button in the middle of the keyboard to move their pointer, but at the same time their palm brushes the touch pad (basically giving the mouse 2 sets of directions); this can cause the symptom your system is exhibiting.

How do you use your computer at work?
     Use the built-in mouse/touchpad or a USB mouse attached to the back or side of the laptop?

How do you use your computer at home?
     Same options.

What make and model is your laptop?

Good luck,

eb

Commented:
Port 445 TCP and UDP are the ports that are now used by MS for AD file sharing and other communications.   However it can also be used by various viruses to attack your PC.
Erik Bjers, Principal Systems Administrator

Commented:
I still don't think this is a trojan or outside hack as he states that the problem persists when the system is not connected to any network (I have yet to see a hack that can operate over an air gap, unless there is something on the system that moves the mouse).
A key logger could store a sequence and, instead of sending a file, replay the sequence at a given time of day, which could account for the time of day and the connectionless movement of the cursor.  In such a case it is innocuous, just annoying -- yet a challenge to find.  I have little success in finding key loggers and my understanding is that they are very good at not being found.

Shutting down ports is a senseless exercise given that pulling the network connection shuts them down very completely.  

Try changing your clock to see if your visitor gets jet lag, and mistakenly pops its head where the eagles soar.  Then we'll nab the little snake in the grass.
Tolomir, Administrator

Commented:
I like that mouse problem ebjers{http:#15986879} has mentioned.

@home: Just unplug all network cables and check if the problem still persists after it occurred; just work in a normal way, as if a network connection were active. "Web browsing" might be a bit boring, but it is important to simulate normal behaviour.

Maybe you use a special profile / hardware at home with your laptop?

Tolomir
Erik Bjers, Principal Systems Administrator

Commented:
You can do an online AV scan from Symantec, found at:
http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym

This will scan your computer for any malicious code and is very good, plus it bypasses any locally running processes that can interfere with a local scan.  I use this about once a month just to be safe.

Author

Commented:
Thanks for all of the great input -

Before I start trying things out, let me respond to the various pointers -

to ebjers - I use a USB mouse at work and a wireless Microsoft keyboard/mouse set at home that plugs into the USB port.  I don't have a cat 5 wire plugged in normally, and have not when I have experienced issues.  The laptop is a Dell Inspiron 1150.  It does have the touchpad mouse, but in home use, I am using my wireless keyboard and mouse and am usually keeping my hands a good ways separate from the laptop.  Good thought though - I am sure I have done that a couple of times and just not realized it.  I will try the Symantec scan as soon as I reply here.

to giltjr - I am not on an Active Directory environment in either location, so I am comfortable leaving 445 closed for the moment

to lunarbeach - I had not thought of a stored script duplicating the behavior when the connection is cut - yeesh, this kind of inventiveness can serve a person well in the business world (of course, it probably is serving this individual well in another way...).  I'll try changing the system clock.  I understand that key loggers are hard to find, but at some point they have to call the mothership again and dump the log, right?  Why can't I capture that activity?

to tolomir - I have tried disconnecting everything to see what occurs - and I still get activity, though it seems to be a bit slower, come to think of it.  I will try again for a longer period and see if I can duplicate the issue

My thanks to everyone - I will check back in a bit and update.
Erik Bjers, Principal Systems Administrator
Commented:
Some of these mice and keyboards can have a good range. Would there be any chance that someone relatively close to you has a wireless mouse as well and interferes with yours?

I'm with all the others that when you unplug all the wires and wireless there is no way things can happen with malicious intentions as stated, unless of course pre-recorded, which I find highly unlikely.

This might call for the ghost busters... :)

--dutch
Hi chipsterva69,

It is most certainly the wireless mouse/keyboard. I had that same problem with a user in the office; it was weird, I was racking my brain to figure it out, then I just opened notepad and waited.. something started typing, then I realised that it was the person sitting in front of the user having trouble who also had a wireless mouse/keyboard.

All you have to do is change the frequency of your wireless devices and you should be fine.

Good Luck

Luke

Author

Commented:
I am still waiting on another recurrence of my visitor, so have nothing more to add at the moment.

dcreature, you give a lot of good material to proceed on - will work on that in the next day or so.  Thanks a million!

As for the wireless setup - I have tried to duplicate the issue using both boards, but can't duplicate the issue, so I am not sure that is the solution.  Wired mouse and USB mouse work fine with the laptop.

Thanks everyone!
Erik Bjers, Principal Systems Administrator

Commented:
wired mouse and usb mouse work fine with the laptop.

If this is the case I would seriously look at your wireless mouse as the suspect.
Can you please obtain HijackThis and do the scan, and save the log.
Then upload that log at the www.hijackthis.de by pasting your log and
clicking on the 'Analyze' button.

After you do that, you'll see the link to your log at that site, so, please
paste the link here so we can help you further.
Wouldn't some disabled services also cause a similar problem? Especially some Share_Process services?


Erik Bjers, Principal Systems Administrator

Commented:
I don't think so; what service could you disable to cause mouse movement?

I still vote for hardware problems... bad mouse or interference

Author

Commented:
for nepostojeci_email and those interested - here is the log analysis for HijackThis -

http://www.hijackthis.de/logfiles/3a4c8284f70c86d9f0888da2286d54c9.html

Looks pretty clean to my amateur eyes....  Still no recurrence after changing the LAN IP settings.  I am not sure if I have been able to successfully rule out interference from another wireless keyboard/mouse combo a couple floors above me - still looking at that.

Thanks again!
Looks like it's clean, but you can also be a victim of a renamed virus executable
to one of the well known executables, like winlogon.exe or so.

Anyway, there is so much software used, I'm afraid to suggest anything..
However, have you tried switching the channel on which your mouse is working?
There should always be a switch to change channel from 1 to 2 and vice versa.
If you use a wi-fi keyboard, you should also check the bottom of your keyboard
for the same thing.
Erik Bjers, Principal Systems Administrator

Commented:
rule out interference from another wireless keyboard/mouse combo a couple floors above me

You can rule out interference from a couple floors above as this is out of range... other electronics (TV, microwave, radio, ...) can cause interference, though unlikely.

Have you tried a wired mouse at home?  If so were the results any different?
Just throwing a question out there to the many that are already up here...

 When your cursor does start floating around, is it just "floating around", or is it moving around with a sense of purpose? It seems very odd to me that even with interference between hardware devices, the cursor clicks on icons, and closes them.

 And also, are you using an infrared/laser mouse? I've had some times where my infrared mouse just randomly starts floating toward the top right hand corner of the screen and clicking the Close button on applications. So if you could clearly define what exactly your mouse is doing, it might help resolve this issue.

 And if all of this doesn't work (e.g. mouse, port blocking, sweeping, unplugging), then I would come to the worst-case conclusion that your actual laptop is the problem. Somehow or someway, a circuit may be malfunctioning within the laptop that is related to your mouse (either the built-in or the mouse port). If this is the case, it is probably due to overheating, since nothing else seems to make sense. I do realize that this is grasping somewhat at straws and is highly unlikely, but this situation is quite out of the ordinary. And such circumstance can bring about the oddest of answers.

 Good Luck,
 Enig

Author

Commented:
to Enig - the problem that prompted me to start this line was similar to someone moving the mouse around to 'wake a system up' then moving purposefully to various icons, buttons, windows, etc.  I would not call it random movement, once I started paying attention to what was going on.  I have also seen the 'infrared mouse drift' that you describe - the gradual drift to the upper right.

to the rest - since changing the router IP settings, I have not seen a recurrence of the issue.  I have used a USB wireless mouse, a USB wired mouse, and my original mouse/keyboard combination pretty heavily the last two/three nights, and have been trouble free.

As much as I would love to say 'this fixed the issue', I am not able to say definitively which recommendation solved the problem, or quite honestly, whether the problem is even solved permanently.  However - I am not having the problem now, and that is good enough for me.

Thank you to everyone for your help - it is very much appreciated.  Props to dcreature and ebjers -
