diles asked:

Hacked By Jeefo Megabit

Hi

A client recently came back to their PC after a couple of days to find a .txt file and about 20 printed pages saying Hacked By Jeefo Megabit.

When they went to log on their name had been removed from the user box and the administrator account name was there instead.

I've searched Google, Yahoo, Mamma, Dogpile, Ask etc. for this exact phrase, but it doesn't seem to come up anywhere (OK, it came up once and took me to a Tupac tribute page, but I can't for the life of me find it now and I can't recall what search engine I used at the time).

I'm aware of a trojan called Jeefo, but I don't think this has anything to do with that (I might be wrong).

I've run a full scan for viruses and had nothing come up; I did run a spyware scan too, but nothing out of the ordinary came up with that either.

Has anybody heard of this and, if so, do they know whether this is a legitimate hack, how they may have got in, and also how it can be prevented in the future?

simsjrg:

How is the machine accessible via the Internet? VNC, RDP, GoToMyPC etc?

>> how it can be prevented in the future?

Remove access to the machine from the public Internet. Implement a VPN solution so you are not required to expose internal workstations, servers, services to the outside world that don't need to be.
To prevent this, minimize the attack surface of the workstations and servers in your client's environment.  A defense-in-depth approach (thorough) is best.  To do so:

1.  Like the previous poster indicates, only allow external access via secure (encrypted and authenticated) methods.
2.  Disable unnecessary Windows services.
3.  Uninstall unneeded software.
4.  Run anti-virus/anti-malware software.
5.  Use a client firewall.
6.  Use an account with low privileges like a local user or domain user account to perform daily/routine tasks rather than running as an administrator.
7.  Control physical access to the workstation as much as possible.
Hire an information security incident response specialist now who will be able to do a proper audit and determine how the intruder got in and how to prevent it, which is the only way to prevent it in the future. It's probably not the signature of a known virus or malware, but of a bored teenager.

diles (ASKER):

There are only 2 PCs on the network, protected by a Vigor 2800 firewall, and no direct access from the internet other than port 80. The attack has got to have come from a piece of malware from an internet site. The question is what was it. We will revisit the machine today, as we have not found anything that allows this attack and are still concerned the tool used is still active. Any further assistance with this specific solution would be gratefully received.
You say port 80 is available to the public - is that a web server or are you allowing remote administration of the Vigor over the internet?  Are you certain that you're not exposing port 23 to the web?  Is administration of the router protected by a complex password? Do you have UPnP enabled on the router?

If you allow remote admin of the router, you ought to think about disabling that and setting up a VPN instead.  I'd advise you to check the settings under System Maintenance > Management.  Also, perform a port scan against your public interface to be certain about what services you expose to the internet.  http://nmap.org/download is a good choice and a comprehensive scan such as the following will interrogate any services running on TCP ports either on the router or forwarded through it (replace the placeholder with your public address):
nmap -sSV -p0- --allports -v --reason <your-public-ip>

diles (ASKER):

Port 80 is not redirected, I was referring to the fact that when on the internet the pc is susceptible to malware.
It doesn't sound like that sort of a hack.  I may be wrong, but it seems like someone managed to log in to the PC interactively as an administrator, and for that they would have had some kind of remote access (it may, of course, have been someone on the local network, or a wireless network if you have one enabled).
Therefore I urge you to answer the above questions in order to satisfy yourself that remote access is not possible.
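One way to check the reply's hypothesis (an interactive administrator logon) against the security log, as an added example that is not from any participant in this thread: it triages successful desktop logons (XP/2003 event 528/540, Vista+ event 4624) exported to a simplified, constructed CSV layout; the column names, the sample rows and the two-PC inventory are assumptions.

```python
import csv
import io

# Logon Type codes as Windows records them (same meaning in XP event 528 and Vista+ event 4624).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive", 11: "CachedInteractive"}
SUCCESS_LOGON_IDS = {528, 540, 4624}   # XP/2003: 528 (interactive) and 540 (network); Vista+: 4624
CONSOLE_TYPES = {2, 10, 11}            # someone got a desktop, locally or over Terminal Services

# Constructed sample in a simplified CSV shape (time, event id, account, logon type, source
# workstation); not a real export from the machine discussed in the thread.
SAMPLE_LOG = """time,event_id,account,logon_type,workstation
2008-03-14 09:02:11,528,jsmith,2,RECEPTION-PC
2008-03-14 12:40:03,540,jsmith,3,FILESERVER
2008-03-16 02:17:45,528,Administrator,10,WORKGROUP-XYZ
2008-03-16 02:19:02,540,Administrator,3,WORKGROUP-XYZ
2008-03-17 08:55:30,528,jsmith,2,RECEPTION-PC
"""

def parse_rows(text):
    """Read the CSV export into dicts, converting the numeric fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["event_id"] = int(r["event_id"])
        r["logon_type"] = int(r["logon_type"])
        rows.append(r)
    return rows

def flag_console_logons(rows, known_workstations, privileged=("Administrator",)):
    """Return successful desktop logons worth a second look, with reasons: privileged account,
    session over Terminal Services, or a source workstation not in the site's inventory."""
    hits = []
    for r in rows:
        if r["event_id"] not in SUCCESS_LOGON_IDS or r["logon_type"] not in CONSOLE_TYPES:
            continue
        reasons = []
        if r["account"] in privileged:
            reasons.append("privileged account")
        if r["logon_type"] == 10:
            reasons.append("remote (Terminal Services) session")
        if r["workstation"] not in known_workstations:
            reasons.append("unknown source workstation")
        if reasons:
            hits.append({"time": r["time"], "account": r["account"],
                         "type": LOGON_TYPES[r["logon_type"]], "from": r["workstation"], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for h in flag_console_logons(parse_rows(SAMPLE_LOG), {"RECEPTION-PC", "OFFICE-PC"}):
        print(h["time"], h["account"], h["type"], "from", h["from"], "->", "; ".join(h["reasons"]))
```

Only the 02:17 Administrator logon over Terminal Services from a workstation outside the inventory is reported; the routine jsmith logons and the network (type 3) events are not.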
diles (ASKER):

I understand where you are coming from, but there is NO remote access into this network. We have had another customer who had a malware program attacking the server from within. Having isolated the network from the internet, we still saw errors in the security log and traced this attack to the CEO's PC (who insisted on having Domain Admin rights). So this still makes me wonder if remote access has been gained through an IE security flaw or another piece of malware.
I don't know of any malware which performs an interactive logon, deposits a text file proclaiming a hack and prints 20 pages of text.  This is either someone having a joke (someone with administrator credentials) or someone has gained remote access.  Most malware is designed to stay under the radar while it performs its tasks, namely making money for its authors and distributors.

It's possible that someone has visited a page on the web in which an embedded Java applet or Flash Player file has managed to use UPnP to open up ports to allow remote access via the Vigor.  A port scan against your external interface would show up any publicly available services and alert you to this.

diles (ASKER):

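A direct way to check for the UPnP-created forwardings the reply describes is to ask the router's Internet Gateway Device service for its port-mapping table, as in this added example (not code from any participant in the thread). It uses the standard WANIPConnection:1 GetGenericPortMappingEntry action; the control URL is a placeholder to be taken from the router's UPnP device description, the reply is constructed, and the list of ports treated as remote-access services is an assumption.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
CONTROL_URL = "http://192.168.1.1:1900/upnp/control/WANIPConn1"  # placeholder; read the real one from the router's device description
# Internal ports that would hand an outsider a login or admin session; review any hit by hand.
REMOTE_ACCESS_PORTS = {22: "ssh", 23: "telnet", 80: "http-admin", 3389: "rdp", 5800: "vnc-http", 5900: "vnc", 8080: "http-alt"}

# Constructed reply for table entry 0, in the shape an IGD returns; not captured from a real router.
SAMPLE_RESPONSE = (
    b'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    b'<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    b'<NewRemoteHost></NewRemoteHost><NewExternalPort>3389</NewExternalPort><NewProtocol>TCP</NewProtocol>'
    b'<NewInternalPort>3389</NewInternalPort><NewInternalClient>192.168.1.20</NewInternalClient>'
    b'<NewEnabled>1</NewEnabled><NewPortMappingDescription>svc</NewPortMappingDescription>'
    b'<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

def soap_body(index):
    """SOAP envelope asking the IGD for port-mapping table entry number `index`."""
    return ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:{ACTION} xmlns:u="{SERVICE}"><NewPortMappingIndex>{index}</NewPortMappingIndex>'
            f'</u:{ACTION}></s:Body></s:Envelope>').encode()

def parse_mapping(xml_bytes):
    """Collect the New* fields of a GetGenericPortMappingEntry reply as {field: value}."""
    root = ET.fromstring(xml_bytes)
    return {el.tag.split("}")[-1][3:]: (el.text or "").strip()
            for el in root.iter() if el.tag.split("}")[-1].startswith("New")}

def suspicious(mapping):
    """Name the remote-access service an enabled mapping exposes, or None."""
    enabled = mapping.get("Enabled", "1") == "1"
    return REMOTE_ACCESS_PORTS.get(int(mapping["InternalPort"])) if enabled else None

def list_mappings(control_url=CONTROL_URL, limit=200):
    """Walk the table until the IGD answers HTTP 500 (UPnP error 713: index past the end)."""
    found = []
    for i in range(limit):
        headers = {"Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{SERVICE}#{ACTION}"'}
        req = urllib.request.Request(control_url, data=soap_body(i), headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                found.append(parse_mapping(resp.read()))
        except urllib.error.HTTPError:
            break  # end of table (or the router refused the call); return what was collected
    return found
```

parse_mapping and suspicious run offline against SAMPLE_RESPONSE; list_mappings needs the real control URL and walks the live table, and every mapping it returns should correspond to a forwarding the site set up deliberately.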
Thanks will do that now.
And if port 80 is not redirected then it can only be the Vigor's admin console on port 80 - this is a bad idea and my original advice stands.
diles (ASKER):

The Vigor is on port 8080.
SOLUTION
Mohamed Osama:
diles (ASKER):

This is more like what I suspected. Is there an easy way to look for these? We are going on site within the hour.
ASKER CERTIFIED SOLUTION
SOLUTION
diles (ASKER):

We supplied the client with a new PC, as they were concerned about the incident. We are still no nearer to finding out how this happened, so request that the question now be closed. Thanks to all who helped in this matter.
Your client looked to you to assist in answering several questions.  While you may not have been able to answer them 100%, you were given some useful information that you likely used in responding to your client.  If you feel that you have gained useful information from the individuals posting here, it is only fair that you distribute some points to those individuals.