19 January 2007

mudpuppie got rootkitted?
Sounds like it's either
a) technically complicated
b) painful
c) a private matter.

Which means I'd have to be a 1337 kinky doctor to know what you're talking about, right?
posted by wendell 19 January | 04:46

So I was chatting with mudpuppie on IRC tonight, and suddenly some guy called mustard_ale logs on. Server query reveals he's logged on from mudpuppie's IP; mudpuppie doesn't use wifi. He starts chatting with us in broken English:

i'm sorry, i'm new to metchat. mud, i am on the east coast.
mudpuppie i am not spoof you.
I pinged his box and established that he uses mIRC, while pups uses chatzilla, and that his computer clock is at least 2 seconds off from pups'.

So I figure there are maybe 4 alternatives here:

1) Mudpuppie's rootkitted and this guy's in her box, pwning her files, and somehow monitoring her connection and using her box as a proxy to get onto IRC.
2) The IRC server is erroneously reporting mustard_ale's IP address as being identical with mudpuppie's, for no apparent reason; mustard_ale is innocent.
3) Mudpuppie is playing a joke on me.
4) Someone else is playing a joke on us, perhaps mustard_ale, by spoofing her IP to the IRC server. Hard to do.

I suggested that mudpuppie run spybot s+d as a precaution. But if someone's pwned, who knows whether they see what you send them, so I decided to post this too.

Anyone have any other input/opinions about this? Am I being overparanoid? Does someone know this mustard_ale? Is it common on IRC to spoof the chanop's IP address?
posted by ikkyu2 19 January | 04:49

If mudpuppie is playing a joke on you, it worked.

If a machine has been the victim of a rootkit, nothing less than nuke-and-pave will return it to trusted status. Attempting to discover a rootkit, on the machine that has been rootkitted, is itself problematic, because quality rootkits have privilege manipulation on their side, and typically already successfully hide from most commercial scanners and toolkits.

Spoofing IP addresses for IRC clients, even the channel op, is trivial for many kinds of man in the middle attacks, and if mudpuppie's machine isn't itself compromised, but she's connecting with an actual routable IP address through a typical ISP, it's pretty easy to find some other machine on that ISP's subnet to be the man-in-the-middle.

There's no reason not to be running stateful packet inspection firewalls, doing NAT, these days, when such devices cost so little, and protect so much.
posted by paulsc 19 January | 05:10

oh my. what is this rootkit? i fear it now. it sounds so cyberpunk. will it render me so i'll never jack into the matrix again?
posted by shane 19 January | 09:27

"rootkit" comes from "root", meaning the most basic and most powerful access level for a given operating system. "kit" comes from the fact that these "root access attack devices" come in "kit" form for stupid, non-hacker "script kiddies", whose hacking expertise amounts to the dragging and dropping of an automated script file into a terminal window.

Root was originally used to describe only Unix or Linux access levels, but it spread to include Windows, even though Windows technically doesn't have "root" level access. However, it's been used to describe a method of gaining control of the Windows OS that surpasses even Administrator, as many Windows rootkits have system-level hooks and access that make detecting or controlling that access from even the Admin account impossible.

Modern rootkits modify and control the system from the point that the PC begins loading the OS, just after the hardware/BIOS boot, so there's usually little you can do to modify or defend yourself against the rootkit from within the operating system. It usually means a complete wipe and rewrite to restore control.

Spybot S/D will not help, neither will antivirus programs. (Panda or NOD32 might catch it, but probably not since most rootkits look just like the code that runs the operating system.)

By the way, since I've got the pulpit: DO NOT USE NORTON AND MCAFEE BECAUSE THEY SUCK SO VERY BADLY AND THEY'VE SUCKED BADLY FOR 5 OR MORE YEARS DO NOT USE THEM! REPEAT, DO NOT USE THEM! PLEASE SPREAD THE WORD. Norton and McAfee have both been pretty much ineffective against modern viruses for years. Their virus tables are out of date, their threat detection methods are ancient and they will slow your computer down by 50-75% to provide this ineffective protection.

I *STRONGLY* recommend NOD32 antivirus from ESET. It's fast, it's light, it's super strong and it's cheap. It kills and intercepts spyware, malware and driveby installs before they happen, and detects and cleans spyware, malware and viruses like a dream. It detects stuff that Norton and McAfee won't ever even see. Others recommend Panda antivirus, which is also very good, if not stronger, but it doesn't run as fast and as light as NOD32 in my experience.

Ok. Rootkit removers.

Wikipedia's rootkit entry has a list at the bottom which lists some removers.
Microsoft has a rootkit revealer, but that looks like a techie tool.
F-Secure has some anti-rootkit resources.
Sophos looks like it has a good, easy to use rootkit remover here, which is also recommended by the Wikipedia article.

Good luck.
posted by loquacious 19 January | 20:16

By the way, shane? That incestual midget horse porn is some pretty messed up stuff, man. I forwarded some of it on to your mom.
posted by loquacious 19 January | 20:18