
Being Hacked


6 replies to this topic

#1 Shooefly

Shooefly

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:11:35 AM

Posted 12 January 2008 - 08:46 PM

I've been watching my security logs, security settings etc. for some time as I suspected I was being hacked. Yesterday I noticed some of the security settings had been changed so I put them as I thought they should be, including disabling use of a smart card.
Today, I find that the user rights assignments have all been completely changed, to such a degree that it appears a template was inserted. Every single right has this "name" and many variations of it assigned to it: *S-1-5-21-823518204-1078145449-725345543-1006

I have attached the exported file concerned.

How can I undo this and have sole administrative control over this computer again?

It is a Windows 2000.

Unfortunately, I know enough to know someone's messing with things, but not enough to know how to fix it/catch them.
Thank you so much for your help.


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,078 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:11:35 AM

Posted 13 January 2008 - 10:03 PM

:thumbsup: hello Shooefly ( dang if I don't love that pie)
What type of connection is this (cable etc.), wired or wireless?
Do you have a firewall and/or a router?
What are your antivirus and spyware tools?
It does appear to be a hack. That said, you would be best served to keep this PC disconnected from the internet till fixed. Consider any passwords or financial info stored within to be compromised.
I am looking further into this so in the meantime please provide requested info.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....

#3 Shooefly

Shooefly
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:11:35 AM

Posted 17 January 2008 - 02:23 PM

Dear Boopme:

Thank you for your offer to help! I'm only on every few days as I have to fight my kids for internet time.
The computer in question had only AVG free, which I uninstalled and downloaded F-secure. It found nothing.
I can't even find the Windows firewall on this Windows 2000, sp 4.
There has been detailed tracking going on inside the computer logs ever since it was given to my children (after I poked around and set up the logging that is--when it came, event logging was not even turned on).
I want to find out who is doing this, but I can't even find Windows firewall in it via control panel or via a search. I will have to install Norton's firewall from Rogers (we have Rogers high-speed lite cable); I know you can do Netstat -a or something but I don't quite know how.
I am attaching the detailed tracking in the event logs...after I made changes to the user rights/security and services permissions there were a whole lot of failed access attempts...but now I can't find that one, maybe it's mislabelled. Had to break it into parts, as it was too big to upload. I also have the .evt files but I don't know how to break those up and make them small enough. Could try to zip them later I guess.
I think I've answered all of your questions now, if not I'll be back.

Thanks again for your help!

And I like the quote at the bottom of your post, by the way. That's one of my favorite books!! :thumbsup:

#4 Shooefly

Shooefly
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:11:35 AM

Posted 17 January 2008 - 02:28 PM

:huh: hello Shooefly ( dang if I don't love that pie)
What type of connection is this Cable etc, wired or wireless...
Do you have a firewall and or a router?...


Hello Boopme,

I think I replied in the wrong place and it won't notify you so here's a little note....thank you for offering to help. I posted a reply in the thread under your message :thumbsup:

#5 tswsl1989

tswsl1989

  • Members
  • 260 posts
  • OFFLINE
  • Gender:Male
  • Location:Cymru/Wales
  • Local time:04:35 PM

Posted 18 January 2008 - 11:36 AM

Download psgetsid from here
Unzip the file and copy to Windows\system32
Open command prompt
psgetsid [Your account name here]

Compare the bit between the S-1-5- and the last group of digits.
Reply, stating whether they're the same or not. If they're different, DO NOT POST THE FULL NUMBER; just reply and say that the numbers don't match.
Tom

Tswsl1989
Duct tape is like the force. It has a light side, a dark side, and it holds the universe together

#6 Shooefly

Shooefly
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:11:35 AM

Posted 13 February 2008 - 01:40 PM

Hi Tom,

Thank you for your help. I downloaded and attempted to copy it into Winnt/system32 and it said there was one there already, modified in 2000. So I tried to use command prompt with the existing one, but it won't work...keeps saying "error querying account: no mapping between account names and security IDs was done."

I typed at the command prompt, psgetsid [USER-blahblahblahlettersandnumbersblah\Family] and that didn't work, so I tried just [Family] and that didn't work either...took out the space in front of bracket too, with no luck. 'Family' user account has administrator privileges.

Should I copy the downloaded file over the old one and try that? Or should the old one have been good enough?

Thanks.

:thumbsup:

#7 tswsl1989

tswsl1989

  • Members
  • 260 posts
  • OFFLINE
  • Gender:Male
  • Location:Cymru/Wales
  • Local time:04:35 PM

Posted 14 February 2008 - 05:03 AM

Sorry, the brackets were just there to show that that text should be replaced.
Try:
psgetsid Family

and then follow the previous instructions.
Tom

Tswsl1989
Duct tape is like the force. It has a light side, a dark side, and it holds the universe together
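The check Tom describes in posts #5 and #7 (take the SID psgetsid prints for your own account, and see whether the part between "S-1-5-" and the last group of digits matches the SIDs sitting in the user rights export) can be applied to every entry of the export at once. The script below is an added example, not from the thread or from the psgetsid tool; the export snippet and the "local" SID it is compared against are constructed, and the export is assumed to be in the secedit .inf layout with a [Privilege Rights] section.

```python
import re

# Well-known per-machine RIDs (the last group of a SID) every install issues.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Return (issuer, rid): the text between 'S-1-5-' and the last
    group, and the last group as an int. This is the comparison the thread
    asks for; the issuer part identifies the machine or domain."""
    if not SID_RE.match(sid):
        raise ValueError("not a SID: %s" % sid)
    prefix, _, rid = sid.rpartition("-")
    issuer = prefix[len("S-1-5-"):] if prefix.startswith("S-1-5-") else prefix
    return issuer, int(rid)


def classify(sid, local_issuer):
    """'this machine' if the SID was issued here, 'another machine or domain'
    for any other S-1-5-21-* SID, 'well-known' for built-in groups such as
    Everyone (S-1-1-0) or BUILTIN\\Administrators (S-1-5-32-544)."""
    issuer, _ = split_sid(sid)
    if issuer == local_issuer:
        return "this machine"
    if issuer.startswith("21-"):
        return "another machine or domain"
    return "well-known"


def scan_export(export_text, local_account_sid):
    """Walk the [Privilege Rights] section and classify every SID in it."""
    local_issuer, _ = split_sid(local_account_sid)
    findings, in_section = [], False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[Privilege Rights]"
            continue
        if not in_section or "=" not in line:
            continue
        right, _, value = line.partition("=")
        for token in value.split(","):
            sid = token.strip().lstrip("*")  # secedit prefixes SIDs with '*'
            if sid:
                findings.append((right.strip(), sid, classify(sid, local_issuer)))
    return findings


def foreign_sids(findings):
    """SIDs that belong to another machine or domain: the ones worth a look."""
    return sorted({sid for _, sid, verdict in findings if verdict != "this machine" and verdict != "well-known"})


# Constructed sample: the 1006 SID is the one quoted in the thread, the
# 1005 one is made up, and LOCAL_SID stands in for what psgetsid would print.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-823518204-1078145449-725345543-1006
SeRemoteShutdownPrivilege = *S-1-5-21-111111111-222222222-333333333-1005
SeNetworkLogonRight = *S-1-1-0
"""
LOCAL_SID = "S-1-5-21-823518204-1078145449-725345543-1000"
```

Running scan_export(SAMPLE_EXPORT, LOCAL_SID) reports the 1006 SID as issued by this machine (so it is a local account, RID 1006 meaning the seventh account created after install) and only the 1005 SID as foreign.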



