Posted 30 December 2009 - 02:42 PM
Kind of an unusual question here, not sure I am in the right forum exactly, but any help would be immensely welcome. My primary aim here is not to clean my computer but to find any details possible about the hacker.
My computer has been properly hacked, and I think I know who the culprit might be. In real life, I've had anonymous obscene text messages and a lot of hassle from someone who lives in the same apartment building as me, and I'm beginning to think it's possible that he might also be the hacker.
At the time my computer was infected, I did not even have an internet connection. This thing has survived two clean installs of Windows XP. There seems to be a Host Protected Area partition on my hard drive, and I think the rootkit is hiding there.
In Windows, different process listing programs give totally different reports of which processes are running. A remote access autodialer has been installed which I can't get rid of - it reinstalls itself moments after I delete or rename it. Bluetooth seems to have also been hacked but it's difficult to tell. If I connect to the internet, an IPv6 tunnel is immediately set up via Teredo (which I cannot disable), but I cannot find where this tunnel is going to - the only addresses I can find associated with this are my own and the Teredo servers. Wireshark also shows that three IGMP router requests are made as soon as I connect to the internet.
I found a log file that shows that someone has migrated their entire desktop via the "Remote Desktop" desktop facility, which I did not enable. The log file includes WinAmp, Odigo, Photoshop and all sorts of other software that I don't have. I can't find any trace of these files on the computer though. I have an (empty) registry entry for "T-Mobile web'n'walk" which is a mystery to me, I've never owned a T-Mobile phone.
So, I started running Linux from a CD (without connecting to the internet). This worked fine for a while, and then strange things started to happen. The boot logs show that Bluetooth is being started at boot time, in multicast mode, with the message "Starting experimental networking services...", and it is using three serial ports (similar to the three IGMP connections made under Windows, possibly?). I also found an invisible XConsole process running with the user "sysadm" which isn't a user I set up.
I guess my questions would be these:
1) Can anyone think of a legitimate reason why Bluetooth would enable itself and configure itself to multicast mode? Or is this the smoking gun I think it is? Given that the prime suspect lives in the same building as me, is it possible he's hacked in via Bluetooth?
2) Can anyone tell me where to learn about IP Tunneling? I think the details of the IP address of the endpoint of the tunnel must be there on my hard drive somewhere, but where would I start to look?
3) I'm about to buy some software called "Drive Spy" that is able to find hidden partitions and undelete files. It's quite expensive and I was wondering if anyone had any experience of using this and can tell me whether it's any good or not? Or if there is any other forensic software I might consider as well? I'm a total newbie with this and don't really know what I'm looking for.
Many thanks to anyone who can point me in the right direction to find out more about any of this. I am prepared to spend the next six months reading every sector of my hard drive with a hex viewer if I have to (!) but would appreciate any pointers as to where to start or any info about using forensic software if anyone knows about it...
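Added example for question 2 (this is editor-supplied code, not the poster's, and not from any tool mentioned in the thread): a Teredo address is self-describing per RFC 4380, so the "where is this tunnel going" question can be partly answered by decoding the address itself. The first 32 bits are the prefix 2001::/32, the next 32 bits are the Teredo server's IPv4, then 16 bits of flags, then the client's NAT-mapped UDP port and public IPv4, both stored XORed with all-ones. The sample address below is constructed from RFC 5737 documentation ranges (192.0.2.45 as server, 198.51.100.23:40000 as the client's mapped address) and is not taken from anyone's capture. Note what decoding does and does not give you: the server and your own mapped address are in the address; the remote peer of any actual tunneled traffic is only in the inner IPv6 header of the UDP-encapsulated packets (UDP/3544 by default), which is where to look in Wireshark.

```python
"""Decode and encode Teredo (RFC 4380) IPv6 addresses.

Editor-added example. The sample address is constructed from
RFC 5737 documentation ranges, not taken from a real capture.
"""
import ipaddress
from typing import NamedTuple

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")

# Constructed sample: server 192.0.2.45, cone flag set,
# client mapped to 198.51.100.23 port 40000.
SAMPLE = "2001:0000:c000:022d:8000:63bf:39cc:9be8"


class TeredoInfo(NamedTuple):
    server: ipaddress.IPv4Address     # Teredo server the client registered with
    cone: bool                        # "cone NAT" flag (high bit of the flags field)
    client_port: int                  # client's NAT-mapped UDP port
    client_ip: ipaddress.IPv4Address  # client's NAT-mapped public IPv4


def is_teredo(addr: str) -> bool:
    """True if addr parses as IPv6 and lies inside 2001::/32."""
    try:
        return ipaddress.IPv6Address(addr) in TEREDO_PREFIX
    except ValueError:
        return False


def decode_teredo(addr: str) -> TeredoInfo:
    """Split a Teredo address into its RFC 4380 fields."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not in the Teredo prefix 2001::/32")
    raw = ip.packed  # 16 bytes, network order
    server = ipaddress.IPv4Address(raw[4:8])
    flags = int.from_bytes(raw[8:10], "big")
    # Port and client IPv4 are obfuscated with XOR 0xFFFF / 0xFFFFFFFF so that
    # a NAT does not rewrite its own public address when it appears in payload.
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF)
    # Only the cone bit (0x8000) is interpreted; later revisions (RFC 5991)
    # fill the remaining flag bits with random values, so they are ignored.
    return TeredoInfo(server, bool(flags & 0x8000), port, client)


def encode_teredo(server: str, client_ip: str, client_port: int,
                  cone: bool = False) -> ipaddress.IPv6Address:
    """Inverse of decode_teredo; useful for building test vectors."""
    if not 0 <= client_port <= 0xFFFF:
        raise ValueError("client_port must fit in 16 bits")
    flags = 0x8000 if cone else 0x0000
    raw = (b"\x20\x01\x00\x00"
           + ipaddress.IPv4Address(server).packed
           + flags.to_bytes(2, "big")
           + (client_port ^ 0xFFFF).to_bytes(2, "big")
           + (int(ipaddress.IPv4Address(client_ip)) ^ 0xFFFFFFFF).to_bytes(4, "big"))
    return ipaddress.IPv6Address(raw)


if __name__ == "__main__":
    info = decode_teredo(SAMPLE)
    print(f"server      : {info.server}")
    print(f"cone flag   : {info.cone}")
    print(f"client addr : {info.client_ip}:{info.client_port}")
    print(f"re-encoded  : {encode_teredo(str(info.server), str(info.client_ip), info.client_port, info.cone).exploded}")
```

To use it on a real capture, paste the Teredo address Wireshark shows as your own interface address into `decode_teredo`; if the "client" fields come back as your own NAT's public address and the server field as the Teredo server, that confirms the address only tells you who you are, and the peer must be read from the inner IPv6 destination of the encapsulated packets.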