Hacked during Steam!

Posted by wassup (Newbie, joined Nov 20, 2004)
A couple of days ago my best friend bought the HL2 retail CDs
(I've had the DVD since it came out ;0)
Now he does not have the internet but bought the game anyway because, like me, he has been a big fan since the first HL.

So yesterday he came to my house to use my modem (56k) and connect to Steam and activate offline mode.

Also you should know:
1. his computer has never been online
2. he has a default install of Windows XP Home
3. he connected in the normal way (no gateways or anything like that)

After about an hour of patching Steam a strange Windows message came up (I'll post a screenshot later). The message was asking us to patch Windows (obviously fake); we used the "X" to get the hell out.

Steam had stopped updating (looked in Task Manager) so we rebooted the machine.

We continued the Steam update but it seemed not to be doing anything.

This is when we looked in "Task Manager (ctrl-alt-delete)" again and found some dodgy programs.

1. Yahoo.exe (most likely a trojan)
2. CCinfo??? (can't remember, but was also downloading)
3. winlogon (can't remember, but was also downloading)

We killed the first two, then I looked in the usual trojan places in the registry, local>run & user>run. I killed yahoo in both these places but we decided to leave the other two in and just use ctrl-alt-delete to kill them.

Steam continued for some time and then we had a normal Windows error message (the one where you click "do not send" to Microsoft).

After this the system appeared to crash.

We restarted and finished doing all the things that you need to register with Steam. We had not received the acceptance of the CD key, but I guessed that this would take a few hours for Steam to verify. But the problem was that it would not even let him play online after all this.

On HL2 (online) he got the message "This game is currently unavailable, please try again at another time". We restarted the computer and still got this message.

We wasted 4+ hours trying to allow my friend to play HL2 and in the end he has decided to format and start again (I lent him my modem to use at home).

This hack was most likely nothing related to Steam (unless they were trying to hijack his account).

But my question is, how much of an IT professional do you have to be to play HL2? Another big fan that can't play but has paid.

Seriously, eventually someone will crack HL2 and then Steam should send all the retail buyers a patch CD so we don't have to go online. I believe they owe it to us.


I believe the ports he got hacked over were 135 and/or 445.
As I get more info I'll post it!
Sorry for a long boring post!!
 
Never been online b4 ... pop up? Mmm... sounds like spyware. Your friend could have picked it up from somewhere else.

Steam appeared to do nothing? If you have a program like NetLimiter you can take a peek. Steam is actually downloading like crazy, esp. updating. In my case that is.

Yeah, it seems like your friend's comp is infested with trojan spyware and could be a virus too. ^^; Never online doesn't mean you will not and cannot pick it up elsewhere.

Ah, the warez version was out from day 1. It seems that it can run offline without Steam. Plus the performance on the warez version is far better. No thanks to Steam and Valve.

And again, by now you should have realised that Steam is really crappy. Valve ... I dunno, do they?

Basically, you don't have to be highly computer literate to be able to play HL2. It's just that HL2 is way too buggy.
Rumours are that HL2 itself is designed to cripple Nvidia cards, in favour of ATI.

Oh well, screw it.
This is a boring post too.

Btw, just finished the game. Bleh, I should say, nothing more. The last patch gave me read memory errors more than I could have asked for. I can't play for more than 5 minutes. So, basically I was pissed, turned on the cheats and beat the last 3 levels. The End. I'm going to uninstall this piece of crap now.
 
OK, let me see if I can explain a few things for you.
I am a professional I.T technicion (even if I can't spell it right, lol)

One recent survey I recall seeing says that a default-installed XP computer, once placed online (especially on broadband), is compromised in about 25 minutes.
Which doesn't mean you were hacked or infected during your time online, but it's just the statistics I last saw.

So if he is going online he and you should both have firewalls and anti-virus; I personally prefer Norton for both.

OK, and
1. Yahoo.exe: this is a messaging program, very common and not a trojan. See if he had Yahoo Messenger installed.
2. CCinfo???: if I recall this is a normal process in Windows
3. winlogon: and this one I am sure is a normal process; it's part of the login system as its name suggests.

Now regarding the patching messages you got, those are part of the XP update system; they are important updates to improve your security online and fix bugs. It's a good idea to do what it asks and get them.
Normally this comes up as a small orb at the bottom right of the screen near the time.

Btw the system probably crashed because you stopped winlogon and so on.

And HL2 is not playable, as I understand it, UNTIL you get verification back from Steam saying you can play; that's why he cannot play. If he goes back online at some point once he gets the e-mail from them, it should be done and ready for him.

Nothing you have described sounds like an effect of a hack or virus and sounds more like you overreacting to normal system operations and Steam's methods of working.

Your friend's system sounds perfectly normal and I do not think he needed to format.

Oh, and don't mess around with your registry unless you have backed it up or know exactly what you are doing in there.

Btw none of this is intended to get at either of you, just filling you in best I can
 
Just use a free firewall (Sygate, Tiny) and a virus scanner (AVG) next time and it'll save you some trouble....
 
The life expectancy of an unpatched WinXP install online is around 4 minutes.
 
Pi Mu Rho said:
The life expectancy of an unpatched WinXP install online is around 4 minutes.

Last I heard was 25 mins, but yes, in reality it's normally that close.
God, I have seen so many people call me begging for help, and I turn up and they have broadband but have no protection and have done no patching, and then they wonder why their computer is now a porn server, lol
 
carl_hewitt2000 said:
so if he is going on-line he and u should both have firewalls and anti-virus, i personally prefer norton for both.
Agree that antivirus and some sort of firewall is required. I have to say that Norton is overhyped overbloated junkware, though.
1. Yahoo.exe: this is a messenging program, very common and not a trojan. see if he had yahoo messenger installed.
Yahoo messenger has no executable named yahoo.exe. It is a trojan. http://www.pestpatrol.com/pestinfo/y/yahoo__trojan.asp
2. CCinfo???: if i recall this is a normal process in windows
It's part of the Agobot worm. See http://uk.trendmicro-europe.com/smb...il.php?id=66695&VName=WORM_AGOBOT.ABV&VSect=T
3. winlogon: and this one i am sure is a normal process, its part of the log in system as its name suggests.
Yes. And it is also the name of an executable that is part of the NetSky worm. http://antivirus.about.com/cs/allabout/a/netskyd.htm

Get your facts straight before attempting to give advice would you, please. IT tech? Gawd... I hope you don't work at my bank or something.
 
You have a bit of a mouth on you for someone with only 2 posts.
But regardless of that factor, keep in mind I was only trying to provide some assistance, and just because I am not up to date on all virus and trojan risks online does not give you the right to insult my knowledge of I.T.
I more than welcome people enlightening me to knowledge I lack, but there was a far politer way you could have passed on that information.
If you work in a bank then I can imagine that keeping track of all risks is a high priority to you given the data stored by banks.
However I have as of yet not been required to fill a position where I was responsible for the network security of a company, thus I have not had to focus so heavily on such risks.
And given that I have received no complaints from any customers regarding my work for them, I am rather proud of my record.

So I thank you for your input but next time show some respect.
 
And the downside is you have to go online to patch up :(

If you've got a firewall on a CD somewhere, install it and then it should block any intrusion attempts, or let him connect from behind your PC using Internet Connection Sharing; that way he's at less risk of getting attacked while he's validating
 
I am also in IT, but which port is the exploit that I should kill?
135 and/or 445?

And what's a good program that just kills ports on XP (wish I was using Linux)
 
wassup said:
I am also in IT, but which port is the exploit that I should kill?
135 and/or 445?

And what's a good program that just kills ports on XP (wish I was using Linux)

Not sure enough to say anything about the first question, but will try with the second.

Well I am not in a position to check and be sure, but I THINK the one that comes with XP has the ability to block ports.
Not advising you use the XP one for anything other than a temp till you get a better firewall.
But I believe ones like ZoneAlarm offer port blocking, but this is purely guesswork till I could check, nor am I suggesting you use ZoneAlarm for the long term; I personally found it a tad of a disappointment after a while.
But apart from that my knowledge of other firewalls is a tad limited, but I am sure someone can provide you with detailed information on that.

I could easily be wrong but something in my mind is telling me there might be ways to close ports properly outside of a firewall system, but for the life of me I can't recall the specific information.

Btw I do hope that my advice has been at least of some help to you
 
carl_hewitt2000 said:
So I thank you for your input but next time show some respect.

Oh, come on. You told someone that at least two, and possibly three worms/trojans on his friend's system were harmless processes. Just because I only have two posts on this board does not mean I don't have a right to call you on that BS!

To tell someone that running processes are harmless, normal parts of Windows when, in fact, you did not know what they were is just foolish. And dangerous.

That is why I have so little patience for posts such as your previous post. Respect? How much respect did you show the original poster if he got a false sense of security from reading your words?
 
onearl said:
Oh, come on. You told someone that at least two, and possibly three worms/trojans on his friend's system were harmless processes. Just because I only have two posts on this board does not mean I don't have a right to call you on that BS!

To tell someone that running processes are harmless, normal parts of Windows when, in fact, you did not know what they were is just foolish. And dangerous.

That is why I have so little patience for posts such as your previous post. Respect? How much respect did you show the original poster if he got a false sense of security from reading your words?

BS is telling someone false information intentionally.

What I did was provide unintentionally inaccurate information based on what information I had at the time and what I could recall off the top of my head.

As for the original poster gaining a false sense of security, it would be unfortunate if he did because of inaccurate information, but part of why I posted in his thread rather than contacting him in a private message (which is what I would have preferred to do as I am not much of a public poster) is so that if my information was inaccurate then someone would be able to:

ONE: watch my back and correct me politely about the information, and
TWO: if I was wrong I would then be able to learn from the information provided by the people who corrected me and thus expand more on my own knowledge, as I learn best through experiences and asking questions.

Your input regarding my error has expanded my knowledge, thus it has benefited myself and anyone who has viewed these posts, and I consider that a good and healthy thing for everyone.

Anyway let's not turn this thread into an argument; let's just try to provide this guy with whatever help we can.
 
Not that this is a cat fight but I'm with onearl obviously.
Yeah, I did check the processes on the net before I posted,
and yeah, when I killed winlogon the machine did get FKed up but only slightly.


But the question stands: what port? What exploit? And what's the easiest way to stop it? Because the kids out there need to know (I can always format but they can't!!)
 
wassup said:
Not that this is a cat fight but I'm with onearl obviously.
Yeah, I did check the processes on the net before I posted,
and yeah, when I killed winlogon the machine did get FKed up but only slightly.


But the question stands: what port? What exploit? And what's the easiest way to stop it? Because the kids out there need to know (I can always format but they can't!!)
Yeah, but to tell 'em they need to go on the net and find out (unless it's in a mag, but who buys those these days ;))
 
wassup said:
But the question stands: what port? What exploit? And what's the easiest way to stop it? Because the kids out there need to know (I can always format but they can't!!)

You're right. You still haven't gotten an answer to your question! As to the question of what port: I would suggest that you rearrange the question. Instead of asking "What should I block?" your life will be much easier if you ask "What should I allow?" IOW, block everything and allow only what you need. A hardware firewall that does stateful packet inspection is the best thing for that, IMO. Google "stateful packet inspection" to learn why it's a good thing. :)

You can also get "personal firewall" software that runs under Windows and blocks ports, as well as serving as an "application gate" which only allows known, approved apps to connect to the Internet. The "Windows Firewall" in XP SP2 does this, but is pretty limited as far as configuring rules. (Better than nothing, by a long shot, though.) As for me, I use Kerio Personal Firewall when I must run Windows. Not the newer versions... they're trying to evolve into some sort of firewall/pop-up-killer/adware-watcher suite, and the last I saw it, I ran away screaming. Fortunately, the 2.1.5 version of their personal firewall is still lean, mean, and still freely available from: http://download.kerio.com/dwn/kpf/kerio-pf-2.1.5-en-win.exe (Just be sure, if you use it, to turn off the option to "animate traffic on systray icon". It can interfere with graphically intensive things like games, causing a brief "hitch" once per second... not good.)

And if your friend doesn't have antivirus... he needs to get some. There's AVG, which has a somewhat limited free version (can you tell I'm a cheapskate?) http://www.grisoft.com/us/us_index.php It does background scanning, and has a decent rep.

Hope there's something you can use in all that rambling.

ciao,
Jonathan
 
"Wassup"-

Since winlogon.exe IS a vital process in Windows XP (and other NT systems), you should check where it's running from before ending it. (Run a search for it on your hard drive or use MSConfig.exe)

"Note: The winlogon.exe file is located in the c:\windows\System32 folder. In other cases, winlogon.exe is a virus, spyware, trojan or worm! Check this with Security Task Manager."

More Info:

http://www.liutilities.com/products/wintaskspro/processlibrary/winlogon/
http://www.neuber.com/taskmanager/process/winlogon.exe.html

I highly recommend against ending any system process unless you know exactly what it is and what it does. You could possibly cause irreparable harm to your computer by ending the wrong thing.

http://www.liutilities.com/products/wintaskspro/processlibrary/
has descriptions of most processes and can help you decide if they're necessary.
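The check the post above recommends, as an added example that is not part of the thread or of any poster's tools: a small Python script that reads a Name,ExecutablePath,ProcessId listing and flags any process carrying a Windows system name (winlogon.exe, svchost.exe, ...) that is not running from the directory Windows installs it in, plus anything running from the user's temp or application-data folders. The listing it reads is constructed for the example; the wmic command mentioned in the docstring is one way to produce a listing of that shape on XP, but the exact column set it emits is an assumption, which is why the parser keys on header names rather than column positions.

```python
"""Verify that processes carrying Windows system names run from the directory
Windows installs them in.  Added example for this thread, not code from any
poster; the listing below is constructed, not captured from a real machine.

Expected input: CSV with the columns Name,ExecutablePath,ProcessId.  On XP a
listing of that shape can be exported with
    wmic process get Name,ExecutablePath,ProcessId /format:csv
(assumption: that output also carries extra columns such as Node, so the
parser keys on header names, not on column position).
"""
import csv
import io
import ntpath

# Where XP installs each well-known system binary (directory names are
# compared case-insensitively, as NTFS does).
EXPECTED_DIR = {
    "winlogon.exe": r"C:\WINDOWS\system32",
    "csrss.exe":    r"C:\WINDOWS\system32",
    "lsass.exe":    r"C:\WINDOWS\system32",
    "services.exe": r"C:\WINDOWS\system32",
    "svchost.exe":  r"C:\WINDOWS\system32",
    "explorer.exe": r"C:\WINDOWS",
}

# Path fragments where a persistent background process has no business living
# (the XP user-profile temp and application-data folders).
SUSPICIOUS_FRAGMENTS = ("\\local settings\\temp\\", "\\application data\\", "\\temp\\")

# Constructed sample listing: one genuine winlogon, one impostor with the same
# name outside system32, and the thread's yahoo.exe running from a temp folder.
SAMPLE_LISTING = """\
Name,ExecutablePath,ProcessId
System,,4
winlogon.exe,C:\\WINDOWS\\system32\\winlogon.exe,612
svchost.exe,C:\\WINDOWS\\system32\\svchost.exe,900
winlogon.exe,C:\\WINDOWS\\winlogon.exe,1904
yahoo.exe,C:\\Documents and Settings\\hl2fan\\Local Settings\\Temp\\yahoo.exe,2044
Steam.exe,C:\\Program Files\\Valve\\Steam\\Steam.exe,1540
"""


def classify(name, path):
    """Return a verdict for one process: 'ok', 'impostor', 'suspicious-location',
    'no-path' or 'unknown'."""
    lname = name.lower()
    if not path:
        # Kernel-side processes such as System (PID 4) report no image path.
        return "no-path"
    lpath = path.lower()
    if lname in EXPECTED_DIR:
        expected = EXPECTED_DIR[lname].lower()
        # A system name running from anywhere else is the classic impostor
        # pattern: the file name is chosen to blend into Task Manager.
        return "ok" if ntpath.dirname(lpath) == expected else "impostor"
    if any(frag in lpath for frag in SUSPICIOUS_FRAGMENTS):
        return "suspicious-location"
    return "unknown"


def audit(listing_csv):
    """Parse the CSV listing and return [(pid, name, path, verdict), ...] for
    every process whose verdict is not 'ok', in listing order."""
    findings = []
    for row in csv.DictReader(io.StringIO(listing_csv)):
        pid = int(row["ProcessId"])
        name = row["Name"].strip()
        path = row["ExecutablePath"].strip()
        verdict = classify(name, path)
        if verdict != "ok":
            findings.append((pid, name, path, verdict))
    return findings


if __name__ == "__main__":
    for pid, name, path, verdict in audit(SAMPLE_LISTING):
        print(f"PID {pid:>5}  {verdict:<20} {name}  {path or '(no path reported)'}")
```

On the sample, the second winlogon.exe (running from C:\WINDOWS rather than system32) is reported as an impostor while the genuine one is silent, which is exactly the distinction the post above says to make before reaching for End Process. Anything with an unknown name is only listed, not condemned: the verdict for those still has to come from the process libraries linked above.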
 
Well here is the answer ;0)

There are exploits for both 135 & 445 and also worms that are able to exploit both (without any user interaction).

I have started to use Kerio and it is good; it only requires moderate port and software understanding (good for kids).

I have attached a picture of the rule that I used to block 135, and I created an identical rule to block 445.

Apart from that all you have to do is allow IE and Steam.

Why does my ISP want to connect to 445 (I'm still on the net)? What is the legitimate use of 445? I'll look it up later if I get no answer.

So I believe my box will be relatively safe; what other default XP ports need to be blocked?
 
wassup said:
There are exploits for both 135 & 445 and also worms that are able to exploit both (without any user interaction).
I have started to use Kerio and it is good, only requires moderate port and software understanding (good for kids).
I have attached a picture for the rule that i used to block 135 and i created an identical rule to block 445
I don't think you need to set those rules specifically. Just make sure you have selected either "ask me first" or "deny unknown" on the "Firewall" tab of the configuration dialog. (Right click the systray icon... administer.) Then click the "advanced" button, on that same page, and the "Microsoft Networking" tab on the resulting dialog. Depending on whether or not you have a LAN, it should be obvious what to do here. :) Then go to Sygate's portscanning service and see what you get. Do make sure the IP address that page reports is actually you, though.
wassup said:
Why does my ISP want to connect to 445 (i'm still on the net) what is the legitimate use of 445? - i'll look it up later if i get no answer.
That's Microsoft-DS... it's part of Windows Networking, though what it does, exactly, I couldn't say. If you don't have a LAN, I think you should be safe blocking all connections to this port. Why your ISP would want to connect to your box on that port is a mystery to me. You sure it's not another customer on your ISP's service? That's a popular port for attack via trojan, etc. (And don't be too quick to blame the user on the other end. He's probably infected with a trojan or some such.)
wassup said:
So I believe my box will be relatively safe; what other default XP ports need to be blocked?
If you did the quick scan at the Sygate link above, and everything came back "blocked", I would think you'd be good to go. You can still do the other scans on that page, if you're unsure.

HTH,
Jonathan
 
wassup, I'm going to answer your questions as specifically as I can:

Firstly, yes, the most common exploits are on port 445 of an *unpatched* Windows system. There are others but this one seems to be very common.

The reason why this happens is that by default Windows is installed with a host of 'services' or programs running that open ports to the internet. In essence they are acting as servers on the net. The good news is that (to answer the question in your last post) the service that opens port 445 is basically useless. In fact all the services that run open ports on a default Windows install are useless and can be shut down. This page:

http://www.ntsvcfg.de/ntsvcfg_eng.html

will tell you more information about shutting down the useless services. Basically this happened because Microsoft are total retards, and leave everything *on* by default, even though for most services, if you don't know what it is, you don't need it. I just ran the little program that shuts off all the services. In the prog I chose 'hardened' or whatever the highest level is. Everything I need to do works fine.

If your computer is patched up to date then you *shouldn't* get hacked anyway, but once you shut off the services then you'll notice in your firewall that the troublesome ports, ie, 139 and 445, are no longer 'open'.

(There are also some common exploits through IE, which is why you should make sure that's updated too.)

So running a Windows system *patched up to date* and with all the default services switched off is pretty safe, even without a firewall, because the exploit software is randomly looking for unpatched systems; that's why systems are compromised so quickly.

Unfortunately most people have other programs running that open ports, ie, IM progs, Steam, IRC, Kazaa.... so there's a potential that someone can hack you through an open port of a third-party prog. That's part of the reason why I don't like Steam, because it leaves an open port.

I still use a firewall anyway because I'm paranoid. Most firewalls are basically useless if someone really wants to hack you. If you are compromised, someone will hijack a thread, ie, make the exploit look like another harmless program. At this point the problem is with *data going out*, ie, keyloggers or other monitoring programs, the purpose of which is to steal your personal information like credit card numbers or, um, your Half-Life 2 key. While most firewalls do an okay job of filtering incoming packets, they do a really crappy job of filtering outgoing packets.

I happen to use Tiny firewall because it has thread protection and an IDS and it's very secure. Kerio in my experience doesn't have as good security, but for normal net surfing and such it's fine, and easier to configure. Also I like Outpost firewall. The security is okay and it's *very easy to configure*.

That's another issue with firewalls: configuring them properly. You want to configure a firewall with only the access a particular prog actually needs, rather than just clicking 'trust' and giving every prog full access to the internet. That's why I like Outpost firewall, because it has presets for tons of major programs, and is very easy to configure properly.


Hope that helps!!
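As an added example (not from any poster in this thread), here is how the two questions left open above, "why is something connecting to my 445" and "are 139 and 445 still open after switching the services off", can be answered from `netstat -ano` without a third-party tool. The Python below parses the netstat layout XP prints, lists every listener on 135/139/445 that is bound to a network-reachable address, and separately lists inbound sockets on those ports that are past the LISTENING state. The netstat text is constructed for the example, with documentation-range addresses standing in for the remote peers.

```python
"""Parse `netstat -ano` output and report who is listening on the RPC/SMB
ports this thread is about, plus any inbound connection attempts to them.
Added example for this thread, not code from any poster; the netstat text
below is constructed in the column layout XP's netstat prints, with
documentation-range addresses standing in for real peers.
"""
import re
from collections import namedtuple

Socket = namedtuple("Socket", "proto local_ip local_port foreign state pid")

# Ports named in the thread: RPC endpoint mapper (135), NetBIOS session (139)
# and SMB over TCP, a.k.a. microsoft-ds (445).
WORM_PORTS = {135, 139, 445}

# TCP rows carry a State column; UDP rows do not, hence the optional group.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")

# Constructed sample: the usual XP listeners, one loopback-only port, a Steam
# session, and an outside host mid-handshake on 445.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1100
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1034       203.0.113.7:27030      ESTABLISHED     1540
  TCP    192.168.1.5:445        198.51.100.23:3812     SYN_RECEIVED    4
  UDP    0.0.0.0:445            *:*                                    4
"""


def parse_netstat(text):
    """Return one Socket per TCP/UDP row; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, ip, port, foreign, state, pid = m.groups()
        sockets.append(Socket(proto, ip, int(port), foreign, state or "", int(pid)))
    return sockets


def is_loopback(ip):
    """Sockets bound only to loopback are not reachable from the network."""
    return ip.startswith("127.") or ip == "::1"


def exposed_listeners(sockets):
    """(proto, port, pid) for every listener on a WORM_PORTS port that is bound
    to a non-loopback address, i.e. reachable from the network."""
    return [
        (s.proto, s.local_port, s.pid)
        for s in sockets
        if s.local_port in WORM_PORTS
        and not is_loopback(s.local_ip)
        and (s.proto == "UDP" or s.state == "LISTENING")
    ]


def inbound_attempts(sockets):
    """(proto, port, peer, state) for TCP sockets on a WORM_PORTS port that are
    not plain listeners: somebody out there has reached the port."""
    return [
        (s.proto, s.local_port, s.foreign, s.state)
        for s in sockets
        if s.proto == "TCP" and s.local_port in WORM_PORTS and s.state != "LISTENING"
    ]


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for proto, port, pid in exposed_listeners(socks):
        # PID 4 is the System process: on XP the SMB listeners on 445/139 are
        # owned by it, so "End Process" is not an option for closing them.
        print(f"exposed  {proto}/{port:<5} owned by PID {pid}")
    for proto, port, peer, state in inbound_attempts(socks):
        print(f"inbound  {proto}/{port:<5} from {peer} ({state})")
```

PID 4 is the System process, so the 445 and 139 listeners the sample attributes to it cannot be killed from Task Manager; the port has to be closed by reconfiguring Windows networking (the service-hardening approach in the post above) or blocked at the firewall, and re-running the parser afterwards is the check that it worked. A SYN_RECEIVED or ESTABLISHED row on 445 from an outside address, like the 198.51.100.23 row here, is precisely the inbound contact the earlier question about "my ISP connecting to 445" was seeing.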
 