Flar30n
Guest
This post is directed at Valve. I am not a security expert myself, and all of this information may be blatantly obvious to many people, but just trying to help however I can. Any/all responses welcome.
Hello, I am a member of the gaming community who has seen your posts and hopefully can help some with ways to patch/fix/learn how they got into your machines.
After seeing some of your posts (http://www.shacknews.com/onearticle.x/28641) regarding what tools were found on your machines used by hackers, they seem very common to me. One of my good friends is a security systems analyst consultant for large companies, and he frequently discusses seeing similar tool packs used by warez kiddie hackers. Typically they will use some public domain exploit to get in and use tools very similar, if not identical, to the ones that you have found on your machines.
If you want some examples of this, just go onto any major IRC network (for example, EFNET, irc.efnet.org) and do a /list to see all the big channels. Almost all of them are the major XDCC channels that use hacked IRC bots to distribute copyrighted software. It should be strongly noted that I am not suggesting these groups that run these IRC channels had anything to do with it at all, and it is highly unlikely that they did, but I am using them as a common example of who typically hacks in a manner similar to one that you described in your posts/updates.
Once these groups hack your machine, my friend has found that typically they will dump the password hashes of your machine to a file (using tools such as pwdump2 or pwdump3 - also publicly available), and then use a tool such as LC4 (L0pht Crack 4, a tool used to brute force the Windows hashes to determine the machine passwords).
After this has been accomplished, and they have all the passwords from that single machine, they tend to proceed to attempt to use the username/password combinations that they have gained from your single machine to attempt to access other machines. This is easily doable with the Windows "net use" command - for example, doing "net use \\MACHINENAME\IPC$ /user:MACHINENAME\USERNAME PASSWORD" will allow them to use the IPC$ share of that machine. If that works, they typically can access the ADMIN$ share, and then any drive shares (C$, D$, E$, etc.) that are made by default with Windows (WinNT3, WinNT4, Win2K, WinXP, all service packs for all releases).
Once this has been accomplished, there is a large variety of tools that can be used by these hackers to execute programs on your machines (SERVICES.EXE, FIREDAEMON, ETC.). They will tend to start them up as SYSTEM by adding a service to the machine and then starting it, and this will grant them access. I suggest that you look for unidentifiable services, odd ports open, and other things along those lines. I would also suggest you check for FTP servers (a very common one used by the hackers that my security friend has had experience with is Serv-U FTP Daemon, due to the fact that it only needs its exe and ini file in order to run on the machine, and you can execute files with it).
Also, if you use a DOMAIN based Windows network, it's likely they gained access to your PDC/BDCs, so all passwords on those machines need to be changed, and again, they too should be formatted.
As to how they initially gained access, I can't help but wonder if it had something to do with the 2nd Microsoft RPC Vulnerability. The date that the vulnerability was released into the public domain is almost identical to the date that you claim to have been first compromised (9/11/03).
So, steps to secure current machines, prevent in the future:
#1) All passwords should be changed on all machines, and the machines should be completely formatted.
#2) Firewalls should block all non-necessary ports on all machines, particularly ones relating to NetBIOS since this is the most common form of attack used by hackers, especially since the new RPC bugs.
#3) All machines should be constantly patched to new holes.
#4) In addition to simply changing passwords on all machines, NO MACHINE SHOULD USE THE SAME PASSWORD AS ANY OTHER MACHINE.
#5) All passwords should be greater than 8 characters in length and include non-alpha-numerical characters such as (*@#&%/][{}\)(.
#6) Potentially eliminate the use of PDCs/BDCs altogether.
Ultimately, the only way to fully protect against this is to remove all of your development computers from any network connected at all to the internet. If this is not possible it is not possible, but really, it's the only way.
Anyway, that is my two cents about what likely happened, as it seems it was a kiddie hacker and that's typically a popular kiddie hacker way. I suggest that if your routers logged intra-LAN or even extra-LAN traffic, you look for "net use" commands. Also, any server running TermServ can be accessed with the login/passwd combinations, so you also may want to check TermServ logs if any were kept. Just trying to help, maybe you realized all of this already, maybe you didn't, but it's what I'd check for from what I've heard you say so far.
Good luck finding the bastards.
Sincerely,
Me
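The log check the post recommends (look for one account connecting to IPC$/ADMIN$/drive shares on many hosts in a short window, the "net use" lateral-movement pattern it describes), written up as an added example that is not part of the original post. The log line format, hostnames and account names are constructed for the example, not taken from any real log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one line per share connection.
# Assumed format: "<date> <time> src=<host> user=<DOMAIN\user> share=\\<target>\<share>"
SAMPLE_LOG = """\
2003-09-11 02:14:03 src=BUILD01 user=CORP\\svc_build share=\\\\DEV07\\IPC$
2003-09-11 02:14:09 src=BUILD01 user=CORP\\svc_build share=\\\\DEV07\\ADMIN$
2003-09-11 02:15:41 src=BUILD01 user=CORP\\svc_build share=\\\\DEV08\\IPC$
2003-09-11 02:16:02 src=BUILD01 user=CORP\\svc_build share=\\\\DEV09\\C$
2003-09-11 02:17:30 src=BUILD01 user=CORP\\svc_build share=\\\\PDC01\\IPC$
2003-09-11 09:00:00 src=WS12 user=CORP\\alice share=\\\\FILESRV\\public
2003-09-11 09:30:00 src=WS12 user=CORP\\alice share=\\\\FILESRV\\public
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"share=\\\\(?P<target>[^\\]+)\\(?P<share>\S+)$"
)
# Default administrative shares: IPC$, ADMIN$ and the per-drive C$, D$, ...
ADMIN_SHARES = re.compile(r"^(IPC\$|ADMIN\$|[A-Z]\$)$")


def parse(log):
    """Yield one dict per well-formed log line, with the timestamp parsed."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {**m.groupdict(),
                   "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")}


def find_fanout(log, window=timedelta(minutes=10), min_targets=3):
    """Return {account: [hosts]} for accounts that reached admin shares on
    at least min_targets distinct hosts within one sliding time window."""
    hits = defaultdict(list)
    for e in parse(log):
        if ADMIN_SHARES.match(e["share"]):
            hits[e["user"]].append((e["ts"], e["target"]))
    alerts = {}
    for user, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {t for ts, t in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                alerts[user] = sorted(targets)
                break
    return alerts
```

Ordinary file-share use (alice hitting one public share) is ignored; the service account touching admin shares on four hosts inside ten minutes is reported, along with the list of hosts that should be treated as suspect.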