
Hello Again

23/08/2012

Yes, I am still alive and still both fiddling and geeking.

It’s been a while since my last post, in part because someone very
close to me died and it kind of threw everything out of kilter for a
while, and in part because I’ve been damn busy fiddling and installing Linux.

For those who might care, I have had a problem with a real, living
and breathing hacker for the last eight months or more. Chinese in
origin (more specific than that I can’t say, but they do seem to install
both traditional and simplified Chinese locale stuff whenever possible).
In part he, she or they have been making use of my TV adapter cards to
watch, record and download TV. Highly, highly skilled, and I have to say
that other than a few slip-ups, most people would never even know they were
hacking. It was only when they started downgrading Windows Explorer and
compiling their own Python code, and then ultimately when they
repartitioned my hard drive, that I finally realised what was going on.

After literally months and months of trying in vain to thwart their
attacks I’ve more or less given up now. Nothing I have tried has stopped
them. I’m already behind 3 firewalls and my ISP runs me on a non-static
IP address. I’ve rebuilt Windows and Linux so many, many times
these past few months, and wasted thousands of hours trawling through logs and
then tutorials on hardening and security. It’s all for nothing really.

I discovered that Windows is just staggeringly insecure; Windows 7’s
default firewall settings are so lax that they might as well not bother
having one.

By default it’s set to:
Incoming connection of unknown origin -> Deny (as you’d expect and hope)
Outgoing -> Allow (which isn’t that unreasonable at first glance)

Looking deeper, you quickly find that the default rules actually
allow incoming IPv4 and IPv6 traffic, DHCP, DNS and HTTP from any
source. When Windows asks you if you want to let this or that
application through your firewall, you naturally answer yes, because
otherwise Firefox, Chrome, Opera, etc. don’t work. In doing that you
create two incoming rules that say more or less “allow any TCP or UDP
traffic to come in”.

Why didn’t Microsoft include some kind of configurability in their
firewall, so that when apps request access they could tell the firewall:
“I’m an app, I’d like access going out on this/these TCP/UDP ports
and incoming access via this/these” (and only those), rather than the
blanket “allow access please” to anything and everything?

That aside, as I’ve discovered, with a good hacker you might as well
not bother wasting your time trying to configure your firewall, because
Windows allows anyone who gets onto your router, or inside your network,
the ability to turn your firewall off and on at will. In fact, thanks to
the magic of Windows Remote Management and Windows Management
Instrumentation, any hacker can tell your computer to turn on or off any
system they please.

For months I would notice that my event logs would log the firewall
going off and then a minute later coming back up, and Windows profiles
similarly going down and then back up again. It looks totally normal until I
occasionally came across an error in the WMI scripts they were clearly
running. I didn’t notice what they were at first; I just thought they were
errors from the OS. But it’s him, them, working his very clever magic.

Latterly I made sure all non-essential services were off, disabled in
the Services control panel. Yet I was still finding in the event logs
entries for Terminal Services: errors about being unable to start, or
more commonly about Terminal Services shutting down, even though it
was disabled as a service.
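The firewall and service events described in the last two paragraphs are exactly the kind of thing a scripted log check picks up. The following is an added example, not from the original post: a PowerShell 2.0 script for Windows 7 that pulls the relevant Service Control Manager and firewall events from the last week and flags the ones logged between midnight and 06:00. The event IDs, log names and service display names are standard Windows ones; the seven-day window and the night-time cutoff are my choices.

```powershell
# Added example, not from the original post. Windows 7 / PowerShell 2.0, run
# from an elevated prompt. Pulls the events that correspond to the symptoms
# described in the post: the firewall, Remote Desktop, WinRM or WMI service
# being stopped/started or having its start type changed, and changes to the
# firewall's own configuration. The seven-day window and the 00:00-06:00
# "NIGHT" flag are my choices, not anything from the post.

$since = (Get-Date).AddDays(-7)

# Service Control Manager events in the System log:
#   7036 = "The X service entered the running/stopped state"
#   7040 = "The start type of the X service was changed from A to B"
#   7045 = "A service was installed in the system"
$scm = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7036, 7040, 7045
    StartTime    = $since
} -ErrorAction SilentlyContinue

# Display names as they appear in the 7036/7040 message text. Windows 7 calls
# TermService "Remote Desktop Services"; XP-era logs say "Terminal Services".
$services = 'Windows Firewall|Base Filtering Engine|Remote Desktop Services|' +
            'Terminal Services|Windows Remote Management|Windows Management Instrumentation'

$scmHits = $scm | Where-Object { $_.Id -eq 7045 -or $_.Message -match $services }

# Windows Firewall's own operational log:
#   2003 = a firewall setting changed   2004 = rule added
#   2005 = rule modified                2006 = rule deleted
$fwHits = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    Id        = 2003, 2004, 2005, 2006
    StartTime = $since
} -ErrorAction SilentlyContinue

$events = @($scmHits) + @($fwHits) |
    Where-Object { $_ -ne $null } |
    Sort-Object TimeCreated

# One line per event, first line of the message only. Events between
# midnight and 06:00 local time get a NIGHT marker, matching the timing
# pattern the post reports.
foreach ($e in $events) {
    $flag = if ($e.TimeCreated.Hour -lt 6) { 'NIGHT' } else { '     ' }
    $firstLine = ($e.Message -split "`r?`n")[0]
    '{0} {1} {2,-5} {3}' -f $flag, $e.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss'), $e.Id, $firstLine
}
```

Save it as a .ps1 and run it from an elevated PowerShell prompt (Set-ExecutionPolicy RemoteSigned first if scripts are blocked). A 7040 event for Remote Desktop Services going from "disabled" to "demand start" on a box where you disabled it yourself is the single most useful line it can print; a 2003 firewall-setting change at 3am with no 2004/2005 rule change is the "firewall off, then on again" pattern from the paragraph above.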

I won’t go into details, but I’ve recently learnt how, in part at
least, this is done. It wasn’t a hacking tool I downloaded; it was
actually one of the network tools I had installed on my USB stick as a
portable app that first showed me how simple it was. It scans my network
for computers and then gives me a list of options, one of which lists
services that I can remotely stop and start. Hey ho, wouldn’t you know,
despite being disabled I could turn on Remote Desktop (RDP) services
and then connect. With a bit more learning, I could even connect
concurrently WITHOUT HACKING Remote Desktop to allow remote concurrent
connections (the trick is to log into the other computer and
masquerade as “network services”).

Windows Remote Management allows full and unrestricted access to the
Windows shell. It’s naturally off by default, but once you know how to
remotely start and stop services it takes 2 seconds to turn it on and
remotely log into another computer’s command prompt.
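One added configuration example (mine, not the post author’s) that covers both the firewall point above (a browser needs no inbound rule at all, and the rules the prompt creates have no port restriction) and the remote service control, WMI and WinRM channels just described. It is written for an elevated PowerShell prompt on Windows 7 and drives netsh, because the NetSecurity cmdlets only arrived with Windows 8. The Firefox and MyPVR paths, the rule name and port 6544 are placeholders; the rule group names are the stock ones Windows ships with.

```powershell
# Added example, not from the original post. Windows 7, elevated prompt.
# Uses netsh because the NetSecurity cmdlets only exist from Windows 8 on.
# Paths, rule names and port 6544 are placeholders; rule group names are the
# stock ones Windows ships with.

# 1. What the "allow this app through the firewall" prompt created: one TCP
#    and one UDP inbound rule per program, LocalPort: Any, RemoteIP: Any.
netsh advfirewall firewall show rule name=all dir=in |
    Select-String -Pattern '^(Rule Name|Enabled|Program|Protocol|LocalPort|RemoteIP):'

# 2. A browser only makes outbound connections; its inbound rules can go.
#    name=all with a program path deletes every inbound rule for that binary.
netsh advfirewall firewall delete rule name=all dir=in `
    program="C:\Program Files\Mozilla Firefox\firefox.exe"

# 3. Close the remote administration channels described above: remote
#    service control (SCM over RPC/SMB), WMI, WinRM and Remote Desktop.
foreach ($group in 'Remote Service Management',
                   'Windows Management Instrumentation (WMI)',
                   'Windows Remote Management',
                   'Remote Desktop',
                   'File and Printer Sharing') {
    netsh advfirewall firewall set rule group="$group" new enable=no
}

# 4. For the one program that genuinely needs inbound traffic, scope the rule
#    to its port and to the local subnet instead of the blanket rule the
#    prompt would create.
netsh advfirewall firewall delete rule name=all dir=in `
    program="C:\Program Files\MyPVR\mypvr.exe"
netsh advfirewall firewall add rule name="MyPVR (LAN, TCP 6544 only)" dir=in `
    action=allow program="C:\Program Files\MyPVR\mypvr.exe" `
    protocol=TCP localport=6544 remoteip=LocalSubnet profile=private

# 5. Inbound stays default-deny on every profile. Use blockinboundalways
#    instead of blockinbound to ignore even the allowed-program list.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 6. A remote logon with a local (non-built-in) administrator account only
#    gets a full admin token over the network if LocalAccountTokenFilterPolicy
#    is 1. Make sure it is not.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$value = (Get-ItemProperty -Path $policy -Name LocalAccountTokenFilterPolicy `
             -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
if ($value -eq 1) {
    Set-ItemProperty -Path $policy -Name LocalAccountTokenFilterPolicy -Value 0
}

# 7. Verify: profile state, and that nothing is listening for WinRM.
netsh advfirewall show allprofiles
winrm enumerate winrm/config/listener
```

Two things to know before running it. Disabling the "File and Printer Sharing" group blocks SMB (port 445), which is also the transport for remote service control, so it closes the "start the disabled service remotely" trick but also stops LAN file sharing to and from that PC; leave it enabled and restrict it to remoteip=LocalSubnet if you need shares. And none of this helps once someone holds an administrator password for the box: the firewall is a filter on who can reach the management interfaces, not a substitute for the credentials that control them, which is why the logon and service events in the previous example matter as much as the rules.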

Windows fucking PowerShell… the number of times I’ve come across
Windows PowerShell getting invoked to run something was driving me
fucking mad. I know PowerShell runs a few backend jobs in Windows 7, but
if you can get access to it on another computer, and know how to use
PowerShell, you can do whatever the hell you want with the operating
system thereafter. I am very unskilled in PowerShell myself, but I have
seen the evidence.

The hard drive partitioning. You’d think that would be really obvious
to any user, wouldn’t you? Now of course it is; it’s the first thing I
look for every time I boot the machine, but at first I didn’t
really notice. When you’re the only user of the PC, you don’t stop to
see if your hard drive space has suddenly dipped by 50 GB, nor do you
routinely check for the appearance of your system drive as a .vhd file.
But Windows gives you the facility to create a virtual hard drive on the
fly, even if you’re logged in (see the Sysinternals tools for more
details).
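An added example (not from the post) of the check the paragraph above says nobody does routinely: look for an attached virtual disk, for any .vhd file on a fixed drive, and for unallocated space that does not add up. Windows 7 / PowerShell 2.0, elevated; everything it queries is standard WMI, and the "Virtual" match in the disk model string is how a natively attached VHD presents itself (Windows reports it as "Msft Virtual Disk").

```powershell
# Added example, not from the original post. Windows 7 / PowerShell 2.0,
# elevated prompt. Looks for the symptoms of an unexpected VHD: a virtual
# disk attached to the system, .vhd files on fixed drives, and a gap between
# disk size and the partitions on it.

# 1. Physical vs virtual disks: a natively attached VHD appears as its own
#    disk whose model string identifies it as a Microsoft virtual disk.
$disks = Get-WmiObject Win32_DiskDrive
$disks |
    Select-Object Index, Model, InterfaceType, @{n='SizeGB'; e={[math]::Round($_.Size/1GB, 1)}} |
    Format-Table -AutoSize

$virtual = $disks | Where-Object { $_.Model -match 'Virtual' }
if ($virtual) { Write-Warning "Virtual disk attached: $($virtual.Model -join ', ')" }

# 2. Every .vhd on a fixed drive (DriveType 3), hidden files included,
#    newest first. Scanning a whole drive takes a few minutes.
$fixed = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3'
$vhds = foreach ($d in $fixed) {
    Get-ChildItem -Path "$($d.DeviceID)\" -Filter *.vhd -Recurse -Force -ErrorAction SilentlyContinue
}
$vhds | Sort-Object LastWriteTime -Descending |
    Select-Object FullName, @{n='SizeGB'; e={[math]::Round($_.Length/1GB, 1)}}, CreationTime, LastWriteTime |
    Format-Table -AutoSize

# 3. Partition accounting per disk. A large unallocated gap after the drive
#    was repartitioned is the cue to open Disk Management and look.
foreach ($disk in $disks) {
    $parts = Get-WmiObject Win32_DiskPartition -Filter "DiskIndex=$($disk.Index)"
    $used  = ($parts | Measure-Object Size -Sum).Sum
    '{0,-40} disk {1,7} GB  partitions {2,7} GB  unallocated {3,7} GB' -f `
        $disk.Model,
        [math]::Round($disk.Size/1GB, 1),
        [math]::Round($used/1GB, 1),
        [math]::Round(($disk.Size - $used)/1GB, 1)
}
```

A few hundred megabytes of "unallocated" space on a normal disk is expected (alignment and the reserved system area); tens of gigabytes is not. Run it once on a clean install and keep the output: the value of the check is in the comparison, not in any single run.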

There was even one night (it’s nearly always after midnight GMT that
this happens, most of it after 3am GMT) when I even managed to capture some
logs of my Chinese hacker as he played Solitaire on my fucking PC! I was
trying my best to detect his presence and had been monitoring the
alternate streams of files as well as the strings that were stored
within the memory of the operating system. Bear in mind here that
during this particular evening, the machine was doing nothing other than
scanning the network and monitoring the OS, an OS that should in
effect have been dormant, doing nothing. But up pop some alternate streams
showing Solitaire coming active, showing scoring, showing a game ending
and restarting… all whilst I’m sitting in front of it watching nothing
but the illusion of a default desktop.

I’ve got a cracking log from one evening’s Wiresharking as well,
showing regular traffic from about 10pm dying down at midnight as I got
ready to snoop on my visitor. Around 1am Wireshark starts seeing lots of
ACK packets on the network (acknowledgement packets). An average ACK
packet is tiny, measured in bytes, but within a few minutes these
ACK packets get bigger: 5k, 10k, 50k in size. Then connections start
appearing from my machine going out via DNS, out via HTTPS. At the same
time, on my network one of my other computers appears. “Hello,” I
thought, glancing down at the laptop that was supposed to be online and
seeing that it was well and truly powered off (the battery had died and
I hadn’t plugged it back in). Being a machine on my own internal
network, a computer that my desktop knew and trusted, they started
talking to each other, just as they would in any network, and of course
inside your firewall the computers on your local network are generally
speaking “trusted”.

Linux… well, after 8 months of intense and enforced learning, I’ve realised
that it can be more secure, but it is still open to attack. Just last week
I was reading about two new vulnerabilities that had been discovered
in a couple of files, with Red Hat warning to be aware that there was
currently no patch for one of them and to make sure that the file was
either locked to all users or removed from its default location,
further detailing how to see if the file might have been used to
compromise a system. 20 seconds of Konsole action later I discovered that
this file is on my system; furthermore this file is newer than all the
rest in the same folder, has different permissions from all the rest,
and unlike the hundreds of its fellow files in that folder, was created and
last accessed just a day beforehand.

All my Linux machines are somewhat hardened. None of them run SSH
(the façade of security for SSH is just a joke; my Chinese hacker can
somehow present a certificate to SSH that allows him to log in without
so much as a twitch from the operating system).

The only thing that Linux does do is make things harder for him.
Harder because Linux networking is just terrible. I now have 5 computers
in my house running Linux, all connected to the internet through my
proxy which in turn connects to my router. All of them are online in the
same workgroup and not one of them can see the others on the network.
They could all see my Windows machines when they were there, but not
each other. No matter what I have tried in Linux they just don’t want
to talk to each other at all (I’ve even turned off the firewalls just in
case they were blocking things). All the Samba settings are the same,
the NFS settings match on all machines, but nothing.

The other benefit to stopping him: Windows records TV, and there is a
plethora of quality PVR-based solutions for recording broadcast
television. Linux… Linux has three options as far as I can see, and not a
single one of those options works with any of my recording cards
(despite them all allegedly being supported).
Believe me when I tell you that I have tried and tried and tried and
tried. Freevo, Myth, VDR, XBMC PVR, Mythbuntu, XBMCbuntu, FDR, LinHES,
OpenELEC… you name it, I’ve tried it and not a sodding thing works.

However, this has led me to question one important thing. The ONLY
thing that is always installed when I reinstall Windows are the drivers
for my TV adapter. The thing my Chinese hacker is interested in stealing
is… television recorded from my TV adapters. My TV adapters are…
you guessed it… Chinese. And they are always connected to my Windows
machines inside my network, inside my 3 firewalls. Other than my ATI
graphics card drivers and my wifi drivers, they are the ONLY thing that is
consistently installed each time. Even Windows itself has varied from
OEM recovery partitions (32-bit), to an MSDN 64-bit Home edition, to a
torrented 32-bit Ultimate edition, to a legitimate 64-bit retail DVD. I’ve
tried installing no software other than doing Windows updates, and
installing shedloads of software, and it makes no difference.

This hacker can find me wherever I am in the IP address “soup”, can
seemingly appear through my two firewalls, masquerade on my network if
he wishes and remotely access any of my Windows machines with impunity,
regardless of Windows firewalls or third-party firewalls. They never
appear on malware or antivirus scans because they never install their own
binaries (although they have installed some: I saw that they had
compiled various binaries from source (Python and C++)).

When you’ve eliminated all the possibilities, the one that remains is
likely to be true, and all that remains is this one notion: that I have
nothing of value worth stealing on my systems, nothing at all. They come
to record and steal television, they’re Chinese, and my TV adapters use
Chinese-manufactured hardware and Chinese-made Windows drivers. Could
it really be that these drivers or the firmware itself contains some
kind of back door?

The tv cards I have are `__.

I would be VERY, VERY interested to hear from anyone who might also
have either of these cards and be suffering from little Chinese
visitors.

 

Addendum. Whilst looking at my router stats last night I noticed this little anomaly:

My router is set to restrict access not just by password but also by MAC address. This PC managed to bypass both and join my internal network. Looking up the MAC address and who it belongs to (assuming it’s not spoofed), it was made in Taiwan. Oddly, in the same city as my KWorld TV adapter. (OK, everything is made in China, either this China, the “democracy”, or the big communist one, but still, it seems a strange coincidence, don’t you think? Of all the cities in either China it could have come from, it was made just down the road (literally, according to Google Maps) from the KWorld dual TV adapter I own!)
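The two sightings of an unexpected machine on the LAN (the “laptop” that showed up in the Wireshark capture while the real one was powered off, and the PC in the router’s client list above) come down to the same check: enumerate who is actually on the segment and compare with a list of devices you own. The script below is an added example, not from the post, for PowerShell 2.0 on Windows 7. The MAC addresses in $known and the 192.168.1.0/24 subnet are placeholders for your own values. One caveat worth stating plainly: a MAC filter on a router only stops devices that do not copy a permitted address, and a permitted address can be read off the air by anyone within wireless range, so treat the filter as inventory, not authentication.

```powershell
# Added example, not from the original post. Windows 7 / PowerShell 2.0.
# Lists every device answering on the local segment and compares it with a
# hand-maintained inventory of your own hardware. $known and $subnet are
# placeholders: fill in your own MACs (ipconfig /all on each device) and
# your LAN prefix.

$subnet = '192.168.1'
$known  = @{
    '00-11-22-33-44-55' = 'desktop (this PC)'
    '00-11-22-33-44-66' = 'laptop'
    '00-11-22-33-44-77' = 'router'
}

# Populate the ARP cache: one ping per address forces an ARP request, and a
# host that answers ARP lands in the cache even if it drops the ICMP echo.
1..254 | ForEach-Object { ping -n 1 -w 100 "$subnet.$_" | Out-Null }

function Get-LanNeighbour {
    # Parse "arp -a" lines of the form "  192.168.1.10   00-11-22-33-44-66   dynamic"
    arp -a | ForEach-Object {
        if ($_ -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)') {
            New-Object PSObject -Property @{
                IP   = $matches[1]
                MAC  = $matches[2].ToUpper()
                Type = $matches[3]
            }
        }
    }
}

# Broadcast and IPv4 multicast entries are normal and are skipped.
$neighbours = Get-LanNeighbour | Where-Object { $_.MAC -notmatch '^(FF-FF-FF|01-00-5E)' }

foreach ($n in $neighbours) {
    # PowerShell hashtable keys compare case-insensitively, so upper-case
    # MACs from arp match the lower-case keys above.
    if ($known.ContainsKey($n.MAC)) {
        '{0,-16} {1}  known: {2}' -f $n.IP, $n.MAC, $known[$n.MAC]
    } else {
        Write-Warning ('{0,-16} {1}  UNKNOWN device on the LAN' -f $n.IP, $n.MAC)
    }
}
```

ARP only shows hosts on the same Ethernet segment as the PC running it, so on a network with a proxy in between (as described earlier in the post) run it on the machine behind the router, and cross-check against the router’s own client list, which also covers wireless clients the wired side never talks to. An UNKNOWN line with a MAC you do not recognise, or a known MAC that has moved to a different IP than the one your device holds, is the thing to chase.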

 

If anyone has any suggestions to stop him/her/them just waltzing past 3 firewalls and bypassing my MAC authentication and my only recently changed wifi password, please tell me. And as I know you read my emails and other blog posts: you, my hacker… can you just stop, please? It’s really, really getting me down and ruining my evenings and my enjoyment of technology.

 

Please just stop and leave me alone:

請只留下我獨自一人

请只留下我独自一人

 

(Google Translate)

Not my PC, not my naming convention, and it does not and should not have access to my network!


2 Comments
  1. Sidz Wolfenden permalink

    Really curious to hear if you got all this sorted out. It’s quite a tale, and I enjoyed reading it. Not that I hope there is more, but is there more?
    🙂

  2. No one of Consequence permalink

    Thanks for asking. No news is good news, and a new post has been added.
