The Unofficial Karoo User Forums
Author Topic: Hacked by Karoo  (Read 3943 times)
rob
« on: October 20, 2007, 02:51:22 pm »

I wonder if anyone else here has been hacked by them also.
A couple of months ago I was online at a very odd hour (about 4am).
My mouse cursor was acting strange and files and folders in my documents were spookily opening themselves. I am not too computer savvy but know enough to realise that I was witnessing a hacker.
I woke a friend who is very switched on to this stuff and he told me to do several things that I can't even remember now, but it included printing screen shots and going into registry entries and printing some complicated data stuff. I also printed some anonymous logon data (god knows how he got me there as it was 4am).
The next day I rang the Karoo techies as advised by my friend and read out all the technical mumbo-jumbo that I had gathered.
I was stunned by the techie's reply,
"Karoo has a third party monitoring company based in California that monitors traffic for us, by the data you just supplied and the terminal numbers you quoted that was them for sure SOMETIMES THEY GET A LITTLE OVER ZEALOUS"
He then gave me their address and the director's name (it was Japanese).
I took all the printed hard copies into Hull and dropped them on the desk of the customer services people. That was months ago and absolutely nothing has happened.
My friend came over and when he went into some mystical places on my PC all the log entries were now corrupted.
Be warned, Karoo does hack you! I'll never prove it in a court of law and as you can tell by my spelling and grammar I would be outgunned if I took them on.
Stay safe
Rob

Logged
Fastethernet
« Reply #1 on: October 20, 2007, 05:29:23 pm »

If someone were to hack your machine using some sort of remote exploit, it would be highly unlikely they would reveal their hack by taking control of your cursor; they could view and edit all the files on your PC remotely without you ever knowing. I would advise you to invest in a good software firewall (even if your router has a firewall already) and buy some anti-virus software also; NOD32 or Kaspersky are great. Always make sure your PC has all the latest updates from Microsoft.

I have visited KCOM offices and met the guys who monitor the internet pipe; they are on the lookout for illegal activity and all have to be police checked to the nth degree.
Logged
miken
« Reply #2 on: October 20, 2007, 05:52:18 pm »

Aren't Karoo saying that they use a company in California which can monitor their internet traffic to look for illegal traffic, such as someone trying to hack someone on the network?
Not that Karoo personally hacked your computer, or that the California-based company hacked your computer.

I think you have just misunderstood them. Also, why you would have services enabled which would allow remote people to connect to your computer is beyond me.

Regardless get a decent firewall and antivirus on there!
Logged
rob
« Reply #3 on: October 20, 2007, 09:03:12 pm »

The techie at Karoo made it perfectly clear by the information that I gave him that the console that hacked me was based in the Californian company that "monitors" traffic on their behalf, therefore they are an agent of Karoo and thus I was hacked by Karoo.
I am not stupid enough to have remote access enabled.
When I asked whose jurisdiction they were working under, i.e. British law? American law? they had no answer. I suspect that their silence and the fact that they readily supplied me with the company name and address is an admission of guilt.
04/05/2007   16:12:40   Security   Success Audit   Logon/Logoff    540   NT AUTHORITY\ANONYMOUS LOGON   YOUR-EVF1TFJ8B7   "Successful Network Logon:
    User Name:   
    Domain:      
    Logon ID:      (0x0,0x12ED5)
    Logon Type:   3
    Logon Process:   NtLmSsp
    Authentication Package:   NTLM
    Workstation Name:   
    Logon GUID:   {00000000-0000-0000-0000-000000000000}"

Event Type:   Success Audit
Event Source:   Security
Event Category:   Logon/Logoff
Event ID:   540
Date:      10/05/2007
Time:      00:01:13
User:      NT AUTHORITY\ANONYMOUS LOGON
Computer:   YOUR-EVF1TFJ8B7
Description:
Successful Network Logon:
    User Name:   
    Domain:      
    Logon ID:      (0x0,0x12B32)
    Logon Type:   3
    Logon Process:   NtLmSsp
    Authentication Package:   NTLM
    Workstation Name:   
    Logon GUID:   {00000000-0000-0000-0000-000000000000}


Logged
rob
« Reply #4 on: October 20, 2007, 09:15:23 pm »

I forgot to mention that I have good antivirus and a bullet proof firewall. I said that the mouse cursor was acting strangely; at no time was it taken control of, just lagging a bit to make me think that some intense activity was taking place.
The system was at idle at the time and the only thing happening was a live connection to Karoo.
Anti-trojan, anti-virus checks etc. showed no known attack.
Logged
stormy
« Reply #5 on: October 20, 2007, 10:33:30 pm »

Is this true? If it is then something is seriously amiss. I really cannot see this being legal. They can monitor traffic sure, but log onto your PC? Hmmm..
Logged
rob
« Reply #6 on: October 21, 2007, 01:26:47 am »

The reason for the hack was that I had downloaded a legit movie trailer from a BitTorrent site. In a letter sent to me they stated that Paramount studios had requested a "check" on me.
As stated earlier I don't expect anyone to believe me as I am outgunned both technically and intellectually and I have to be very careful not to put myself up as a sacrificial lamb to some bully boy slander law suit.
The fact remains they quoted some things that were on my hard drive.
Karoo hacked me
message ends.
Rob
Logged
Fastethernet
« Reply #7 on: October 21, 2007, 06:23:58 am »

I know MediaDefender have been involved in all sorts of dubious types of attacks on P2P networks and most recently was exposed for trying to set up honeypot web sites to entrap users. If the American studios are involved then behaviour of this type is not surprising given their lobbying to remove any fair use laws from the statute book. This user will definitely be more vigilant and I am sorry to hear about your troubles.

Just going back to the 'Hack': the event log details you have posted seem to suggest no user name was needed to access your PC. Does your PC require a user name and password to log in locally? You also mentioned in your first post 'files and folders in my documents were spookily opening themselves'; was this displayed on your screen?

I am not trying to have a dig at you here Rob, I just want to get to the bottom of this and ensure that if there is any way to avoid this attack then the users of this forum are privy to that information.
« Last Edit: October 21, 2007, 06:14:24 pm by Fastethernet » Logged
stormy
« Reply #8 on: October 21, 2007, 04:11:07 pm »

I didn't think Windows XP or Vista allowed someone to log in remotely regardless. Surely they have to be a user on the PC itself. I do not have a password set on my PC for my main user account (I do for the Logmein user for remote access).

I really do fail to see how I can just randomly connect to remote XP and Vista machines and just log in, without either a third party app like Logmein, Remote assistance being enabled, or the PC being infected with a trojan or back door.

I am going to look up event id 540.

Mike
Logged
stormy
« Reply #9 on: October 21, 2007, 04:24:28 pm »

See:

http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=625443&SiteID=17

The last post mentions changing the Group Policy Options. Not exactly sure where that is in XP though; Vista looks a little different.

Looks like it's gpedit.msc, although not sure how you set it up to reject anonymous logins?

Mike
« Last Edit: October 21, 2007, 04:26:38 pm by stormy » Logged
marko
Guest
« Reply #10 on: October 21, 2007, 07:10:38 pm »

Can anybody explain to the less technical minded of us in layman's terms how we check to see if this has happened to us? and also how we try to stop it either happening again or stop it happening in the first place.

I'm using Vista.

It's pretty worrying to think this can happen without a Trojan or anything like that.

Thanks.

marko...

Logged
rob
« Reply #11 on: October 21, 2007, 08:00:04 pm »

My PC does in fact need a user name to log on.
The activity was scary as when I tried to access My Documents I got something along the lines of "access denied this function is currently being used by another user", maybe not the exact words but that's how I recall it and that's what set the alarm bells ringing in my head.
Between the 2 anonymous logon dates I posted I decided on a scorched earth policy and did a destructive format on my PC just in case it was a root kit that I believe there is no defence against. As you can see that did no good at all.
What really burns me up is that my boy is currently at war at the sharp end of the combat and he mails me every time he goes out to risk his life to allow these scum bags to flex their freedom.
We now talk in code, i.e. "Dad I'm going downtown tonight will mail you after the gig"
That really is the pits for me.
Rob
Logged
dylan
« Reply #12 on: October 21, 2007, 08:06:56 pm »

Quote from: rob on October 20, 2007, 09:03:12 pm
The techie at Karoo made it perfectly clear by the information that I gave him that the console that hacked me was based in the Californian company that "monitors" traffic on their behalf, therefore they are an agent of Karoo and thus I was hacked by Karoo.
I am not stupid enough to have remote access enabled.
When I asked whose jurisdiction they were working under, i.e. British law? American law? they had no answer. I suspect that their silence and the fact that they readily supplied me with the company name and address is an admission of guilt.
04/05/2007   16:12:40   Security   Success Audit   Logon/Logoff    540   NT AUTHORITY\ANONYMOUS LOGON   YOUR-EVF1TFJ8B7   "Successful Network Logon:
    User Name:   
    Domain:      
    Logon ID:      (0x0,0x12ED5)
    Logon Type:   3
    Logon Process:   NtLmSsp
    Authentication Package:   NTLM
    Workstation Name:   
    Logon GUID:   {00000000-0000-0000-0000-000000000000}"

Event Type:   Success Audit
Event Source:   Security
Event Category:   Logon/Logoff
Event ID:   540
Date:      10/05/2007
Time:      00:01:13
User:      NT AUTHORITY\ANONYMOUS LOGON
Computer:   YOUR-EVF1TFJ8B7
Description:
Successful Network Logon:
    User Name:   
    Domain:      
    Logon ID:      (0x0,0x12B32)
    Logon Type:   3
    Logon Process:   NtLmSsp
    Authentication Package:   NTLM
    Workstation Name:   
    Logon GUID:   {00000000-0000-0000-0000-000000000000}


Going through this message bit by bit then:

Logon Type 3 = This is a Windows network logon event. It's the type of thing that would be logged if someone was trying to connect to a shared folder on a computer, for instance.

Authentication Package: NTLM = This is the NT LAN Manager. It'd be the authentication method used to connect to your computer.

Logon Process: NtLmSsp = Again, part of the authentication process.

User: NT AUTHORITY\ANONYMOUS LOGON = Well, this is a built-in user account. It has a few jobs, but amongst other things it's the account that's used when browsing a computer to find out what's on it.

Down to the bones of it then:

From the information that you have provided, this looks to be an attempt by someone to establish whether or not you have any shared folders which they can access. I can't really say any more than that. I can't say who it was, or if they saw anything..... It isn't related to your cursor moving about as this would happen in the background without you being aware.

It isn't a description of an RDP (remote desktop connection) attempt, as again, you wouldn't see anything happen (you'd simply be logged off from your session.)

I've got to be honest though, you cannot remain safe and secure on the Internet, using Windows (any version) unless you happen to be extremely skilled at managing a Windows desktop (or if you don't use the Internet I guess!).

If security is very important to you, I personally would suggest that you download and try Ubuntu. It's a drop in replacement for Windows which is built on Linux, and thus is very secure. It doesn't cost anything, and the sponsor of this forum 'lefty' does free tech support for it. (Oh, and I use it too!)

Cheers

Dylan

« Last Edit: October 21, 2007, 08:24:20 pm by Dylan » Logged

Karoo Pro 1 Customer
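
Added example, not part of any post in this thread: a Python triage of Event ID 540 records in the Event Viewer detail layout, applying the field meanings given in Reply #12. The sample records are constructed; the second record and its Source Network Address field are assumptions added for contrast and do not appear in the logs posted here.

```python
import re

# Constructed sample in Event Viewer detail layout. Record 1 mirrors the fields
# posted in this thread; record 2 is an invented authenticated logon for contrast.
SAMPLE = """\
Event ID:   540
Date:      10/05/2007
User:      NT AUTHORITY\\ANONYMOUS LOGON
    User Name:
    Logon Type:   3
    Authentication Package:   NTLM

Event ID:   540
Date:      11/05/2007
User:      EXAMPLE-PC\\alice
    User Name:   alice
    Logon Type:   3
    Authentication Package:   NTLM
    Source Network Address:   192.0.2.10
"""

FIELD = re.compile(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", re.MULTILINE)

def parse_events(text):
    """Split on blank lines; turn each record into a {field: value} dict."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {k.strip(): v.strip() for k, v in FIELD.findall(block)}
        if "Event ID" in fields:
            events.append(fields)
    return events

def triage(ev):
    """Findings for one Event ID 540 record; empty list if nothing stands out."""
    notes = []
    if ev.get("Logon Type") != "3":   # 3 = network logon (e.g. share access)
        return notes
    if ev.get("User", "").upper().endswith("ANONYMOUS LOGON") and not ev.get("User Name"):
        notes.append("anonymous (null session) logon: no credentials presented")
    if not ev.get("Source Network Address"):
        notes.append("no source address field: origin cannot be read from this record")
    return notes

def report(text):
    return [(ev["Date"], ev["User"], triage(ev)) for ev in parse_events(text)]

if __name__ == "__main__":
    for date, user, notes in report(SAMPLE):
        print(date, user, notes or ["authenticated network logon"])
```

The first record yields both findings, which matches the thread's reading: an anonymous network logon was recorded, but the record alone does not identify where it came from.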
Fastethernet
« Reply #13 on: October 21, 2007, 08:24:42 pm »

In layman's terms you will never create an un-hackable system; there are various ways to remotely manipulate a Windows box, especially if you do not use a good password policy. What I mean by that is use a complex password with at least 10 characters which should include upper and lower case, numbers and special characters like ä if possible. Change your passwords regularly and make sure you know your administrator's password, but don't use that account, and apply the same policy to that password. Use a hardware stateful firewall; most routers have them built in. If you are still using a USB modem go and buy a router tomorrow, Netgear DG834G are great value. Use a software firewall; Kerio used to offer an excellent free firewall, I can make this available if people request it. Keep up to date with Windows updates, use Firefox instead of IE, use a good anti-virus + keep it up to date.

Those event logs could simply be someone accessing some shared files on Rob's PC which have no access rights associated with them.
Logged
miken
« Reply #14 on: October 21, 2007, 08:27:32 pm »

Interesting,

So that log doesn't even say who or what location attempted to or connected.

Gotta say, I'd use Linux; the only thing that ever put me off is I use my PC for gaming, and not enough is compatible.
Logged