We are in the middle of wars at my friend's job. They want the director out and have gone to great lengths to cause it to happen. But the interesting thing that happened in the last 2 days is that 2 of the people involved with the director had their home computers hacked.
In one case, we were at the person's house as it was in the process of being hacked. The person was on the phone with tech support in India who was telling them this.
The other one had been using AOL dial up on his 98SE machine. When he booted his machine up, he kept getting messages saying that he had new devices (obviously, the registry had been hacked for that to have happened) and the logon had the name ERIC as the logon, which was not his. Not really sure how the hacker did this one, since this was a dialup directly to AOL.
Wow, not every day we get a real life cyber war to look at. Ok first things first.. in the first person's case:
1. What OS was he running and was it an always on connection ?
2. What tech support was he talking to ?
3. How do you know the hack was going on at the time ?
4. Have you identified what vulnerability the attacker was using ?
5. Have you checked running processes and startup programs ? Anything unusual ?
In the other guy's case, was the login name ERIC a windows login name ? If so, delete the user and change all the system passwords. Once again, check running processes and startup programs. I dunno what the 'new devices' thing is all about though...
What event occurred that made you realise that the machines were compromised ? If they're interested in reporting it as a cybercrime, then the systems should just be turned off, remove the hard disks and store them safely. DON'T delete anything, or make any operating system changes, no virus scans, patches, nothing.. Don't even backup the hard disks as this will change the last accessed dates for the files. Don't bother shutting down the machine, literally pull the plug.. an attacker could have set up a script to run at shutdown erasing evidence etc.
Now there's something very interesting and certainly not your everyday hacking situation.
The situation is a bit messy since you have 2 users, of which one uses an AOL dialup account, who had their PCs hacked.
As far as the 2nd person's PC, which you guys were in front of when it was being hacked, you haven't given us any info on the connection he had at the moment to the Internet.. was it broadband or dialup (aol ?).
For the AOL user, well, for someone to hack into his pc, one of the three following must have happened:
During an AOL dialup session,
1) He connected to a server/service the hacker had access to in order to grab his IP
2) The hacker knows someone in AOL who provided him with the IP during that session or the hacker had direct access to the database where the info is logged
3) A program was installed a long time ago and was activated when shit hit the roof
I'd suggest you install one of them spy catching programs to see if there is any backdoor installed on the PC. If you don't find anything, the person must have got in through a backdoor/exploit or the C drive was shared to the public.
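Both replies above say to check the startup programs / look for an installed backdoor. The script below is an added example of how to do that triage offline on a Windows 9x box like the 98SE machine; it is not code from any poster in this thread. It assumes the Run keys were exported with regedit to a .reg file and win.ini was copied off a duplicate of the drive (not read from the original disk, per the point about last-accessed dates); the sample export, the sample win.ini and the baseline list of expected entry names are all constructed for the example, and the baseline is illustrative rather than an authoritative list.

```python
"""Triage of Windows 9x autostart locations from a saved registry export and win.ini.

Added example, not from the thread. Inputs are a REGEDIT4 text export of the Run
keys and the contents of win.ini; both sample texts below are constructed.
"""
import re
from typing import Dict, List

# Autostart keys a Win9x machine processes at boot/logon, with a short label for reports.
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": "HKLM Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices": "HKLM RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": "HKCU Run",
}

# Illustrative baseline (assumption) of value names a stock 98SE install is expected to carry.
BASELINE_NAMES = {"ScanRegistry", "TaskMonitor", "SystemTray", "LoadPowerProfile"}

_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')

# Constructed sample export; the "Update" entry is the planted unknown to be found.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Update"="C:\\WINDOWS\\TEMP\\UNKNOWN.EXE /hide"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
'''

# Constructed sample win.ini; a stock install leaves run= and load= empty.
SAMPLE_INI = """[windows]
load=
run=C:\\WINDOWS\\TEMP\\UNKNOWN.EXE
NullPort=None
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT4 export into {key_path: {value_name: string_data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape quotes and backslashes inside string data.
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group("name")] = data
    return keys


def parse_win_ini(text: str) -> List[str]:
    """Return programs named on the run= and load= lines of the [windows] section."""
    programs: List[str] = []
    in_windows = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_windows = line.lower() == "[windows]"
            continue
        if in_windows and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() in ("run", "load"):
                # Several programs may be listed, separated by spaces or commas.
                programs.extend(p for p in re.split(r"[ ,]+", value.strip()) if p)
    return programs


def triage(reg_text: str, ini_text: str, baseline=BASELINE_NAMES) -> List[str]:
    """List autostart entries outside the baseline as 'location: name -> command'."""
    findings: List[str] = []
    keys = parse_reg_export(reg_text)
    for path, label in RUN_KEYS.items():
        for name, cmd in keys.get(path, {}).items():
            if name not in baseline:
                findings.append(f"{label}: {name} -> {cmd}")
    # Anything on run=/load= is reported: a clean win.ini has nothing there.
    for prog in parse_win_ini(ini_text):
        findings.append(f"win.ini: {prog}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_INI):
        print(finding)
```

Anything the script reports is a lead to look at, not proof of compromise; compare the flagged commands against what the user actually installed, and keep the exported files so the same check can be repeated against the stored disk later.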
In the first case, they were already working on the computer from India. Not sure what caused them to determine they were being hacked. They apparently got a call from MSN saying that it was going on.
In the 2nd case, I don't know when the problem happened. He had just started the computer and the login name was already there. This is a 98SE machine. He wasn't sure when it happened, just found that when he booted up the machine, he had the problem. I am actually going to bring the machine home in the next couple of days, to get his data off the machine. He is going to a new machine with XP, anyway - so I can play with the machine a little.