Internet Security Discussion Forum: This forum is for the discussion of security-related issues. If you find a new phishing scheme, spyware, virus or malicious site, let us know about it. If any of the above found you... here's where you ask for help.
How do I find out what was taken and how?
How do I ensure this doesn't happen again? An outside source has just downloaded my hard drive, I caught this midway through, and reset my computer. My firewall did not stop this, or even notify me. I found out when trying to open files and was told that they were already in use by another user. I know my documents folder and a couple of others were accessed and being copied. I don't know exactly what was got. I have been developing a video game, some of those documents may have been among those copied. Several have already been copyrighted, but many are new or updated. I am printing them now to send registered mail. That will cover me until I get the new copyrights. How do I find out what was taken and how? How do I ensure this doesn't happen again?
|
|||
|
Are you absolutely certain files were downloaded? Were you monitoring your Net traffic?
Maybe the OS got confused and your files accidentally got the "in use" tag. This might happen when you're doing complex stuff (developing or debugging video games). Does your computer have a LAST ACCESSED date? TO PREVENT: Get a fingerprint reader. You can store the files in your "safe" accessible by a complex password or simply your fingerprint. Try this: Microsoft Mouse and Keyboard Hardware – Fingerprint Reader and Compare Prices and Read Reviews on Fingerprint Reader Scanners at Epinions.com. Good luck! Hindsight is worthless.
__________________
Advertising without research is like shooting an arrow into the air and then looking up for a target to catch it with. Last edited by blitzen; 12-13-2007 at 06:12 PM. |
|
||||
|
First what kind of firewall were you using? Trash it and get another. KIS7 or Comodo is about the best, ZoneAlarm Pro is good but is a resource hog. You should also use a router with a built-in hardware firewall.
Turn off File and Printer Sharing and make sure no folders are shared. That's not needed on a typical desktop PC. I don't know how it would be possible to find out what was copied. Frankly I'm a bit shocked that something like this could even happen. You could check your firewall logs and look at the activity for that time and data transferred and possibly find the IP. Obviously, scan your PC with a GOOD AV program, and SpyBot, AdAware, SpyWare Terminator, and all the rest. You could have a Trojan or other malware infections.
__________________
Happy Thanksgiving to all & God Bless, -Clint (Join Date: 2003) |
|
|||
|
I think someone's been watching too much TV!
Could someone really copy the contents of a hard drive without depositing some malware on the machine first? Does it really happen that way anywhere else except TV? If you were rifling the content of the drive, wouldn't you make sure NOT to lock the files and hence reveal your presence? I'm with Blitzen (your time of year, eh?). In the absence of some serious piece of malware, it's more likely an OS problem.
|
||||
|
How do you know files were copied? That a file was accessed means only that it was opened; such does not mean that it was even read, let alone copied.
Many legitimate applications open files, in anticipation of their use, without ever doing more. Likewise, many are opened and read, without your being consciously aware of such. For example, if files are backed-up, they have been accessed. Sweep your machine for malware, and every file not excluded from those to be scanned is accessed! As for a file being unexpectedly inaccessible owing to its already being open, the most prevalent cause of such is the failure of an application to have properly closed it during the last access; i.e., a system error. Finally, it is not the job of a firewall to indiscriminately block data transfers.
__________________
The Penn State Ticket Man http://www.pennstateticketman.com http://www.happyvalleytickets.com http://www.hounddogtours.com |
|
||||
|
Technically, I could do such a thing, so it is possible. (Note the word I used is could, not would...) It is, however, difficult. Especially if you are not on the same network as the target PC. As far as being on the network, I once watched a hacker exploit a hidden admin share (specifically, C$ - passwords are there for a reason, people) to force the target computer to share previously unshared folders and grant write permissions so he could download all the files in that directory. While downloading the files, they showed up to the user as "locked" because the target OS was a single-user version (WinXP Home in that case - Pro would have simply forced the file to only open in Read-only mode).
Now, this does not prove that the files were definitely being downloaded - antivirus software could lock files during a scheduled scan, for example. Typically you would only notice this with large files if you tried to open the file after the scan has already started, or if you tried to save an open file that is being scanned. You may be able to check the computer logs for unauthorized remote access, and you should probably reinstall your antivirus software and rescan the computer.
__________________
The best way to learn anything, is to question everything. |
|
||||
|
I FTP'd him to one of my online file repositories, and deleted the original.
__________________
The Penn State Ticket Man http://www.pennstateticketman.com http://www.happyvalleytickets.com http://www.hounddogtours.com |
|
|||
|
Why would anyone want to copy the files on another computer? It doesn't make sense.
Here is a fantastic firewall: NetVeda - Firewall, Bandwidth Management, Parental Controls, and Network Monitoring Go here: https://www.grc.com/x/ne.dll?bh0bkyd2 I got perfect score with netveda. I am running it right now, it is the best firewall I have ever used. |
|
|||
|
Once we rule out faulty wiring, er, uh, ...
The same rules apply in all circumstances that have always applied. An ounce of prevention is worth a pound of cure.
- Secure your computer on the network: hardware, software, smartware
- Scan and Clean. Find what's there, if anything, and get rid of it. Best not to trust any software residing on your machine at present. Clear your paging file and turn off System Restore before scanning for viruses, worms, etc. If possible, perform scanning and cleaning in Safe Mode. Use an online service to perform initial scans, and go from there with additional software. Especially look for root-kits. Spywareinfo dot com will have links to reliable vendors for this purpose. If they cost a little, it will be worth it.
- IF ANY bad stuff is found on your machine, uninstall and reinstall all your protection and prevention software, including firewall. Those programs may have been compromised. Best to retrieve the newest version from the original vendor and install straight-away. Uninstall, don't upgrade.
- Clean your registry at each step, especially after uninstalling and cleaning. **
- Check all running services and disable or set to manual any that pose security weaknesses. **
- Turn system restore back on when the machine is clean and ready for reinstallation of programs.
- Make sure all your p&p software is set properly and running at boot up.
- Clear your logs so you can monitor current activity more closely. What's done is done. Start from here, and forget the rest.
- Cold boot and enjoy. Rescan frequently until you're comfortable everything is holding up.
** NOTE: Get proper technical advice before tampering with Registry or Services.
|
||||
|
Quote:
Quote:
__________________
Happy Thanksgiving to all & God Bless, -Clint (Join Date: 2003) |
|
||||
|
If you want to get into a discussion on the best firewalls, Comodo and Zone Alarm Pro have been at the top at most firewall testing sites. I use KIS7 right now. Comodo is even free.
__________________
Happy Thanksgiving to all & God Bless, -Clint (Join Date: 2003) |
|
|||
|
My bad.
It's just that the OP problem boils down to just that, a firewall problem. Any kind of excessive network activity should have been reported, and blocked. There is no way a hard drive can be transmitted over the network without some kind of flags being raised, unless of course all the user has is windows firewall. In this case their ISP should have intervened. Quote:
|
|
||||
|
Quote:
There is no absolute solution to prevent malicious activity on your network. The best you can do is have a multi-tiered security system - antivirus, antispyware, software firewall, hardware firewall, all with proper precautions installed - to minimize your risk as much as possible.
__________________
The best way to learn anything, is to question everything. |
|
||||
|
Quote:
Unless and until such is determined, issue re. cause(s) are speculative at best.
__________________
The Penn State Ticket Man http://www.pennstateticketman.com http://www.happyvalleytickets.com http://www.hounddogtours.com |
|
||||
|
Here's a suggestion .... buy a Macintosh!
Seriously if you have a Macintosh get a little utility program called "Little Snitch". It informs you of all kinds of network communications coming into and going out of your computer. Very eye opening. But if you have a Windows machine all I can say is pray a lot.
__________________
Eric Nelson, Ph.D. <<SlickRockWeb>> Affordable SEO, Plan your Belize vacation early. |
|
||||
|
Windows computers have a similar utility (netstat) built into the operating system. Macs are just as vulnerable in many cases to network based attacks. The supposed security benefits of the Mac exist only because it is used on only 10% of desktop computers. As adoption of the OS increases, security will decrease as it becomes more of a target of hackers. The exact same thing happened with Firefox. Now that adoption has reached an estimated 15% of the market, vulnerabilities are being detected more frequently as attackers are seeing it as a viable target.
__________________
The best way to learn anything, is to question everything. |
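An added example, not part of any post in this thread: the hidden admin share (C$) described earlier is reached over SMB on TCP 139/445, so output from the netstat utility mentioned above can be filtered for established connections made to those ports. The `netstat -ano` sample, the addresses, and the helper names are constructed for illustration.

```python
import ipaddress

SMB_PORTS = {139, 445}  # NetBIOS session service and SMB; admin shares such as C$ use these
# Address ranges treated as "local" for triage (RFC 1918, loopback, link-local, IPv6 ULA).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed sample of Windows `netstat -ano` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:445       192.168.1.23:50211     ESTABLISHED     4
  TCP    192.168.1.10:445       203.0.113.7:51234      ESTABLISHED     4
  TCP    192.168.1.10:49712     198.51.100.20:443      ESTABLISHED     3120
  TCP    [fe80::1%12]:139       [fe80::2%12]:50300     ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    1024
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr%zone]:port' into (address, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]").split("%")[0], int(port)  # drop brackets and zone id

def inbound_smb_sessions(netstat_text):
    """Return established TCP connections made to this machine's SMB ports."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows have 5 columns; headers, UDP rows and listeners are skipped.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        _, local_port = split_endpoint(fields[1])
        if local_port not in SMB_PORTS:
            continue  # outbound or non-SMB traffic, e.g. the browser session above
        remote_host, _ = split_endpoint(fields[2])
        remote = ipaddress.ip_address(remote_host)
        findings.append({
            "remote": remote_host,
            "local_port": local_port,
            "pid": int(fields[4]),
            # A peer outside the local ranges reaching SMB deserves the first look.
            "external": not any(remote in net for net in LOCAL_NETS),
        })
    return findings

if __name__ == "__main__":
    for f in inbound_smb_sessions(SAMPLE_NETSTAT):
        print(f)
```

netstat only shows connections that exist at the moment it runs, so this helps while a suspected transfer is in progress, not after a reboot.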
|
||||
|
Quote:
__________________
Happy Thanksgiving to all & God Bless, -Clint (Join Date: 2003) |
|
||||
|
Appropriately, I just received this:
A new article has been added to WindowSecurity.com: Title: Analyzing a Hack from A to Z (Part 1) Author: Don Parker Link: Analyzing a Hack from A to Z (Part 1) Summary: Within this article series we will both pull off a hack, and analyze its methodology. By understanding a hacker's methodology one can better defend one’s networks.
__________________
Happy Thanksgiving to all & God Bless, -Clint (Join Date: 2003) |
|
||||
|
Quote:
Newsflash: There is no such thing as an unhackable machine. Mac users unwittingly rely on "security by obscurity;" i.e., the installed base of Macs is too small to be of interest to most hackers. As Willie Sutton replied, when asked as to why he robbed banks, "Because that's where the money is." There's little money to be had from hacking Macs.
__________________
The Penn State Ticket Man http://www.pennstateticketman.com http://www.happyvalleytickets.com http://www.hounddogtours.com Last edited by deepsand; 12-19-2007 at 01:29 PM. |
WebProWorld is an iEntry, Inc. ® site - © 2009 All Rights Reserved Privacy Policy and Legal iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509 |