View Full Version : Hacker Games????
mikmik
06-08-2004, 08:04 PM
I have some weird 'stuff' going on with a client computer that reminds me of some nastiness I just got through with on mine.
I am curious about a password/encryption/decryption program.
Has anyone heard of $Chicago$ ???
I found this page (it is a google cached page):
chicago+password+encryption (http://www.google.ca/search?q=cache:cwzWM0I9GCsJ:216.103.196.2/cisco/scoring%2520example.doc+chicago+password+encryption&hl=en)
Get this!
Current configuration:
Below is a suggested scoring for the router configurations.
The scoring would depend upon which logical diagram you use.
The following uses the Pod diagram using three stations.
Red is what you are judging and blue would be the point totals.
And here is a section of this document:
version 11.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname chicago 1point
!
enable secret 5 $1$MSjM$7ECju4ocqyfr0uoZmQiJM. 1point
enable password skillsusa 1point
!
username Skills password 7 0331682A 2point
ip subnet-zero
no ip domain-lookup
!
ip host chicago 152.125.14.3 152.125.6.2 152.125.9.1 1point
ip host boston 152.125.14.1 152.125.3.1 152.125.9.2 1point
ip host new_york 152.125.14.2 152.125.6.1 125.125.3.2 1point
!
interface Ethernet0
description connected to switch 1
ip address 152.125.14.3 255.255.255.0 1point
ip access-group 101 in 2point
no mop enabled
!
interface Ethernet1
no ip address
shutdown
What the he...?????
Anybody recognise this???
I am seriously interested here, any help is MONDO appreciated :O)
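The security-relevant point in the quoted router config is that `service password-encryption` only turns `password` lines into Cisco "type 7" strings, which are a fixed XOR and fully reversible, while `enable secret 5` is a salted MD5 hash. The following audit script is an added example (not from the thread or the scoring document); it flags cleartext and type 7 credential lines and, using the type 7 string quoted above, shows why that "encryption" provides no confidentiality. `decode_type7`, `audit_config` and the excerpted sample config are my own names and constructions.

```python
import re

# Fixed, public key stream Cisco IOS uses for type 7 password obfuscation.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(enc: str) -> str:
    """Reverse a type 7 string: two-digit seed, then XOR'd hex byte pairs."""
    if len(enc) < 4 or len(enc) % 2 or not enc.isalnum():
        raise ValueError("malformed type 7 string")
    seed = int(enc[:2])
    out = []
    for i in range(2, len(enc), 2):
        byte = int(enc[i:i + 2], 16)
        out.append(chr(byte ^ ord(XLAT[(seed + (i - 2) // 2) % len(XLAT)])))
    return "".join(out)


def encode_type7(plain: str, seed: int = 3) -> str:
    """Forward direction, included only to show the scheme is a plain XOR."""
    body = "".join(f"{ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}"
                   for i, c in enumerate(plain))
    return f"{seed:02d}" + body


def audit_config(text: str) -> list:
    """Return (line_no, finding, detail) for credential lines in an IOS config."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s.startswith("enable secret 5 "):
            findings.append((n, "ok", "enable secret uses salted MD5 (type 5)"))
        elif s.startswith("enable password ") and " 7 " not in s:
            findings.append((n, "cleartext", "enable password stored in the clear"))
        m = re.search(r"\bpassword 7 ([0-9A-Fa-f]+)", s)
        if m:  # type 7 is reversible, so treat it the same as cleartext
            findings.append((n, "reversible",
                             f"type 7 decodes to {decode_type7(m.group(1))!r}"))
    return findings


# Excerpt of the config quoted in the post above, scoring annotations removed.
SAMPLE = """service password-encryption
!
hostname chicago
!
enable secret 5 $1$MSjM$7ECju4ocqyfr0uoZmQiJM.
enable password skillsusa
!
username Skills password 7 0331682A"""


def run_audit() -> list:
    return audit_config(SAMPLE)
```

The `enable secret` line is the only one that survives an audit; the other two would both be remediated by replacing them with `secret` (type 5) forms.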
mikmik
06-08-2004, 08:21 PM
http://web.abnormal.com/~thogard/nbx/password.html
Curiouser and curiouser
Use the number returned by the malloc command, This will be different than the example above.
Now this will stay set up until you reset the NBX. If you want to free the memory for some reason:
nbx100-> free pa
This will leave the symbol which could cause problems if you use pa ever again. Since it only allocates 100 bytes of memory, it won't hurt to leave it allocated.
For R3 and R4_0:
nbx100-> h2 "!Ofm0uealStEsrx1",pa (this is the encrypted form of 8 zeros)
For R4_1:
nbx-100-> 0x87c4b8("!Ofm0uealStEsrx1",pa) For all:
nbx100-> d pa,10,4
0399c220: 30303030 30303030 00303000 * 00000000.00.*
0399c230: 31787273 00000000 005e1df0 00000000 *srx1......^.....*
0399c240: 00000000 005e1df0 00000000 *......^.........*
You have to look for the null (zeros) at the end.
0399c220: 30303030 30303030 00303000 * 00000000.00.*
^^ ^
The function chicago will encode a password, h2 will decode it.
nbx100-> chicago "MySecret",pa for R4_1 you need to doit with 0x0x87bec8("MySecret",pa)
nbx100-> d pa,10,40399c220: 59733221 31244b57 68623231 * !2sYWK$112bh*
0399c230: 31363352 00000000 005e1df0 00000000 *R361......^.....*
nbx100-> h2 "!2sYWK$112bhR361",pa
nbx100-> d pa,10,40399c220: 6553794d 74657263 00746500 * MySecret.et.*
0399c230: 31363352 00000000 005e1df0 00000000 *R361......^.....*
This is a page about "retrieving" a lost password on a phone network...
ronniethedodger
06-11-2004, 01:14 PM
Mik - your second post deals with the 3COM NBX 100 Communications System (http://www.3com.com/products/en_US/detail.jsp?tab=features&pathtype=purchase&sku=WEBBNGNBX100COMSYS) and retrieving a password from it. I noticed in the link you provided that the system in question was a very old one too, it referred to 486 computers ... so it is pretty dated.
But, if the system you are comparing this to (your client's) have this type of hardware, then you are on the right track.
Your original post mentioned $Chicago$. Chicago was the codename for Windows 95. You will see that word $Chicago$ in a lot of old INI files from that era. Chicago preceded Win95 Release B also, and I cannot think of anyone who did not upgrade to that version ... if they didn't then they should.
It would help if you can describe what is actually happening to your client's computer. I am assuming this is a serial modem problem maybe ???? Older system too?
mikmik
06-11-2004, 01:41 PM
Thanks, dodger, I know I have seen 'chicago' used in reference to a program about encryption breaking, but I may have misunderstood... I am sure that there was something to it, for I do remember the term 'Chicago 95' being used other places. I am a bit jumpy these days though...
The other reference up there, it WAS a game... for students at a University in a research, or class project haha.
I tracked the IP's to other computer labs around the country, in '99
---------------
My client, also had fax and telephony software installed, but only a NIC card, no modem. What else was unusual was that even though her computer was not connected, in the network connections folder, under properties, it said that it was.
I wiped the MBR with zeros, and reinstalled fresh, after thinking the problem was fixed, only to reappear after they got the computer home...sigh..I hate it when that happens!
I tested it here, rebooting three times, and checking the registry for 'run' settings, and also 'startup' config etc.
So when something comes back after that, it is looking to me like boot sector virus activity, and it is a real major pain to test for that.
I have been reading about all these boot sector infections. They were all the rage on Windows 95 and 98 FAT16 Y2K viruses.
Curiously, that was the hiding technique used in my infection the last two months, it was written to a virtual partition that was FAT16... Win NTFS programs have no way to see these, that I am aware of.
It is like a 'new and improved' boot sector invasion, there are starting to be reports here and there, but instead of spreading and causing destruction, these babies are used to install backdoors, and download routing and server software, and they employ multiple LSASS buffer overflow vulnerabilities to run commands inside your own computer.
These vulnerabilities are cropping up like ViagrA spam these days, and I think we may have a bit of a security prob with this for a while, maybe until SP2.
It is all mind-boggling for me.
Thanks again, dodger, you do know your stuff, that's for sure :O)))
ronniethedodger
06-11-2004, 02:03 PM
This is a Win95 machine then?
On the NIC card ... if it is not being used, just disable it in the control panel under System. Or I think you can do that from the Network Connections too.
The NIC card is always connected to the "machine", that does not mean it is connected to the outside world -- unless you are on a DSL line, then you are always connected anyway.
alienzhavelanded
06-11-2004, 04:05 PM
FYI, a lot of the major computer manufacturers/vendors will install separate partitions on NTFS drives that are FAT. I usually remove them as I consider it wasted space. They use it for a variety of reasons.
mikmik
06-12-2004, 03:22 AM
No, it is WinXP. It is new versions of old viruses being employed to exploit NT systems.
I am like you, alienzhavelanded, I always completely format the drives when they are new. The fat partitions I discovered before also had rotating names like " µ µ "
and: "æ8ø©?æ".
Those are not normal factory partitions, and they have been confirmed by others as hacks.
They have endpoints in the windows root folder at various locations as well, and they are named ".", and "..".
There are always two, that I know of, and when you throw in that access is denied to these, and then that the permissions cannot be changed, then you start getting locked out of auditing privileges, and then the 'properties' boxes get changed so that you cannot even access the security settings, and when you monitor the registry in real time and you see "buffer overflow" reported in LSASS and the path to the process is 'Access Denied'...
There is no doubt about what is going on. Zero.
Also, there are messages in some of the code I have found, like "Root Access Success!" that causes me to feel queasy...
It is a hack. The network connections always shows as 'disconnected' when the RJ45 connector is unplugged from the NIC, and in Linux, it will show that also, when loading. So I think strongly that there are suspicious activities present when this is not reading right.
This beasty also got into my Redhat installation before, so I am very, very, very, suspicious these days, even on client machines that just have one or two weird behaviors.
I have gone as far as shutting down all ports on my router, allowing only 25, 80, and 110, and I have done the same for the Network connection in the control panel thus: Network Connections/ Properties/ Internet Protocol Properties (TCP/IP)/ Advanced settings/ TCP/IP Filtering. Then I have blocked all traffic except for the three ports listed above, UDP completely, and when I click 'OK' to all this, reboot, or whatever, even without rebooting, just go in and check the settings, they are back to default.
I have also used Norton Internet Security, or Zone Alarm Pro, at the same time as all these other efforts, and set everything to have to ask me permission to go on the 'net, but still this 'pornware' is able to get access, and to broadcast, eventually locking me out of the settings in my software firewalls, or rendering them useless.
I have only gotten rid of this by zeroing my hard drives completely, from the first sector to the last, and then installing fresh.
I just read that these new boot sector viruses can be present and undetectable but for a 3 byte change in the instruction set! Three bytes! I mean HARD TO DETECT.
I thank you guys, you have, and continue to, give me valuable input, and I have weeded out, and learned many things that are normal processes because of your help. But there is some strange stuff going on out there, and it is serious, other people have been helping me as well, and they concur.
I just wanted to let you know the extent of my knowledge here, although it is spotty, and I repeat that all you tell or suggest is valuable, usually new, and saves me grief :O)))
Basically, I am at the point of having to get packet captures, and analyse them in binary, or hex, to find out what is going on exactly.
It is good that I have understanding clients, let me tell you :O)))
Oh, and thanks dodger, for continued offers of help, I ended up wiping everything on my clients machine (like I did mine, grrrr) and it is okay now.
But I am getting some good knowledge here, and we will make a formidable team in the future, guys!
ronniethedodger
06-12-2004, 03:33 AM
Crapola.
The NIC is used for the Internet then right?
Where did you read about that 3-byte thingy at?
BTW, this is an XP OS ... is it a new machine though, or an older one that was pre-XP? Just curious more than anything that is all.
You are going to be an expert at this crap after a while dude. Consider it on-the-job training if anything ... that way you know there is some benefit coming out of all this (just another way to look at things, eh?)