Need to help a friend - Computer Attacks

Hello all, can any brain boxes help me out with this one?

My friend has a Dell Alienware Aurora R4 and his network keeps getting attacked by unknown hijackers; see the screenshots below:

There are unknown users that are taking over and modifying his User Permissions and also his Windows Certificates.



This is what he's saying.....

I have 15 years tech experience, worked for Intel and owned my own business making rigs and networks for colleges like Heald's and ITT Tech.
I can say they get in, start turning off everything; in terms of services they run a boot CD from network, this fries all my permissions and gives them it. Also kicks me out of the workgroup, making me part of nothing and them admin (even though I'm admin I'm not allowed in my own workgroup as they change the PW).

They used Hiren's.. they even told me so as they hacked me. They got into all my emails and Google, 25 hard drives.. now 8 machines, 5 rigs and 3 laptops.
I run a tight ship, but because they shadow me in memory and use the UEFI partition BIOS to boot from their version of BIOS, then rape my certs and permissions, then go for VC++, Java etc..

DVD was firmware fried to blank region and can't read discs still, and trying to fix the firmware leads to checksum errors, saying it can't flash it as it doesn't match whatever they want it to. Same with BIOS.

Only one thing fixed it.. and that was a new motherboard and hard drive put in by Dell. BUT this is Alienware (so if you don't know all the stuff about Alienware you might want to understand that it needs some things most rigs don't): cooling, fan fins on case, CPU timing, all this is controlled by Alienware Control Center.

As of now I have no security.. nothing. I run no router, though I tried. I have tried many NICs, but again once they have the MAC address I'm screwed. They even wake my machine on LAN.. so I must unplug it.

Now mind you, after hooking the drives up via SATA to USB.. all files are still there and not touched. So it seems they copy certain things to the network, then allow me to see only what they have locally, and that's what they modify.
PS there is no way to return the PC at this time to backup or restore. These options were on Dell's partition which was erased. It can't be recreated unless I am Dell or have the files. It's not a part of the Windows partitions. This is the Alienware Dell partition for Respawn and such. It's gone.

I used Hiren's to boot and nuke.. wiped the drive.. it still found Windows.. asking to repair. Yet the drive was empty. Booted to Hiren's again via USB, and there was a flippin' memory drive mapped. 160 MB with very few Windows files and other such things.
Boot was set to \z: I don't have a Z:, meaning they mapped a network drive as part of the workgroup.

Can anyone help?????

Would be grateful for suggestions.....

Thanks
Rob
 
You need to wipe all your machines mate, BIOS reset and flash to latest. Lock down your router's ports also and only let through what you need.... That's some bad shit going on...
 
I will tell him....

He doesn't have the recovery partition on his system, he erased it, and I can't figure out why Alienware/Dell didn't provide him with recovery CDs?
 
DVD was firmware fried to blank region and can't read discs still, and trying to fix the firmware leads to checksum errors, saying it can't flash it as it doesn't match whatever they want it to. Same with BIOS.

If I understand correctly, he can't read DVDs/CDs since the firmware on his
optical drive is shot?

As of now I have no security.. nothing. I run no router, though I tried.

Where's the firewall if he does not run a router? Surely he has a serious
firewall somewhere? Apologies if I've misunderstood this part.

I used Hiren's to boot and nuke.. wiped the drive.. it still found Windows.. asking to repair. Yet the drive was empty. Booted to Hiren's again via USB, and there was a flippin' memory drive mapped. 160 MB with very few Windows files and other such things.
Boot was set to \z: I don't have a Z:, meaning they mapped a network drive as part of the workgroup.

So, to be clear: he wiped the drive and after that his Windows installation
was still there, asking to be repaired?

I suggest looking at some cryptographic drive wiping software. There are
some Linux live disks that are great for this. Take the HDD out, put it into a
different machine (and make sure to disconnect every other HDD in that
machine, just to be sure), boot a live disk and erase that sucker cleanly.

If that does not work, they have most likely tampered with the HDD's
firmware (I'm not an expert on that, but I suppose if they can change
the optical drive's firmware, they can also mess with the HDD's).
In that case, get a new HDD. Make sure your machine is clean (firmware,
BIOS) before plugging that HDD in.

You need to wipe all your machines mate, BIOS reset and flash to latest. Lock down your router's ports also and only let through what you need.... That's some bad shit going on...

I would also suggest this approach. Although personally I would probably
never trust any component in that machine again and just replace the
entire thing altogether.

I will tell him....

He doesn't have the recovery partition on his system, he erased it, and I can't figure out why Alienware/Dell didn't provide him with recovery CDs?

Honestly, if somebody can get into my system and screw with me on this scale,
whether or not I have a system restore CD is secondary. If needed, tell him
to go buy a new copy of Windows and install that.

Apologies if I've misunderstood anything, but this story just seems a
bit convoluted to my tired mind.
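The reply above suggests wiping the drive from a live disk and then checks whether Windows really came back afterwards. As an added example (not code from anyone in this thread), here is a small scanner that verifies a wipe by looking for the on-disk signatures a "still found Windows" drive would carry: the MBR boot signature, the GPT header and NTFS volume boot records. The image layout below is constructed for the demo; the `scan_path` helper is my own name, not a tool mentioned in the thread.

```python
"""Verify that a disk (image) is actually blank after a wipe.

A drive that presents partitions after a 'wipe' still has recognisable
structures on it. Scanning the raw bytes for them shows whether the wipe
really cleared the disk or whether something survived.
"""

SECTOR = 512


def scan_for_remnants(image: bytes, sector: int = SECTOR) -> dict:
    """Return which well-known on-disk structures still exist in `image`."""
    findings = {"mbr": False, "gpt": False, "ntfs_boot_sectors": [], "nonzero_bytes": 0}
    # MBR: boot signature 0x55AA sits at bytes 510-511 of LBA 0.
    if len(image) >= sector and image[510:512] == b"\x55\xAA":
        findings["mbr"] = True
    # GPT: the primary header lives at LBA 1 and begins with "EFI PART".
    if len(image) >= 2 * sector and image[sector:sector + 8] == b"EFI PART":
        findings["gpt"] = True
    # NTFS volume boot records carry the OEM id "NTFS    " at offset 3 of their sector.
    for off in range(0, len(image) - sector + 1, sector):
        if image[off + 3:off + 11] == b"NTFS    ":
            findings["ntfs_boot_sectors"].append(off // sector)
    # Any non-zero byte at all means the wipe did not overwrite this region.
    findings["nonzero_bytes"] = sum(1 for b in image if b)
    return findings


def is_blank(image: bytes) -> bool:
    """True only if no signature survives and every byte is zero."""
    f = scan_for_remnants(image)
    return not (f["mbr"] or f["gpt"] or f["ntfs_boot_sectors"]) and f["nonzero_bytes"] == 0


def scan_path(path: str, limit: int = 64 * 1024 * 1024) -> dict:
    """Scan the first `limit` bytes of a block device or image file (hypothetical helper).

    Run it against the wiped disk, e.g. scan_path('/dev/sdX') from a live system,
    to confirm the MBR/GPT area and early sectors are really zeroed.
    """
    with open(path, "rb") as fh:
        return scan_for_remnants(fh.read(limit))


def build_sample_image() -> bytes:
    """Constructed 8-sector image: MBR signature, GPT header and an NTFS VBR at LBA 4."""
    img = bytearray(8 * SECTOR)
    img[510:512] = b"\x55\xAA"                      # MBR boot signature
    img[SECTOR:SECTOR + 8] = b"EFI PART"            # GPT header signature at LBA 1
    vbr = 4 * SECTOR
    img[vbr + 3:vbr + 11] = b"NTFS    "             # NTFS OEM id
    img[vbr + 510:vbr + 512] = b"\x55\xAA"          # VBR boot signature
    return bytes(img)


if __name__ == "__main__":
    print("blank image:", is_blank(bytes(8 * SECTOR)))
    print("sample image:", scan_for_remnants(build_sample_image()))
```

A wipe that passed should report no MBR, no GPT, no NTFS boot sectors and zero non-zero bytes; anything else means the overwrite did not reach the disk (or the drive is presenting data that is not what was written).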
 
Hi there, and welcome to the forums!

Alright, going over Rob's first post, I have a few questions and/or clarification
requests. As a side note, I'm neither an absolute network expert nor a security
professional, but there is some stuff I know, so I'll do what I can. ;)

  • They are running their own software from your UEFI partition?
  • I'm not quite clear how many machines have actually been affected. Just the
    Alienware or seven others (you mention 5 rigs and 3 laptops)? Or is the Alienware
    merely the entry point and they spread from there over the network to access
    the remaining machines?
  • You cannot flash the DVD firmware?
  • Same with M/B BIOS?
  • You are not running a router? If so, where's your firewall?
  • If you are running a router/firewall: Have you found out how they penetrated
    that?
  • They copy files, but so far have not deleted anything?
  • The Dell system restore partition has been erased?
  • You've tried to wipe the drive with Hiren's, but it somehow was not successful?
    Is it possible they have manipulated the system drive's firmware?

Apologies if some of these are a bit redundant, but I think it's best to avoid
misunderstandings when giving advice, especially with something this important.

Anyway, if you really cannot flash the BIOS of that machine and if the system
drive has been compromised I would seriously consider binning the affected
components (meaning the only thing I'd keep would be the case, the PSU and
the cables). Even if you find somebody who claims to have fixed it (and they
might very well legitimately believe so), I would probably still no longer trust
anything that is being run on that machine.

If you do not want to throw the components away (and I understand that you
probably wouldn't want to), but cannot flash the drives and motherboard, I
don't really see another possibility than sending it in to Dell for replacement.

Same goes for any other affected computer.

Also, if you're really not running a firewall/router, get one now. If you do have
one, make sure any open ports are closed and the admin password is no longer
set to the factory one (not to insult you, but so many people don't change
their router's password).
 
Hi

  • They are running their own software from your UEFI partition?
    Originally YES. Dell Alienware has 2 Windows stock partitions (not including the OS)
    and Dell Alienware runs 2 other partitions. The UEFI is how it came to me, and yes this was compromised. Not only did they hit the UEFI partition but they somehow linked their drive in sync with mine, so that when it boots my BIOS once read boot from network drives only, no local. To me that means it sees I'm on.. checks if they are on the network, and if so it boots from whatever they want it to,
    whether it's a hidden partition or an already used one on UEFI or recovery, or if it's a network drive. I DID also try legacy mode (not too nice on a 3 TB drive but I did try).
    Still the BIOS is a bit miffed and the only way I did fix it was to have the MB and HD reinstalled by Dell, and I bet it was still in memory or somehow replaced by network, as the NEW HD that was blank asked me to repair Windows,
    not reinstall.
  • I'm not quite clear how many machines have actually been affected. Just the
    Alienware or seven others (you mention 5 rigs and 3 laptops)? Or is the Alienware
    merely the entry point and they spread from there over the network to access
    the remaining machines?

    It will be the 8th rig. 26 separate hijackings, aka some more than once.
    One of them was plugging a HD into it and booting as slave, BUT this affected my drive when I even clicked on it, as it was caching the drive for faster searches.
    So I have 26 hard drives, 11 of which are dead locked, 4 of which are Linux partitioned with GParted to 9-12 partitions on the HD.
    Some are like the old one and just had 2 partitions (not including the OS partitions for UEFI etc).
  • You cannot flash the DVD firmware?
    I can but it gives a checksum error, saying it doesn't match the one that is there.
    Googled the error and found bad bad stuff, read below.
  • Same with M/B BIOS?
    BIOS is flashed with the latest BIOS revision, and I can reflash it. BUT it doesn't do anything. Somehow on boot, either via network or UEFI, they disable my access to it.. I can't even change some options and most things don't even run right.
    IE it was set to RAID when I DON'T RUN RAID, and legacy after I had just seen it as UEFI (then the HD only shows 2 TB).
  • You are not running a router? If so, where's your firewall?
    I have a router and tried it but it didn't seem to help; it's why I had Rob ask for help.
    I wanted to be sure I'm secure before getting on and getting raped again.
    I have an old Netgear router but it's wireless+cable and I loathe any wireless anything.
    I ran PeerGuardian, even Tor, and a few tracers on the jackers and found their IPs matched my local Comcast center in Sacramento.
    So yea,
    not China or anything, it's so personal, darn x and bad drugs.
  • If you are running a router/firewall: Have you found out how they penetrated
    that?
    I think somehow with my MAC address, then bad forwarding; it's just me logging into FB or emails that lets it right in.
  • They copy files, but so far have not deleted anything?
    Nothing was ever deleted, just edited. And even those pictures and vids and such seemed fine when running checksums over SATA to USB, but if I dared plug it in as slave, uh oh. And yes autoplay was OFF.
    Now some of my pics and videos still say UNDF or can't read.. not sure if it's when I interrupted the hijacking. I found folders of zips and rars that were all 14 MB and being sent in small packets on my workgroup, which they kicked me out of, yet I could still use the net and access my PC but not do anything else. SHADOW COPY exists(ed), hisss.
  • The Dell system restore partition has been erased?
    100% erased. I have zero recovery options. With Alienware you have 2 recovery partitions, one for Respawn, one for standard BS.
    Both are fried and even Dell said they can't be remade and I'd need a tech to redo the files and send out a drive.. but they don't do that, so I need, like you said, a new machine.
  • You've tried to wipe the drive with Hiren's, but it somehow was not successful?
    Is it possible they have manipulated the system drive's firmware?
    I did wipe the drive with Hiren's.. but upon reboot the Windows CD said REPAIR WINDOWS? So I ran Hiren's again and sure enough there were still 2 partitions, only 100 MB-ish in size.. not big enough for Windows.
    One of the files was a boot.ini telling it to boot to NETWORK drives \\ or z:\ which didn't exist. Hiren's makes X:\ for temp but not Z:; I had X and Z, if this makes sense.

    So I USB-SATA'd it to another machine.. ran the CD again.. wiped the f er and got rid of that partition.
    What it seems is that they are just storing stuff on my hard drive locally, editing it right there and letting me see only what they want me to.

    A file said to boot.. hit enter and skip his password and sync to see all his files.
    On my end sync is off.. but this was a sticky note they started, telling me how they got in and who they were and what programs they used to edit pics and partitions..
    Full on brutal.
    Nice but a-holes at the same time. Even taught me how to edit video on cable boxes (they also did that too).
    And my phone jacked, but that's another forum I'm sure.


I have far more info, let me know if I didn't hit anything in there. I'm a bit fluish so I might not reply right away.
Thank you for the awesome reply.

kal-
 
Holy crap mate, you are really getting screwed over :(

Saying this is the 8th rig, getting a new one won't even solve the problem, I would
guess. They'll just simply penetrate that one as well.

I'm not completely up to speed on the legal situation, but if these guys are really
from within the U.S. and have also jacked your phone, I think if I were in your
situation I would probably involve the police at this point if that is in any way an
option.

This cannot be bloody legal, and they are clearly displaying very high criminal
energy (that's actually a legal term here describing how much malice and intent
went into the planning and execution of a crime, don't know if you have something
similar over there).

If you can't involve the police, possibly hire a private investigation company that
specializes in this sort of thing. I know that will be very expensive, so I can't tell
if that's an option, but this problem does not sound like something you can
just get rid of with a system wipe or something like that.

The motivation and know-how these guys are displaying calls for some seriously
professional countermeasures imho.


Also, best wishes regarding your health.
 
I'd have to agree with alpen in this being a legal matter. They are obviously very intelligent people with some serious equipment to be able to do this kind of thing, and it begs the question how many other people are they doing this to.
And is this just practice for a much more serious attack?
This might have much more serious implications and it needs to be dealt with quickly.
 
Saga still ongoing...

I'm trying to see if he can reinstall Windows on his system. I asked him if he could delete the partitions and start over; this is what he said.....

GParted and Partition Magic don't work, they see 2 partitions.. OS and UEFI.. there are no other partitions (which is a problem for Alienware).
There needs to be 4 (2 for Dell, 2 for the OS and boot).
GParted was meant for LINUX.. just FYI, and most of the old drives were turned into Linux file systems so I can't even read them.

Know of a way to change all partitions back to Win OS from Linux recovery from Hiren's?


I told him about the Acronis TI software to back up his system; he's paranoid.... I said to him "The attackers won't muck up the images if you're not online."

Yes they can.

Ask the tech forums, unless U back up on DVDs or USB drive.. they can get in
just due to permissions and certs.

:huh:


Any way around this????
 
This most likely is not legal indeed. However, what I wonder is what do hackers find interesting in your computers? 26 hijackings seems a lot for someone who doesn't have anything interesting?
 
Any way around this????

Sorry mate, I'm definitely not qualified for that. But I would really, strongly suggest your
friend contact the police or whichever legal authority is responsible for this sort of thing.

And regarding the technical side: I think it would probably be best if a professional took a
look at this. No matter how competent a person you find on any forum, as long as they don't
have access to your machine they will always be rather limited in what they can do, if only
because they can't really run their own diagnostics and such.
 
Your ISP is legally bound in the USA to act on your behalf.

I would contact your ISP and ask to speak to someone high up.

I had issues years ago with threats and so on. I used to work on an emulator and I had what thousands would have killed for.

In the end I just contacted my ISP and they issued a subpoena on my behalf.
 