Casper to the rescue again.

RJM62
Touchdown! Greaser!
Joined: Jun 15, 2007
Messages: 13,157
Location: Upstate New York
Display name: Geek on the Hill
I signed up a new client today. A Web site rebuild. Actually, I pitched him a while ago, and he surprised me today and said he was ready to buy.

So I closed the deal, got the deposit, and visited his existing site to refresh my memory about what exactly I intended to do... and Comodo gave me a heuristics warning about a possible exploit. But because I knew the guy was legit, I let it pass...

And WHAM! It started downloading malware to my PC faster than I could stop it. Comodo caught most of it, but the one I allowed promptly started installing drivers before I could shut the machine down. When I restarted, none of my anti-malware tools would open.

I booted into ERD for a while and started manually deleting stuff, but NTUSER.DAT and a few other critical files had already been infected; and when I restarted again, there was a lot of suspicious hard drive activity before the GUI came up; so I hard shut down again. Sure enough, when I checked again in ERD, a lot of the stuff I'd just removed was back.

When I'm getting paid to do this stuff, it's a lot more fun than when I'm not; so I decided to pull the system drive and scan it on another machine, and just boot into the most recent clone that Casper made, which was only a few days old. I scanned it to make sure it wasn't infected, and then transferred the few things that had changed since then (email, mainly) back onto the cloned drive from the system drive that had been in use when the machine got infected.

So in effect, I just juxtaposed the two drives, and will use the former primary drive as the cloned backup for now, and replace it the next time I have nothing to do (it's about three years old, so it's due). It works out, actually, because the now-primary drive is much newer.

I also managed to bork the RAID array for my data storage (probably because of the hard shutdowns), but that also was no big deal because I had that cloned, as well as backed up online. (As it turns out, however, one of the drives in the array was intact, anyway.) I'll rebuild the array tomorrow. I'm too tired tonight.

I also had the guy's current Web host shut the site down, and they also cleaned it. Turns out there were some iframes with code pointing to malicious servers in five different countries. Most likely my new client's machine is infected with some sort of scraper or keylogger, because the server logs showed multiple successful logins using his password, which was strong. I offered to drive up to his place (kind of a long trip for me, but it's slow anyway), but he said he's just going to do a reformat / reinstall.

Now all I have to do is work off the extra caffeine I consumed, and I'll be fine.

-Rich
 
I shot 80 today on a legitimate par-71 course. Two 3-putts (one of them brain-dead) and a double-bogey on 15 ruined an otherwise decent round of golf.
You could have broken 80! :nono: