Safe Speed attacked


safespeed

Original Poster:

2,983 posts

276 months

Friday 26th December 2003
On Monday morning this week at 4:00am something unusual happened to my main computer.

Critical areas of the main hard disc drive were overwritten with garbage. In particular, the region from the partition table to the first FAT (file allocation table; this area includes the MBR) was overwritten with random file data, and both FATs were overwritten with an incrementing 32-bit number. During this process the system beeper sounded continuously. In the early stages of recovery a similar "event" occurred and the MBR and FATs were overwritten a second time, and again the system beeper sounded continuously. My only explanation for this is that malicious code was running on my computer. Unfortunately I blanked the boot sector without capturing its content - I later realised that this was where the malicious code probably resided. I kept no copy.

This seems to me to have the characteristics of a deliberate attack. No worm, trojan or virus has been found anywhere, so I'm rather thinking that I was somehow deliberately targeted via my internet connection. Since I run a good quality firewall, properly configured, I regard the attack as extremely sophisticated. In fact I really don't know how such an attack would be possible.

Thankfully I have been able to recover 100% of the former content of the hard drive and I'm pretty much up and running again. Good job too, because the event exposed some critical weaknesses in my backup procedures. If it hadn't been for Christmas, I'd have been fully operational in two days. I've now got a huge backlog of email, but hope to work through it in the next 24 hours.

If anyone would like to discuss technical details of the attack, recovery or protection from any similar future attacks, I'd be delighted to hear from you.

And of course, as usual, the lesson is to make damn sure that you have functional, effective, comprehensive and up to date backups of all important data.

Best Regards,
Paul Smith
Safe Speed
www.safespeed.org.uk
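An added example, not code from the original post or from Safe Speed: a small forensic triage script for a raw disk image that checks for the damage pattern Paul describes (MBR and boot sector replaced with junk, both FATs replaced by an incrementing 32-bit counter). It builds a constructed minimal FAT16 image, applies the described overwrite, and then shows what a responder would check before recovery: MBR signature, partition table, BPB sanity, and whether any sector runs are counter-filled. The layout (64 sectors, 2 sectors per FAT), the deterministic "junk" filler standing in for random file data, and the counter restarting at zero for the second FAT are my assumptions.

```python
# Added example (not from the original post). Constructed FAT16 image + triage
# for the MBR/FAT overwrite pattern described in the thread. Layout values and
# the junk/counter fillers are assumptions made for the demonstration.
import struct

SECTOR = 512
PART_FMT = '<B3sB3sII'    # status, CHS start, type, CHS end, LBA start, sector count
BPB_FMT = '<HBHBHHBH'     # bytes/sector, sectors/cluster, reserved sectors, FAT count,
                          # root entries, total sectors (16-bit), media byte, sectors per FAT


def build_healthy_image(total_sectors=64, fat_sectors=2):
    """Constructed sample: MBR with one FAT16 partition at LBA 1, a BPB, two FATs."""
    mbr = bytearray(SECTOR)
    struct.pack_into(PART_FMT, mbr, 0x1BE, 0x80, b'\x01\x01\x00', 0x06, b'\xff\xff\xff',
                     1, total_sectors - 1)
    mbr[0x1FE:0x200] = b'\x55\xAA'
    bs = bytearray(SECTOR)
    bs[0:3] = b'\xEB\x3C\x90'
    bs[3:11] = b'MSWIN4.1'
    struct.pack_into(BPB_FMT, bs, 11, SECTOR, 1, 1, 2, 512, total_sectors - 1, 0xF8, fat_sectors)
    bs[0x1FE:0x200] = b'\x55\xAA'
    fat = bytearray(fat_sectors * SECTOR)
    fat[0:4] = b'\xF8\xFF\xFF\xFF'          # reserved FAT16 entries 0 and 1
    image = bytes(mbr + bs + fat + fat)
    return image + bytes(total_sectors * SECTOR - len(image))


def corrupt_like_described(image, fat_sectors=2):
    """Overwrite MBR..boot sector with junk and both FATs with an incrementing 32-bit counter."""
    img = bytearray(image)
    junk = bytes((i * 37 + 11) & 0xFF for i in range(2 * SECTOR))   # stand-in for random file data
    img[0:2 * SECTOR] = junk
    fat_len = fat_sectors * SECTOR
    counter = b''.join(struct.pack('<I', n) for n in range(fat_len // 4))
    for fat_start in (2 * SECTOR, 2 * SECTOR + fat_len):            # assumption: counter restarts per FAT
        img[fat_start:fat_start + fat_len] = counter
    return bytes(img)


def looks_like_counter(data):
    """True if data is a run of little-endian 32-bit values, each exactly one more than the last."""
    n = len(data) // 4
    vals = struct.unpack_from('<%dI' % n, data, 0)
    return n >= 2 and all(b - a == 1 for a, b in zip(vals, vals[1:]))


def find_counter_runs(image):
    """Return (start_sector, length_in_sectors) for every maximal run of counter-filled sectors."""
    runs, start, prev_last = [], None, None
    nsec = len(image) // SECTOR
    for s in range(nsec):
        sec = image[s * SECTOR:(s + 1) * SECTOR]
        if not looks_like_counter(sec):
            if start is not None:
                runs.append((start, s - start))
                start = None
            continue
        first = struct.unpack_from('<I', sec, 0)[0]
        last = struct.unpack_from('<I', sec, SECTOR - 4)[0]
        if start is None or first != prev_last + 1:       # new run (e.g. counter restarted at 0)
            if start is not None:
                runs.append((start, s - start))
            start = s
        prev_last = last
    if start is not None:
        runs.append((start, nsec - start))
    return runs


def triage(image):
    """Summarise MBR, boot-sector and FAT health; works even when the BPB is unreadable."""
    mbr = image[:SECTOR]
    report = {'mbr_signature_ok': mbr[0x1FE:0x200] == b'\x55\xAA', 'partition_lba': None,
              'bpb_ok': False, 'fat_regions_counter': [], 'counter_runs': find_counter_runs(image)}
    _status, _, ptype, _, lba, _size = struct.unpack_from(PART_FMT, mbr, 0x1BE)
    if report['mbr_signature_ok'] and ptype and (lba + 1) * SECTOR <= len(image):
        report['partition_lba'] = lba
        bs = image[lba * SECTOR:(lba + 1) * SECTOR]
        bps, _spc, reserved, nfats, _, _, _media, spf = struct.unpack_from(BPB_FMT, bs, 11)
        if bs[0x1FE:0x200] == b'\x55\xAA' and bps == SECTOR and nfats in (1, 2) and spf:
            report['bpb_ok'] = True
            for i in range(nfats):
                off = (lba + reserved + i * spf) * SECTOR
                report['fat_regions_counter'].append(looks_like_counter(image[off:off + spf * SECTOR]))
    return report


if __name__ == '__main__':
    healthy = build_healthy_image()
    print('healthy :', triage(healthy))
    print('damaged :', triage(corrupt_like_described(healthy)))
```

The point of `find_counter_runs` is that it does not depend on the partition table or BPB, which in this scenario are exactly the structures that were destroyed: it locates the overwritten FATs from the counter pattern alone, and that gives a recovery the sector offsets it needs. A structured counter is also the kind of evidence worth preserving; a raw `dd` image of the first few thousand sectors taken before any repair would have kept the boot-sector contents the post regrets losing.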

safespeed


Friday 26th December 2003
james_j said:
I'm glad to see the site's still operational.

Just a note: there is a typo on the main page, on the "Speed Limits" link...."peed" should be "speed". (I assume!)


The attack wasn't against the web site, it was against my usual PC where content for the site is created and managed. I should have made this clear in the original post.

Thanks for the typo correction. I'll get to that sometime today.

Best Regards,
Paul Smith
Safe Speed
www.safespeed.org.uk

safespeed


Friday 26th December 2003
busa_rush said:
Paul, I've got a spare internal SCSI 24GB DAT drive if you need it, just let me know, foc.


WOW! That's mighty generous. Thanks and thanks again. YHM.

Best Regards,
Paul Smith
Safe Speed
www.safespeed.org.uk

safespeed


Monday 29th December 2003
_DJ_ said:
I'd guess that this was some kind of virus attack.
If someone was going to attack your system, why sound the internal speaker? There are a number of viruses which perform actions similar to those described (such as http://vil.nai.com/vil/content/Print98194.htm) and I've seen a few previously on Windows-based OSes. Presumably you're running Windows 9x and Word on your machine?


I'd agree, except I've worked for the last decade as a computer engineer and have removed hundreds of virus infections from customers' computers. I've never had an infection on any of my computers. Anyway, I recovered 100% of files and there's no virus to be found.

Neither have I been able to find a virus description where the FATs are overwritten with a 32-bit incrementing number.

As for sounding the system beeper, maybe that was to hide the tick, tick, tick of the HDD as the FATs were overwritten?

I can't go into any more detail in a public forum.

Best Regards,
Paul Smith
Safe Speed
www.safespeed.org.uk