Safe Speed attacked


safespeed

Original Poster:

2,983 posts

275 months

Friday 26th December 2003
On Monday morning this week at 4:00am something unusual happened to my main computer.

Critical areas of the main hard disc drive were overwritten with garbage. In particular, the area from the partition table to the first FAT (file allocation table), which includes the MBR, was overwritten with random file data, and both FATs were overwritten with an incrementing 32-bit number. During this process the system beeper sounded continuously. In the early stages of recovery a similar "event" occurred and the MBR and FATs were overwritten a second time, and again the system beeper sounded continuously. My only explanation for this is that malicious code was running on my computer. Unfortunately I blanked the boot sector without capturing its content; I later realised that this was where the malicious code probably resided. I kept no copy.

This seems to me to have the characteristics of a deliberate attack. No worm, trojan or virus has been found anywhere, so I'm rather thinking that I was somehow deliberately targeted via my internet connection. Since I run a good quality firewall, properly configured, I regard the attack as extremely sophisticated. In fact I really don't know how such an attack would be possible.

Thankfully I have been able to recover 100% of the former content of the hard drive and I'm pretty much up and running again. Good job too, because the event exposed some critical weaknesses in my backup procedures. If it hadn't been for Christmas, I'd have been fully operational in two days. I've now got a huge backlog of email, but hope to work through it in the next 24 hours.

If anyone would like to discuss technical details of the attack, recovery or protection from any similar future attacks, I'd be delighted to hear from you.

And of course, as usual, the lesson is to make damn sure that you have functional, effective, comprehensive and up to date backups of all important data.

Best Regards,
Paul Smith
Safe Speed
www.safespeed.org.uk
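
The recovery and protection discussion the post invites, as an added example that is not part of the original post or of Safe Speed's own tools: a small Python triage script that does the two things the post regrets not doing, keeping a hashed copy of the first sectors before any repair tool writes to the disk, and checking whether sector 0 and the first FAT show the damage pattern described (partition table and signature gone, FAT replaced by an incrementing 32-bit counter). The disk image, the damage and the junk data are all constructed in memory so it runs offline. The layout is a simplification assumed for the demo (FAT32, the first FAT immediately after the MBR, no reserved sectors in between); on a real volume the FAT offset comes from the BIOS parameter block in the volume boot sector.

```python
"""Added example (not Safe Speed's code): triage the first sectors of a FAT32
disk image for the damage pattern described in the post, and capture a hashed
copy of the evidence before any repair is attempted.

Assumed, simplified layout: sector 0 is the MBR and the first FAT starts at
sector 1.  A real volume has reserved sectors and a volume boot sector in
between; take the FAT offset from the BIOS parameter block in that case.
"""
import hashlib
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"
FAT32_EOC = 0x0FFFFFFF


def build_healthy_image(fat_sectors=4, chained_clusters=20):
    """Constructed sample: one active FAT32 partition and a FAT holding a
    single contiguous file occupying clusters 2..(1 + chained_clusters)."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xEB\x58\x90"                      # stand-in for boot code
    # partition entry 0: status 0x80 (active), CHS fields zeroed, type 0x0C
    # (FAT32 LBA), first LBA 1, 2048 sectors long
    struct.pack_into("<BBBBBBBBII", mbr, 446, 0x80, 0, 0, 0, 0x0C, 0, 0, 0, 1, 2048)
    mbr[510:512] = MBR_SIGNATURE

    fat = bytearray(SECTOR * fat_sectors)
    struct.pack_into("<I", fat, 0, 0x0FFFFFF8)      # entry 0: media descriptor 0xF8
    struct.pack_into("<I", fat, 4, FAT32_EOC)       # entry 1: end-of-chain marker
    last = 1 + chained_clusters
    for cluster in range(2, last + 1):
        nxt = cluster + 1 if cluster < last else FAT32_EOC
        struct.pack_into("<I", fat, 4 * cluster, nxt)
    return bytes(mbr) + bytes(fat)                   # remaining entries stay free (0)


def simulate_damage(image, counter_start=0x1000):
    """Reproduce the described event on a copy: sector 0 replaced by file-like
    junk, the whole FAT region replaced by an incrementing 32-bit counter."""
    damaged = bytearray(image)
    damaged[0:SECTOR] = (b"random file data" * (SECTOR // 16))[:SECTOR]   # constructed junk
    for i, off in enumerate(range(SECTOR, len(damaged) - 3, 4)):
        struct.pack_into("<I", damaged, off, (counter_start + i) & 0xFFFFFFFF)
    return bytes(damaged)


def capture_evidence(image, sectors=64):
    """What the post regrets not doing: keep a copy of the first sectors, with a
    hash, before running any tool that writes to the disk."""
    blob = bytes(image[: SECTOR * sectors])
    return blob, hashlib.sha256(blob).hexdigest()


def counter_fill_fraction(region):
    """Fraction of consecutive little-endian 32-bit words that increase by exactly 1."""
    words = [struct.unpack_from("<I", region, off)[0] for off in range(0, len(region) - 3, 4)]
    if len(words) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(words, words[1:]) if b == a + 1)
    return steps / (len(words) - 1)


def triage(image, fat_offset=SECTOR):
    """Return the checks a recovery engineer would run on sector 0 and the first FAT."""
    sector0 = image[:SECTOR]
    fat = image[fat_offset:]
    entry0, entry1 = struct.unpack_from("<II", fat, 0)
    findings = {
        "mbr_signature_ok": sector0[510:512] == MBR_SIGNATURE,
        # a partition entry's status byte is only ever 0x00 or 0x80
        "partition_table_ok": all(sector0[446 + 16 * i] in (0x00, 0x80) for i in range(4)),
        # entry 0 carries the media descriptor, entry 1 an end-of-chain value;
        # a counter fill destroys both
        "fat_header_ok": (entry0 & 0x0FFFFFFF) >= 0x0FFFFFF0
                         and (entry1 & 0x03FFFFFF) == 0x03FFFFFF,
        "fat_counter_fraction": counter_fill_fraction(fat),
    }
    # a contiguous file also yields an incrementing run in a healthy FAT, so the
    # counter signature is only trusted when the reserved header entries are gone too
    findings["fat_counter_filled"] = (not findings["fat_header_ok"]
                                      and findings["fat_counter_fraction"] > 0.9)
    return findings


if __name__ == "__main__":
    healthy = build_healthy_image()
    print("healthy:", triage(healthy))
    damaged = simulate_damage(healthy)
    blob, digest = capture_evidence(damaged)
    print("evidence sha256:", digest)
    print("damaged:", triage(damaged))
```

The order matters: run capture_evidence on the real device (or on a dd image of it) before anything that rewrites the boot sector, because the counter-fill and junk pattern in those sectors, and whatever code the post suspects lived in the boot sector, is the only record of what happened. The incrementing-counter check alone is not proof of damage, since a healthy FAT also contains incrementing runs wherever a file is stored contiguously; the script therefore only reports a counter fill when the reserved first two FAT entries have been overwritten as well.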

Roadrage

603 posts

245 months

Friday 26th December 2003
safespeed said:
On Monday morning this week at 4:00am something unusual happened to my main computer.
[...]

Hmm, very odd.
Hope it's up and sorted soon, m8.

streaky

19,311 posts

250 months

Friday 26th December 2003
Paul - you have mail - Streaky

pbrettle

3,280 posts

284 months

Friday 26th December 2003
Paul,

YHM

voyds9

8,489 posts

284 months

Friday 26th December 2003
Don't let the bu66ers get you down.

JMGS4

8,741 posts

271 months

Friday 26th December 2003
Paul, I hope everything is up and running again. Thought about bringing charges against unknown people for criminal damage? Perhaps a good lot of press coverage, calls to police and your local MP might help? Can't help on the 'puter side as I'm a 'puter numpty..... Still, have a great rest of Christmas and a guid Hogmanay..............

james_j

3,996 posts

256 months

Friday 26th December 2003
I'm glad to see the site's still operational.

Just a note: there is a typo on the main page, on the "Speed Limits" link...."peed" should be "speed". (I assume!)

puggit

48,521 posts

249 months

Friday 26th December 2003
Paul - YHM

safespeed

Original Poster:

2,983 posts

275 months

Friday 26th December 2003
james_j said:
I'm glad to see the site's still operational.

Just a note: there is a typo on the main page, on the "Speed Limits" link...."peed" should be "speed". (I assume!)


The attack wasn't against the web site, it was against my usual PC where content for the site is created and managed. I should have made this clear in the original post.

Thanks for the typo correction. I'll get to that sometime today.

Best Regards,
Paul Smith
Safe Speed
www.safespeed.org.uk

gh0st

4,693 posts

259 months

Friday 26th December 2003
Paul,

I run a business that deals with this sort of thing, and I also do network security implementation and development for small businesses / small corps.

Mail me offline if you need any further details or help and I will be more than happy to oblige.

There will of course be no charge to you.

Regards,

Gh0st

busa_rush

6,930 posts

252 months

Friday 26th December 2003
Paul, I've got a spare internal SCSI 24GB DAT drive if you need it, just let me know, foc.

safespeed

Original Poster:

2,983 posts

275 months

Friday 26th December 2003
busa_rush said:
Paul, I've got a spare internal SCSI 24GB DAT drive if you need it, just let me know, foc.


WOW! That's mighty generous. Thanks and thanks again. YHM.

Best Regards,
Paul Smith
Safe Speed
www.safespeed.org.uk

deltaf

6,806 posts

254 months

Friday 26th December 2003
This has to be related to that Brake "death threat" bollox that squarey mary bleated about.
It seems too much of a coincidence for anything else.
Maybe a letter to The Times is in order; "Safespeed attacked by Brake hackers" would be a good headline...

Hope they didn't cause you too much trouble, Paul. It's obvious to us all now that they're running scared (yes, they really are cowards) and they've tried to wipe you out.
Make sure you have backups, mate, and make sure they're encrypted and secure. Who knows what these lentilists will try next.

All the best mate.

DennisTheMenace

15,603 posts

269 months

Friday 26th December 2003
I doubt it is Brake, Delta. Could be anybody trying to spark a reaction and cause comments like yours. Keep calm and have a JD and Coke; I don't think Ted wants Brake whinging on here again for a day or two.

Hope you get everything sorted, Paul. Excellent site.

streaky

19,311 posts

250 months

Friday 26th December 2003
Hope Ted doesn't mind me posting this, but deltaf's post caused the following thought to spring unbidden to my mind.

An undercover operative from a certain organisation (which shall remain nameless) shins up the pole and disconnects the telephone wire outside Paul Smith's house, interrupting Paul's connection to the Internet.

When news of this incident was passed to the press, the headline in The Times read, (wait for it) ...

SafeSpeed crashes! Brake cuts line!

Streaky

PS - with sincere apologies to Paul for my little joke - S

deltaf

6,806 posts

254 months

Friday 26th December 2003
Ahh, Denny me boy! I didn't say it WAS Brake... just a Brake hacker...
It's defo someone with an axe to grind... maybe our friend Toomey who was here the other day, perhaps????
Lots of activity over a short period of time, etc. etc.

Paul, does your firewall log all attempts to connect with it?
If so, you may have a log of the attacker, even if he's gone through a proxy... or maybe I'm wrong..

Criminal behaviour from the lentilists... just 'cos they've lost the argument!

haggishead

8,472 posts

253 months

Friday 26th December 2003
Easy tigers!

I don't think it's wise at all to speculate on who might be behind this - it may well just be a totally random attack - Paul has already said that he has no idea what malicious code it was or where it came from...

Please let's not over-react and play into anybody's hands...

DennisTheMenace

15,603 posts

269 months

Friday 26th December 2003
Delta, wouldn't that be a Brake specialist?

sgt^Roc

512 posts

250 months

Friday 26th December 2003
The big eye is on you, Paul. You must know Tony and his cronies are less than democratic about who challenges their ideas; Brunstrom has already proved it by sending that memo out regarding you. I'm gonna donate some wanga to ya cause in the new year. Say, I have been noticing strange cut shapes around Maidenhead, the kind you see before lights and such, but in very strange places. Could they be sensors of some kind? Are they up to something again?

streaky

19,311 posts

250 months

Saturday 27th December 2003
sgt^Roc said:
... Say, I have been noticing strange cut shapes around Maidenhead, the kind you see before lights and such, but in very strange places. Could they be sensors of some kind? Are they up to something again?


Could be DS2 in-road installations or part of the national traffic monitoring scheme - Streaky