
Malware, hardware or other?


zviw (MIS), Oct 11, 2002, US
I have a weird situation at one location.

Over the past week they have been experiencing systems crashing and/or restarting. When the system is rebooted, during POST, it prompts for a system password. There was never any password set on these systems. Now, I cleared the password and set my own BIOS password, and this was also reset.

This has happened to four different Dell systems: 2 OptiPlex 740, 1 Dimension 8200, one Latitude laptop. These systems all access a critical DOS program that is running off an old NetWare 3.12 server running Btrieve on the server. The issues occur while this program is in use. I've scanned for viruses but no luck.

There have been additional symptoms as well - Network settings - including adapters, clients and protocols disappearing, uninstalled or reset. Unrelated server (same physical network/subnet, different Domain) restarting - seems it is receiving a shutdown command as seen from logs and a few prompts that we caught sight of asking to verify shutdown as this will disconnect users.

I am in the middle of doing virus/malware scans on the systems. We have changed our switches, some cabling and are checking the electrical power (UPSs don't show errors).

Zvi
 
I'm leaning more along the lines of electrical power. Even if the UPSs don't show problems, momentary spikes and surges can get through. Most power companies can put monitors on the power grid inside your office/plant/whatever.

I've also seen strong magnetic or EMF pulses do the same thing. You aren't working near a Uranium dump site are you? ;-)


James P. Cottingham
 
You aren't working near a Uranium dump site are you?

No - NYC

Seriously, though. Although we were thinking about the power, I cannot understand how it would repeatedly set BIOS passwords on different systems. This morning another system was affected.

Zvi
 
The BIOS can be reset via an electrical contact on the motherboard but if someone is changing the password then that might be something else. Are all the systems from the same manufacturer, e.g. HP, Dell?

It's not trivial to reset the BIOS if the BIOS manufacturers are different since each maker uses a different method to flash the BIOS.

Are you sure someone doesn't have physical access to these machines like a janitor?


James P. Cottingham
 
All the systems are Dell, different models though.

People have access, but this is occurring during the day while the systems are in use. At night/weekends everything is locked tight.

Zvi
 
Since they are all the same make, they probably all use the same BIOS maker, hence someone could have written a program or script that would affect the BIOS. Did someone get fired recently? Maybe someone with technical knowledge, or who knows someone who has some.

Is there a program or script that is common to this division? Something everyone runs as part of some admin or company work?


James P. Cottingham
 
I think I tracked it down. Seven hours of work (myself and an assistant), and we tracked it down to some sort of malware on one workstation. This station was checked numerous times with various spyware/antivirus scanners over the past week and they showed nothing. We ran NOD32 on it and it found a trojan.

After it cleaned up the trojan we found numerous odd files on the root of the boot drive; many of the files had non-alphanumeric characters for the filenames. I was inspecting one file, bugs.txt, and the system started acting up. It was 2 AM and I was too exhausted at that point, so I just shut it down and took it off the LAN.

My main goal last night was to get the network functioning, which I think I did. I don't yet know what else is on that system.

Thanks for your help. As for your questions, we don't have any clear idea who would want to do something like this, or whether this was a targeted attack. We will have to look at the system more thoroughly to figure that out.


Zvi
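The last post stops at the point where a practitioner would want to preserve evidence before touching the machine further: the odd files on the root of the boot drive were inspected by hand and the system "started acting up". The script below is an added example, not code from the thread or from any product named in it, showing the safer first step: inventory every file sitting in the drive root, hash it, flag names that contain characters outside an ordinary filename, and never open, run or clean anything. The hashes and sizes can then be compared across the other affected Dell machines and submitted to a vendor or lookup service without re-reading the originals. The directory and filenames it creates are constructed for the demo (a temporary directory standing in for C:\ on the infected workstation); the character class used to decide what counts as "ordinary" is an assumption you should adjust to your own environment.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone

# Assumed definition of an "ordinary" filename on a Windows boot-drive root:
# letters, digits, space, dot, underscore, tilde, dollar and hyphen. Anything
# else (symbols, control characters, high-bit characters) is flagged, which is
# how the non-alphanumeric names described in the thread would be caught.
ORDINARY_NAME = re.compile(r"^[A-Za-z0-9 ._~$-]+$")


def sha256_of(path, chunk=65536):
    """Hash a file in fixed-size chunks. The file is only read, never executed
    or modified, so the hash can be used as evidence and for cross-host matching."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage_root(root):
    """Inventory the files directly under `root` (not recursive).

    Returns one record per regular file: name, size, UTC mtime, SHA-256 and a
    `suspicious` flag set when the name falls outside ORDINARY_NAME. Symlinks
    are skipped so a planted link cannot redirect the scan elsewhere."""
    records = []
    for entry in sorted(os.scandir(root), key=lambda e: e.name):
        if not entry.is_file(follow_symlinks=False):
            continue
        st = entry.stat(follow_symlinks=False)
        records.append({
            "name": entry.name,
            "size": st.st_size,
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_of(entry.path),
            "suspicious": ORDINARY_NAME.match(entry.name) is None,
        })
    return records


def suspicious_names(records):
    """Just the flagged names, in the same sorted order as the inventory."""
    return [r["name"] for r in records if r["suspicious"]]


def build_sample_root():
    """Constructed sample data: a throwaway directory that stands in for the
    root of the infected workstation's boot drive. The names and contents are
    invented for this example and are not the files from the thread."""
    root = tempfile.mkdtemp(prefix="triage_")
    samples = {
        "boot.ini": b"[boot loader]\r\n",
        "bugs.txt": b"placeholder text, not the real file\r\n",
        "~!@#.dat": b"\x00\x01\x02",
        "\u00e9\u00e8\u00ea.exe": b"MZ",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_root()
    for r in triage_root(root):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['size']:8d} {r['sha256'][:16]}... {r['mtime']} {r['name']!r}")
```

Run it on the real drive root by replacing `build_sample_root()` with the mount point, ideally from a clean boot medium or with the disk attached to a known-good host, and keep the output with the machine's name and the date. Do the same on the other affected systems; a matching hash on two hosts that "showed nothing" to the scanners is the kind of lead the thread's author was looking for.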
 