Evidence left behind...(Gonzor payload)

[sintax]

Hello all,

I have a rather long story, but the short version of it is that at one point during school I inserted a switchblade drive (this is the reason I label my drives, I've got 2 U3s) into a Windows 2000 machine, and since I didn't know it was a switchblade drive, I did not hold shift. The virus scanner (OfficeScan) popped up with a few detections, which I assumed were a few of the progs I had written myself or had on my thumb drive, and since it didn't delete them, I just ignored it. (Oh, and for the record it's GonZor's payload) About a month later I was called down to the office, as two "hacking tools" as they called them were discovered on my account. They gave me the names: firepassword.exe (the firefox password dumper) and Cache A dump (no idea what this is, it could have been cachea.dump, knowing the idiots I was dealing with) How could these two files, or evidence of these two files, have been left behind? Also, if you have another spare moment, I could use a few suggestions about how to get myself out of this.

Thanks

-Sintax

[digip]

Just a word to the wise, this is why it is suggested not to do this at work or school, etc, and you must understand the consequences before using such tools. Best case scenario is deniability, and not bringing the device into school. Claim it must have been someone attacking the machine you were at while you were logged in or something, and that they did it while you were logged on, but away from the machine or something. Really though, you should own up to it, tell them it was a mix up with your thumb drives and that you brought the wrong one in or something. I doubt they are going to let it go since they pin pointed you in the issue, so most likely you can expect disciplinary action on their part.

Good luck!

[iisonly]

:lol:

Happend to me to. F-Secure popped up some alerts and 18. minutes later i got email from our ... IT Specialist titled "Whats going on???"

i replayed and thank god, this was all of it :)

You are questioning how did they knew program names? F-Secure sends every alert to some specified email address (if specified) and it looked like that:

Date: 2008-04-03 09:16:49+03:00

Host: KLASS1-04 (192.168.5.4)

Computer name: klass1-04

User account: ITCOLLEGE\tpuhu

Product: F-Secure Anti-Virus (OID: 1.3.6.1.4.1.2213.12)

Severity: security alert (5)

Message: Spyware detected:

Type: riskware

Family:

Name: PSWTool.Win32.Messen

Object: E:\SYSTEM\SRC\MSPASS.EXE

Action: Removal from the system failed.

[Sparda]

Hello all,

I have a rather long story, but the short version of it is that at one point during school I inserted a switchblade drive (this is the reason I label my drives, I've got 2 U3s) into a Windows 2000 machine, and since I didn't know it was a switchblade drive, I did not hold shift. The virus scanner (OfficeScan) popped up with a few detections, which I assumed were a few of the progs I had written myself or had on my thumb drive, and since it didn't delete them, I just ignored it. (Oh, and for the record it's GonZor's payload) About a month later I was called down to the office, as two "hacking tools" as they called them were discovered on my account. They gave me the names: firepassword.exe (the firefox password dumper) and Cache A dump (no idea what this is, it could have been cachea.dump, knowing the idiots I was dealing with) How could these two files, or evidence of these two files, have been left behind? Also, if you have another spare moment, I could use a few suggestions about how to get myself out of this.

Thanks

-Sintax

Tell them there network, is actually your network that they are paying for, just for fun.

[sintax]

Tell them there network, is actually your network that they are paying for, just for fun.

Haha, yeah. I basically got the same told to me, "This isn't your network that WE are paying for!" I have to say I chucked at that one. However, what I was told is that the files were "left on the server" and yes, I did ask to make sure it wasn't just the scan logs, the files were actually physically on the server. Is it a possibility that OfficeScan made a copy or something?

[Sparda]

It's probably poorly configured so makes a 'quarantined' copy before deleting it, and probably copies file permissions and ownership along with it.

Another good one is "Your server, is actually my torrent tracker."

[sintax]

Haha yeah, alright. I'm probably gonna just say that i switched the drives by accident, although there is no proof of that so ill probably get busted anyway, but whatever. The thing i find hilarious is that I'm the "hacker" at my school, I have a bit of a rep. And I get asked for help from them more than I get in trouble with them, I'm good friends with the head IT guy. So I probably won't get in much, if any trouble. Thanks guys

Peace

-Sintax

[tim.vangehugten]

If you do this again then just use someone else his/her account I always do:p

[snakey]

deny till you die and you will have no problem. Act dumb say you dont know what it is and that another student might have hacked your account so on and so forth and you'll be sweet.

also don't be stupid with switchblade mark all your switchblade drives with a (s) at the end so it font happen again.

[moonlit]

deny till you die and you will have no problem. Act dumb say you dont know what it is and that another student might have hacked your account so on and so forth and you'll be sweet.

also don't be stupid with switchblade mark all your switchblade drives with a (s) at the end so it font happen again.

Yeah, that's great and all, until you realise that they've had an eye on you for a while and that "someone probably hacked my account" is about as believable as "I actually live on Jupiter, I wasn't aware that the rules were different from planet to planet".

[Rab]

you hacked the gibson from your house?

[snakey]

obviously you haven't been in school for years mr moonlit. In my final year i got caught getting free photocopy's ( not quite hacking but pretty similar punishment ) i just acted dumb said i didn't know anything and a random guy told me the code and i got off the hook :). do something similar and you will be fine. Also a school network admin aint going to be watching you for a while he government they dont do there job properly.

[VaKo]

Just lie about it. Deny all, act surprised and ask worried questions about your files being hacked and could the viruses infect your word documents. (Even though they are not, your a layman, and a layman thinks a virus scanner is for stopping viruses, so anything it picks up is a virus).

[sintax]

Wow its been a while, just came back to Hak.5 and am gonna be a bit more active in the forums

But anyway, the way this whole thing turned out is that I ended up getting 2 detentions, despite what the head guy tried to do for me. Not a huge deal, I basically just said it was a mistake, but they didn't really care. Whatever. Well anyway, thanks for the comments

Peace

[snakey]

should have denied and acted dumb

[sintax]

should have denied and acted dumb

Problem is I can't do that, considering the staff already knows that I knew a lot about computers =\

[iisonly]

firepassword.exe aint hacking/cracking/sniffing/etc tool but password recovery tool!!1! :)

and you just happened to dblclick on it ;)

[snakey]

sounds liek you dont if your getting into trouble like this :P