Technical question about Windows ME, dial up and remote control

I have a client that has a Windows ME box that they are using as a modem bank basically. They have software on it that allows the PC to dial out to poll control panels and either transfer data out or retrieve data from the panels. According to the customer nothing and no one should be able to dial in…and afaict by looking at the software and config info there is nothing on it that would allow remote control of the box if someone DID dial in. (Let me qualify this by saying that I’m not exactly an expert on ME and how it works…seems similar to Windows 2000, which I am a bit more familiar with).

That said I watched a video last night of the box in question (it’s in a NOC and they have cameras that monitor the room)…and something weird certainly happened. Watching the video I saw the monitor go blank, come back, go blank, come back over the period of 15 min (there is no screen saver and watching the hour before this on time lapse, it didn’t happen even once). Then I distinctly saw the cursor move down to Start and go to the ME help function (gods know why)…all with no one there.

This computer has no connection to an internal LAN (it has no NIC for that matter)…it’s strictly a dial-out box with 6 modems attached.

The question is…does ME have anything in it that would allow for someone to dial in and take remote control of the box? If not…what other kinds of things should I look for? Are there any known stealth viruses or worms that could be hiding out and allowing someone to dial in and take control?

Or should I call Ghost Busters?

-XT

Maybe the problem is hardware. Does it have a wireless mouse or bluetooth? Radio signals from something else like a mouse in the next room could be interfacing with the ME box. Beams in buildings can carry the signals further than the specs given. A failing keyboard can also cause problems like this. You of course saw it, so would know if it was beyond what bad input could cause.

Nope, no wireless or bluetooth. In fact, the thing has an old-fashioned 9-pin mouse and keyboard (no modern PS/2 ports :P ), no USB ports…it’s, simply put, an old computer.

As for failing mouse/keyboard, I suppose it’s possible. It SEEMS to work fine when I’m using it…and the movements looked pretty specific (mouse moved to Start, then moved to Control Panel, then did something I couldn’t make out, then up popped the ME Help screen that lets you walk through some of the diagnosis stuff)…though I can’t see WHY someone who was hacking in would do what they did. I would expect a hacker to either trash the system or go for the data…not screw around with the help function.

It freaked the NOC guys out…it happened around 1am and they had never seen anything like it. I can’t rule out ‘practical joke’, but honestly they were all pretty pale and freaked out on the video I just looked at (and they called me at 2am pretty shaken…joy). Also, I can’t think how I would do such a joke with what’s in the machine…but then, I can’t think how I’d dial in to do it either.

Here’s hoping someone in here will come in and say how easy it is to remote control an old ME box via dial in by doing X…

-XT

You (or the clients) could ask the telephone company to provide phone records to determine if anyone made any incoming calls to the number in question. Better still, you could ask the telephone company to change the phone number of the box to an outgoing-only phone line. I don’t know much about hacking, but there are lots of things that worry me about this situation from an engineering standpoint:

  • There’s no reason to have incoming calls, but the line permits them.
  • Modems are amazing general-purpose devices that may be hackable, especially if it’s an older modem with old firmware.
  • Windows ME is not a terribly secure OS to begin with, and it’s been exactly one year ago today that MS stopped providing support/updates/patches for WinME. Any vulnerabilities that existed a year ago are almost certainly still vulnerable on your box.

The MS Knowledge Base describes how to create such a vulnerability, and you can use that to reverse-engineer a solution to close the hole… unless the (notional) attacker has already planted something that dials out.

Consider some modem-logging software and a CD-R drive. Put in a write-once CD and use multi-session burning software to dump logfiles onto a CD. That will make each logfile essentially permanent as soon as the caller disconnects – as long as they don’t suspect that a log is being created then you’ll have a record of their presence.