Hello friends,
We discovered this hacker attack by changes today.
The server has been used by hackers to send e-mails for several days.
Antivirus software was installed.
The hackers made a new admin account "free" and installed a mailing software in this new user folder.
I thought that I would write a Fivewin program and supervise the created USER accounts and the user directories.
If there are new files installed I will send a warning.
Maybe someone already has a solution.
Kind regards
Otto
Fivewin - anti hacker software
Fivewin - anti hacker software
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org
********************************************************************
Re: Fivewin - anti hacker software
When we entered via TeamViewer on a customer server today we saw this screen.
The server has been used for several days by hackers to send emails.
Now we plan to write a FW program so that we get notified of such hacks.
Best regards,
Otto
The server has been used for several days by hackers to send emails.
Now we plan to write a FW program so that we get notified of such hacks.
Best regards,
Otto
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org
********************************************************************
Re: Fivewin - anti hacker software
Now we plan to write a FW program so that we get notified of such hacks.
Goal? Reason? Is it a solution to avoid attack by hackers?
????
Regards, saludos.
Goal? Reason? Is it a solution to avoid attack by hackers?
????
Regards, saludos.
João Santos - São Paulo - Brasil
Re: Fivewin - anti hacker software
Hello,
This is my anti-ransomware program, which does a good job.
This program monitors the data folder.
Only dbf, fpt and cdx files are allowed in the data folder. If ransomware tries to encrypt a file, the bat file is called with the shutdown command.
The new program will work in a similar way.
If a new user is added, the system sends a warning or shuts down.
The same applies if new files are added to a user folder.
Best regards
Otto
This is my anti-ransomware program, which does a good job.
This program monitors the data folder.
Only dbf, fpt and cdx files are allowed in the data folder. If ransomware tries to encrypt a file, the bat file is called with the shutdown command.
The new program will work in a similar way.
If a new user is added, the system sends a warning or shuts down.
The same applies if new files are added to a user folder.
Best regards
Otto
#include "FiveWin.ch"
// Handles shared by the functions in this listing: oWnd is the dialog defined
// in Main(); oTimer is the timer defined in StartTimer() and paused/resumed
// in check().
static oWnd, oTimer
//----------------------------------------------------------------------------//
// Entry point of the folder watchdog.
// Defines the dialog stored in the file-wide oWnd and activates it; the
// ON INIT clause hands control to StartTimer(), which sets up the polling.
// Returns nil.
function Main()

   DEFINE DIALOG oWnd FROM 3, 3 TO 20, 50 TITLE OemToAnsi( "Testing timers" )

   // StartTimer() is the only thing wired to the dialog: it runs from ON INIT.
   ACTIVATE DIALOG oWnd ON INIT StartTimer()

return nil
//----------------------------------------------------------------------------//
// Creates the timer bound to oWnd and switches it on.
// Each tick runs check(); INTERVAL is 300 (FiveWin timer intervals are
// presumably milliseconds - confirm against the FiveWin documentation).
// Returns nil.
function StartTimer()

   DEFINE TIMER oTimer OF oWnd INTERVAL 300 ACTION check()

   // Same effect as the ACTIVATE TIMER command, written as the method call
   // that check() also uses to resume the timer.
   oTimer:Activate()

return nil
//----------------------------------------------------------------------------//
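// Timer callback: lists the data folder and starts abmelden.bat when an entry
// is found whose extension is not DBF, FPT or CDX.
//
// Scope of the check (worth knowing before relying on it):
//  - It is a name-based allow-list only. It notices entries that appear with
//    another extension; it does not notice changes to the content of existing
//    DBF/FPT/CDX files. Backups and file-integrity monitoring are still needed.
//  - The "DHS" mask also returns directories, hidden and system entries; a
//    sub-directory has no allowed extension and therefore triggers the response.
//  - Only this one folder is listed; sub-folders are not descended into.
//
// Returns nil.
function check()

   local aDir     := directory( "x:\xwhdaten\DATAWIN\" + "*.*", "DHS" )
   local I
   local cName, cExt
   local cFehler  := ""
   local lStarted := .f.

   // Pause the timer for the duration of the scan; it is resumed at the end.
   oTimer:Deactivate()

   FOR I := 1 TO len( aDir )

      cName := aDir[ I, 1 ]

      // Skip exactly the "." and ".." entries. With SET EXACT OFF (the default)
      // the former test `<> "."` compared only the first character, so every
      // name starting with a dot was left unchecked.
      if !( cName == "." .or. cName == ".." )

         cExt := ALLTRIM( UPPER( cFileExt( cName ) ) )

         // Exact comparison (==): with SET EXACT OFF the plain `=` operator
         // also accepted any extension that merely begins with DBF/FPT/CDX.
         if !( cExt == "DBF" .or. cExt == "FPT" .or. cExt == "CDX" )

            cFehler += cName + CRLF
            FWLOG cFehler

            // Start the response once per scan; the remaining offending
            // entries are still logged.
            // NOTE(review): the script name is relative, so it is resolved
            // against the current directory / search path. An absolute path to
            // a folder only administrators can write keeps the response action
            // from being replaced or removed.
            if !lStarted
               winexec( "abmelden.bat" )
               lStarted := .t.
            endif

         endif

      endif

   NEXT

   oTimer:activate()

return nil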
*******************
abmelden.bat
REM Shuts the machine down. No /t value is given, so shutdown.exe applies its
REM default time-out (30 seconds on current Windows - confirm for the target
REM version). Give an explicit /t value if the machine has to stop sooner.
shutdown -S
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org
********************************************************************
Re: Fivewin - anti hacker software
Isn't it better to put it in the Windows tray?
Regards, saludos.
#include "FiveWin.ch"
// Handles shared by the functions in this listing: oWnd is the dialog defined
// in Main(); oTimer is the timer defined in StartTimer(), paused/resumed in
// check() and ended in Main().
STATIC oWnd, oTimer
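// Entry point of the folder watchdog.
// 1. Writes ATTACK.BAT (the shutdown script started by check()) if no file of
//    that name exists in the current directory.
// 2. Opens the dialog; its ON INIT clause starts the polling timer.
// 3. Ends the timer after the ACTIVATE DIALOG statement.
//
// NOTE(review): an ATTACK.BAT that already exists is used as found - its
// content is not verified here. Keep the program folder writable by
// administrators only, or rewrite the file on every start, so the response
// script is known to be the intended one.
//
// Returns nil.
FUNCTION Main()

   LOCAL hFile, cScript

   IF .NOT. FILE( "ATTACK.BAT" )

      // The switch is written as "-S" in one piece, as in abmelden.bat of the
      // first listing. The former text "shutdown - S" separated the dash from
      // the letter, so shutdown.exe was not handed a valid shutdown switch.
      cScript := "@ECHO OFF"         + CRLF + ;
                 "CLS"               + CRLF + CRLF + ;
                 "shutdown -S > NUL" + CRLF + CRLF + ;
                 "CLS"               + CRLF + ;
                 "EXIT"

      hFile := FCREATE( "ATTACK.BAT" )

      // FCREATE() returns -1 when the file cannot be created. Without the
      // script the watchdog would detect a problem but have nothing to run,
      // so make that visible instead of writing to an invalid handle.
      IF hFile == -1
         MsgAlert( "ATTACK.BAT could not be created, error " + ;
                   LTrim( Str( FError() ) ) )
      ELSE
         FWRITE( hFile, cScript )
         FCLOSE( hFile )
      ENDIF

   ENDIF

   DEFINE DIALOG oWnd FROM 3, 3 TO 20, 50 ;
      TITLE OemToAnsi( "Testing timers anti hacker" )

   ACTIVATE DIALOG oWnd ;
      ON INIT StartTimer()

   oTimer:End()

RETURN nil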
// Creates the timer bound to oWnd and switches it on.
// Each tick runs check(); INTERVAL is 300 (FiveWin timer intervals are
// presumably milliseconds - confirm against the FiveWin documentation).
// Returns nil.
FUNCTION StartTimer()

   DEFINE TIMER oTimer OF oWnd INTERVAL 300 ACTION check()

   // Same effect as the ACTIVATE TIMER command, written as the method call
   // that check() also uses to resume the timer.
   oTimer:Activate()

RETURN nil
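// Timer callback: lists the monitored folder and starts ATTACK.BAT when an
// entry is found whose extension is not DBF, FPT or CDX.
//
// Scope of the check (worth knowing before relying on it):
//  - It is a name-based allow-list only. It notices entries that appear with
//    another extension; it does not notice changes to the content of existing
//    DBF/FPT/CDX files. Backups and file-integrity monitoring are still needed.
//  - The "DHS" mask also returns directories, hidden and system entries; a
//    sub-directory has no allowed extension and therefore triggers the response.
//  - Only this one folder is listed; sub-folders are not descended into.
//
// Returns nil.
FUNCTION check()

   // LOCAL aDir := directory( "x:\xwhdaten\DATAWIN\" + "*.*", "DHS" )
   LOCAL aDir     := directory( "C:\FWH1701\SAMPLES\" + "*.*", "DHS" )
   LOCAL I
   LOCAL cName, cExt
   LOCAL cFehler  := ""
   LOCAL lStarted := .F.

   // Pause the timer for the duration of the scan; it is resumed at the end.
   oTimer:Deactivate()

   FOR I := 1 TO len( aDir )

      cName := aDir[ I, 1 ]

      // Skip exactly the "." and ".." entries. With SET EXACT OFF (the default)
      // the former test `<> "."` compared only the first character, so every
      // name starting with a dot was left unchecked.
      IF !( cName == "." .OR. cName == ".." )

         cExt := ALLTRIM( UPPER( cFileExt( cName ) ) )

         // Exact comparison (==): with SET EXACT OFF the plain `=` operator
         // also accepted any extension that merely begins with DBF/FPT/CDX.
         IF !( cExt == "DBF" .OR. cExt == "FPT" .OR. cExt == "CDX" )

            cFehler += cName + CRLF
            FWLOG cFehler

            // Start the response once per scan; the remaining offending
            // entries are still logged.
            // NOTE(review): the script name is relative, so it is resolved
            // against the current directory / search path. An absolute path to
            // a folder only administrators can write keeps the response action
            // from being replaced or removed.
            IF !lStarted
               WINEXEC( "ATTACK.BAT" )
               lStarted := .T.
            ENDIF

         ENDIF

      ENDIF

   NEXT

   oTimer:activate()

RETURN nil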
/*
//******************
abmelden.bat
shutdown - S
*/
João Santos - São Paulo - Brasil
Re: Fivewin - anti hacker software
Hello,
no. In case of a RANSOM attack you have no time.
https://www.youtube.com/watch?v=4gR562GW7TI
Please look from 2.48 on. Here you see the speed of encryption.
Best regards
Otto
no. In case of a RANSOM attack you have no time.
https://www.youtube.com/watch?v=4gR562GW7TI
Please look from 2.48 on. Here you see the speed of encryption.
Best regards
Otto
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org
********************************************************************
Re: Fivewin - anti hacker software
Hello,
here my first test file.
This detects account changes.
Best regards
Otto
here my first test file.
This detects account changes.
Best regards
Otto
#include "FiveWin.ch"
//----------------------------------------------------------------------------//
// Entry point of the account-check test program.
// Shows a dialog with a single "Check" button; pressing it runs
// checkAccounts(). The font is released after the ACTIVATE DIALOG statement.
// Returns nil.
function Main()

   local oDlg, oFont, oBtn

   DEFINE FONT oFont NAME "TAHOMA" SIZE 0,-12
   DEFINE DIALOG oDlg SIZE 1000,600 PIXEL TRUEPIXEL FONT oFont

   // The button is the only control; its action is the account comparison.
   @ 100,100 BUTTON oBtn PROMPT "Check" SIZE 100, 44 ;
      ACTION checkAccounts() OF oDlg PIXEL

   ACTIVATE DIALOG oDlg CENTERED

   RELEASE FONT oFont

return nil
//-----------------------
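// Lists the local Windows accounts through a generated VBScript (WMI class
// Win32_UserAccount, LocalAccount=True) and compares the list of names with
// the baseline stored in accountstatus.txt. On the first run the current list
// becomes the baseline.
//
// Limits of this check:
//  - Only account names are compared. Changes to an existing account that
//    leave the name untouched do not show up in this output.
//  - The baseline, the generated script and the batch file all live in the
//    current directory. Run the program from a folder only administrators can
//    write, otherwise the baseline or the executed script can be altered.
//
// Returns NIL.
FUNCTION checkAccounts()

   local cBase          := CurDrive() + ":\" + CurDir()
   local cScript, cOutput, cStatus
   local cText          := ""
   local cACCOUNTS      := ""
   local cAccountStatue := ""

   // CurDir() is empty in a root directory; add the separator only if needed.
   if !( Right( cBase, 1 ) == "\" )
      cBase += "\"
   endif
   cScript := cBase + "GetLocalUsers.vbs"
   cOutput := cBase + "output.txt"
   cStatus := cBase + "accountstatus.txt"

   // NOTE(review): CurDir() carries no drive and no leading backslash, so this
   // path is relative to the current directory; the folder is also not used
   // further down. Left as it was.
   if lIsDir( CurDir() + "\temp" ) = .f.
      lMKDir( CurDir() + "\temp" )
   endif

   cText += 'Set colItems = GetObject("winmgmts:\\.\root\cimv2").ExecQuery("Select * from Win32_UserAccount Where LocalAccount=True")' + CRLF
   cText += 'For Each objItem in colItems' + CRLF
   cText += 'Wscript.Echo objItem.Name' + CRLF
   cText += 'Next' + CRLF
   memowrit( cScript, cText )

   // Remove the result of an earlier run first: if the script cannot be
   // started, a stale output.txt would otherwise be read as the current list.
   ferase( cOutput )

   cText := 'cscript.exe //NoLogo "' + cScript + '" >"' + cOutput + '"'
   memowrit( "runscript.bat", cText )
   waitrun( 'runscript.bat' )

   cACCOUNTS := memoread( cOutput )

   ferase( "runscript.bat" )
   ferase( cScript )

   // Fail closed: an empty list means the enumeration did not work (a Windows
   // host normally has at least its built-in local accounts). It must neither
   // become the baseline nor be reported as "All OK".
   if Empty( cACCOUNTS )
      ? "Account list could not be read"
      return nil
   endif

   ? cACCOUNTS

   if !file( cStatus )
      // First run: store the current list as the baseline.
      memowrit( cStatus, cACCOUNTS )
   else
      cAccountStatue := memoread( cStatus )
      // Exact comparison (==): with SET EXACT OFF the plain `=` operator is
      // true whenever the baseline merely begins with the current output, so
      // a shortened or empty list passed as unchanged.
      if cAccountStatue == cACCOUNTS
         ? "All OK"
      else
         ? "Changes where made"
      endif
   endif

RETURN NIL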
//----------------------------------------------------------------------------//
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org
********************************************************************