[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Strange Lenovo x121e
- To: halfdog <me@xxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Strange Lenovo x121e
- From: Henri Salo <henri@xxxxxxx>
- Date: Thu, 6 Oct 2011 00:12:00 +0300
On Wed, Oct 05, 2011 at 07:57:03PM +0000, halfdog wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello List,
>
> I just puchased a Lenovo x121e and just before init with random data
> and setting up the crypto disks, I found that the disk was not
> completely clean. It seems that
>
> a) X121 ships with a dirty disk or
> b) machine was used before purchase
>
> After reconstruction of bootsector, a NTFS partition is readable,
> pagefile.sys shows
> COMPUTERNAME=ADMIN-THINK
>
> Newest files in /
> dr-x------ 1 root root 28672 May 29 09:45 SWDL
> - -r-------- 2 root root 2490 May 29 09:36 ExitWinXP.bat
> dr-x------ 1 root root 4096 Apr 6 13:59 WWAN1
> dr-x------ 1 root root 0 Mar 1 2011 Temp
> dr-x------ 1 root root 0 Jan 6 2011 $Recycle.Bin
> dr-x------ 1 root root 4096 Jan 6 2011 Users
> dr-x------ 1 root root 0 Jan 6 2011 Intel
> - -r-------- 2 root root 1959 Oct 2 2010 bluetooth.txt
>
> Funny: Might also be infected with virus, that generated sal.xls.exe
>
> - -r-------- 2 root root 4810 Oct 13 2007
> \346\270\205\351\231\244sal.xls.exe\347\227\205\346\257\222.bat
>
> The non-printables seem to be UTF-8 and display as Chinese glyphs on
> other machine.
>
> I'm complete noob in win-forensics, but at least it seems, that there
> is no evidence for other user accounts, Documents & Settings empty, so
> perhaps this could really be an authentic IBM OEM image (with virus),
> but they just replaced the boot sector to get rid of the partitions?
>
> Since I don't want to waste too much time on dirty hardware, I did
> some googling, but found nothing of value.
>
>
> Does someone know of similar findings on Lenovo machines and what's
> your guess: is it worth to dig in deeper or is it just waste of time
> to recover OEM-Windows image, that was deflowered and insufficiently
> cleaned by some Chinese factory worker during lunch hours?
>
> hd
>
> - --
> http://www.halfdog.net/
> PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFOjLZtxFmThv7tq+4RAjg3AJ4xCLYJqExTYk0kqLowYFdB+RU3PQCgk4yW
> zD1Qa8MoApdLGQ5Mns0wpKE=
> =UuJ/
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
I have pretty new X220t and 2011-09-18 I noticed this
http://paste.nerv.fi/59031966-strangedrivers.png when I was working as
administrator. I didn't have any network connected (LAN, WLAN, bluetooth) nor
USB-devices. I also did check event viewer, but didn't find anything useful. I
didn't notice it again nor did I find any evidence of abuse. There is recovery
partition in my model at least, which could have a big amount of executables
and/or drivers. I also do know how to use Windows so as far as I can tell my
laptop is pretty secure. I have firewall, IPS, anti-virus and I am not
installing programs to my system easily :)
Please notify me if you find anything related to this issue. I would be happy
to receive sample of sal.xls.exe. Where did you purchase your laptop?
Best regards,
Henri Salo
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/