Re: Unknown Hosts file

From: H C (keydet89@yahoo.com)
Date: 04/02/02


Date: Mon, 1 Apr 2002 18:02:45 -0800 (PST)
From: H C <keydet89@yahoo.com>
To: David Tan <dtan@chipscc.com>, incidents@securityfocus.com

Dave,

This may actually be nothing more than a practical
joke...after all, it's been listed on such sites as
HappyHacker.org and others for years.

Did you happen to preserve the MAC times and maybe
even the owner of the file? I'm assuming auditing
wasn't enabled, b/c otherwise you'd be able to
correlate the last write time with a login.

Scanning for viruses is good, but you may want to
check for other stuff, too. After all, there are nice
little 'gifts' that some A/V tools don't pick up. I
was at a gov't site, and their A/V product didn't pick
up netcat.

Have you checked open ports? Use netstat to start,
but if you find anything suspicious, grab a copy of
fport from FoundStone's site. Also check processes w/
pslist and listdlls from the SysInternals site, and
maybe even grab pulist from the RK. Check the running
services, as well.

'course, logging is helpful in these incidents, but it
has to be enabled *before* the incident.

HTH

> I have a client machine running Windows 2000
> Professional. All of a sudden, one day, the user
> was
> unable to access several of the most popular
> websites (i.e. google, yahoo, cnn, etc.). I noticed
> that
> the machine was attempting to access the wrong IP
> address for all the websites, in fact, it was
> attempting
> to access the SAME IP address for every website in
> the group. After some research, I found there was a
>
> Hosts file with all the domains in question listed,
> and
> the erroneous IP address. Has anyone ever come
> accross an incident where a virus or trojan would
> place a Hosts file onto a system. I have thoroughly
>
> scanned the machine for viruses, open ports, etc.
> and found nothing. Is there anything else I should
> be
> on the lookout for?
>
>
----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS
> analyzer service.
> For more information on this free incident handling,
> management
> and tracking system please see:
> http://aris.securityfocus.com
>

__________________________________________________
Do You Yahoo!?
Yahoo! Tax Center - online filing with TurboTax
http://http://taxes.yahoo.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



Relevant Pages

  • RE: Unknown Hosts file
    ... > Subject: Unknown Hosts file ... > address for all the websites, in fact, it was attempting ... > For more information on this free incident handling, ... > and tracking system please see: http://aris.securityfocus.com ...
    (Incidents)
  • Re: Guess the tool...
    ... Get email alerts & NEW webcam video instant messaging with Yahoo! ... For more information on this free incident handling, management ... and tracking system please see: http://aris.securityfocus.com ...
    (Incidents)
  • Re: Q328691 ?
    ... Do You Yahoo!? ... For more information on this free incident handling, management ... and tracking system please see: http://aris.securityfocus.com ...
    (Incidents)
  • Unknown Hosts file
    ... address for all the websites, in fact, it was attempting ... place a Hosts file onto a system. ... For more information on this free incident handling, ... and tracking system please see: http://aris.securityfocus.com ...
    (Incidents)
  • Re: Odd Shares showing up on workstations
    ... > Do you Yahoo!? ... For more information on this free incident handling, management ... and tracking system please see: http://aris.securityfocus.com ...
    (Incidents)