RE: I think I've been hacked...please help!

From: Arnold, Jamie (harnold@binghamton.edu)
Date: 04/09/02


From: "Arnold, Jamie" <harnold@binghamton.edu>
To: 'H C' <keydet89@yahoo.com>, "Arnold, Jamie" <harnold@binghamton.edu>, "'incidents@securityfocus.com'" <incidents@securityfocus.com>
Date: Tue, 9 Apr 2002 08:30:33 -0400 

Netstat reveals anywhere from 5 to 15 hosts connecting within seconds of
boot.

When I scan the machine using something like Retina, I get nothing
unusual...139 (bad, I know) 1025, etc. No high ports.

I did install ZA and found win.exe doing most of the damage so I "adjusted"
ZA to reduce the number of connections.

I'm going back today to run Fport and others to try to determine more
info....I now believe that this is something new or a significant variation
of several older exploits.

Put a sniffer in place last night....going to retrieve info today.

These are all Win2K Pro, looks like they have not been patched.....yet....no
IIS services.

Called some friends at SANS and McAfee....they are scratching their heads
also. This is weird.

More to follow.

J

More info to come
-----Original Message-----
From: H C [mailto:keydet89@yahoo.com]
Sent: Tuesday, April 09, 2002 6:45 AM
To: Arnold, Jamie; 'incidents@securityfocus.com'
Subject: RE: I think I've been hacked...please help!

Jamie,

1. Have you gathered detailed process information,
such as using pslist.exe and listdlls.exe (from
SysInternals), and pulist.exe (from the RK)?

2. Have you run netstat? Since you didn't specify
which operating systems are running, I'll point out
that only XP has the '-o' switch in netstat.

3. Have you run fport.exe from Foundstone, mapping
the processes to open ports in netstat?

4. Have you collected any file info...last access
times, etc? Something like the following command is a
quick and dirty way of doing it:

c:\>dir /s /ta /od c:\*

5. Have you collected or reviewed EventLogs (assuming
we're talking about NT/2K here)?

6. Have you done any network-based packet captures?

It seems to me that you might have a pretty
significant incident on your hands...but you really
haven't given us a whole lot of information to work
with. For example, are these machines using publicly
routable addresses? What's the patch level? What
operating system is being used? What major apps are
running (IIS, FTP, etc)?

Of course, this may just be some "goodies" this other
admin friend of yours (the "techie") left behind.

I teach a course that walks admins such as yourself
through how to deal with/handle situations like this.
To be honest, if you have the time, I think these
machines would be very interesting to work
with...observe the activity on the systems, as well as
the network, and see what these "bad guys" are up to.

--- "Arnold, Jamie" <harnold@binghamton.edu> wrote:
> All:
>
> I have several machines that are using excessive bandwidth. Upon
> inspection, I find multiple connections to servers with names like
> irc.badguuy.com, etc... on 6667. Incoming connections are random, although
> 1067 seems to be a common one. I have 4 instances of cmd.exe running and 2
> of win.exe. While it looks like Egghead, the reg entries aren't there, nor
> the directories/files. These machines all had an account ID of Microsoft
> with admin privs on them. They don't connect to a domain and were set up by
> the department "tech" person who left them wide open. What is confusing to
> me is that one of them uses our Exchange server, which is protected by
> Antigen (and I pull nearly every extension known to man) and McAfee on the
> desktop. I can't find anything that matches this. Anyone have any insight?
>
> Thanks
>
> J


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
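An added example, not code from either poster: it does the join H C's step 3 describes. Because Windows 2000's netstat has no '-o' switch, fport's port-to-process table is joined to `netstat -an` on the local port so the 6667 connections can be attributed to the process that owns them (win.exe in this thread). Both tool outputs below are constructed samples that approximate the real layouts; the IPs, PIDs and paths are made up.

```python
import re
# Constructed sample, approximating the layout of `netstat -an` on Windows 2000.
NETSTAT = """\
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1067      10.0.0.5:6667          ESTABLISHED
  TCP    192.168.1.20:1068      10.0.0.6:6667          ESTABLISHED
  TCP    192.168.1.20:1070      10.0.0.9:6667          ESTABLISHED
  TCP    192.168.1.20:1040      10.0.0.10:25           ESTABLISHED
"""

# Constructed sample, approximating the layout of Foundstone's fport.exe.
FPORT = """\
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
1432  win            ->  1067  TCP   C:\\WINNT\\system32\\win.exe
1432  win            ->  1068  TCP   C:\\WINNT\\system32\\win.exe
1500  outlook        ->  1040  TCP   C:\\Program Files\\Outlook\\outlook.exe
"""

IRC_PORTS = {6667}  # remote port the thread reports the machines talking to

def parse_netstat(text):
    """(proto, local_port, remote_ip, remote_port, state) for every row that is not LISTENING."""
    pat = re.compile(r"\s*(TCP|UDP)\s+\S+:(\d+)\s+(\S+):(\d+)\s*(\S*)")
    return [(m[1], int(m[2]), m[3], int(m[4]), m[5])
            for m in map(pat.match, text.splitlines()) if m and m[5] != "LISTENING"]

def parse_fport(text):
    """Map (proto, local_port) -> (pid, process, path) from fport's table."""
    pat = re.compile(r"\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)")
    return {(m[4], int(m[3])): (int(m[1]), m[2], m[5].strip())
            for m in map(pat.match, text.splitlines()) if m}

def irc_connections_by_process(netstat_text, fport_text, ports=IRC_PORTS):
    """Join netstat to fport on local port; group IRC-bound connections by owner. A port fport did not list (process gone, snapshots drifted) is reported as <unknown>."""
    owners = parse_fport(fport_text)
    hits = {}
    for proto, lport, rip, rport, state in parse_netstat(netstat_text):
        if rport in ports:
            pid, name, _path = owners.get((proto, lport), (None, "<unknown>", ""))
            hits.setdefault((pid, name), []).append((lport, rip, rport, state))
    return hits

if __name__ == "__main__":
    for (pid, name), conns in irc_connections_by_process(NETSTAT, FPORT).items():
        print(f"pid {pid} {name}: {len(conns)} IRC connection(s) to {sorted(c[1] for c in conns)}")
```

Run netstat and fport back to back on the affected host; a connection that lands in the `<unknown>` bucket is worth a second pass, since it means the owning process was not visible when fport ran.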
