Re: Compromised Win2000 machine.

From: Daniel Hay (dhay@drexel.edu)
Date: 05/29/02


Date: Wed, 29 May 2002 14:05:55 -0400
From: Daniel Hay <dhay@drexel.edu>
To: H C <keydet89@yahoo.com>


>
>
>Danny took the typical action seen of most
>admins...port scanning the system from the outside,
>and comparing the open ports to lists of known trojans
>and services. This is inconclusive at best, and leads
>to a lot of speculation and time-wasting. Better to
>run fport on the system (if NT/2K...if the system is
>XP, run netstat w/ the '-o' switch) instead, to see
>the process to port mapping.
>

I took the only action I could, given I don't have physical access to
the machine and still have not been able to contact the owner. We are
currently just watching traffic to and from the box to see if we can
see anything that may constitute a pattern that could be used to find
other hosts on campus that have already been, or may in the future be,
owned by similar tools.

Danny

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


