Correction: www.ethereal.com not www.ethereal.org RE: Suspicious file on Desktop

From: Eric Greenberg (eric@netframeworks.com)
Date: 02/10/03

    From: "Eric Greenberg" <eric@netframeworks.com>
    To: "'Patrick Fish'" <patrick@pwhsnet.com>, <incidents@securityfocus.com>
    Date: Mon, 10 Feb 2003 16:34:09 -0500
    
    

    In my post below, I referenced the incorrect website for ethereal. It's
    www.ethereal.com.

    -----Original Message-----
    From: Eric Greenberg [mailto:eric@netframeworks.com]
    Sent: Monday, February 10, 2003 11:55 AM
    To: 'Patrick Fish'; 'incidents@securityfocus.com'
    Subject: RE: Suspicious file on Desktop

    I'll just focus on one aspect of this problem; others will probably
    offer you other very useful input relating to specific trojans, etc.

    For one thing, I'd recommend, in general, using a network sniffer so
    that you can see what, if anything, is leaving your machine to/from
    those IP addresses, especially during bootup. In general, whenever you
    suspect anything network-borne on a machine, the first best thing is to
    look at the wire and see what's happening. While you can put the
    analyzer on the same machine you have concerns with, in general it's
    best to put it on another machine. Set up another machine with Ethereal
    (http://www.ethereal.org) or, if you want a commercial product, you could
    consider http://www.tamos.com. Get a hub (not a switch) if possible and
    put your machine on that hub. Put the network analyzer on the hub. If
    this is a dial-up connection, you have several options, but the first one
    (which may not be forensically sound) would be to run the analyzer on
    your own machine.
    Regards,
    Eric

    ----------------------------------
    Mission Critical Security Planner:
    When hackers won't take no for an answer
    http://www.amazon.com/exec/obidos/ASIN/0471211656

    -----Original Message-----
    From: Patrick Fish [mailto:patrick@pwhsnet.com]
    Sent: Monday, February 10, 2003 5:12 AM
    To: incidents@securityfocus.com
    Subject: Suspicious file on Desktop

    Hi,

    I've been trying to figure out why there is a "Startup.log" file on my
    desktop. I've searched mail archives and google, but didn't find
    anything about this. The file contains:

    (Last octet of IP removed)
    CONNECTION: [01/26/03 21:50 UTC] 62.163.176.xx
    CONNECTION: [01/26/03 21:56 UTC] 67.192.41.xxx
    CONNECTION: [01/26/03 22:01 UTC] 67.192.41.xxx
    CONNECTION: [02/06/03 08:46 UTC] 65.65.81.xxx
    CONNECTION: [02/06/03 08:46 UTC] 65.65.81.xxx
    CONNECTION: [02/06/03 08:49 UTC] 80.194.40.xxx
    CONNECTION: [02/06/03 09:06 UTC] 144.134.163.xx
    CONNECTION: [02/06/03 09:11 UTC] 216.249.81.xx
    CONNECTION: [02/06/03 09:46 UTC] 136.165.87.xxx
    CONNECTION: [02/06/03 09:47 UTC] 211.28.63.xxx

    After resolving a few of them, these are all people I know pretty well
    on IRC. I can't figure out what's causing this - I don't use a mIRC
    script, I don't have a firewall (XP firewall is disabled) -- I do have
    Norton 2003 Pro. I'm using Windows XP Pro on Service Pack 1a, but the
    file was created before I installed SP1a.

    I've checked my process list, and there's nothing running that shouldn't
    be.

    Has anyone seen something similar or know what's causing this?

    Thanks.

    --
    Patrick Fish
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For
    more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
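    The advice above is to put an analyzer on the wire and watch for traffic to or from the hosts listed in Startup.log. The following script is an added example, not code from either poster, showing how a defender would turn that log into a capture filter and then check each logged connection against what the sniffer actually observed. The log lines and the "observed flows" are constructed: the addresses come from the RFC 5737 documentation ranges rather than the masked ones in the post, and 10.0.0.5 is a hypothetical local address. The filter string it builds uses the libpcap capture-filter syntax that tcpdump and Ethereal accept.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the same layout as the Startup.log quoted in the thread.
# Addresses are RFC 5737 documentation ranges, not the masked ones from the post.
SAMPLE_LOG = """\
CONNECTION: [01/26/03 21:50 UTC] 192.0.2.17
CONNECTION: [01/26/03 21:56 UTC] 198.51.100.8
CONNECTION: [01/26/03 22:01 UTC] 198.51.100.8
CONNECTION: [02/06/03 08:46 UTC] 203.0.113.44
this line is not in the expected format and is skipped
"""

# Constructed flows as a sniffer on the hub might summarise them:
# (UTC time, source IP, destination IP). 10.0.0.5 is the hypothetical monitored host.
LOCAL_IP = "10.0.0.5"
OBSERVED_FLOWS = [
    (datetime(2003, 1, 26, 21, 51, tzinfo=timezone.utc), LOCAL_IP, "192.0.2.17"),
    (datetime(2003, 2, 6, 8, 47, tzinfo=timezone.utc), "203.0.113.44", LOCAL_IP),
]

# One log line: "CONNECTION: [MM/DD/YY HH:MM UTC] dotted-quad"
LINE_RE = re.compile(
    r"^CONNECTION:\s+\[(\d{2}/\d{2}/\d{2}) (\d{2}:\d{2}) UTC\]\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_startup_log(text):
    """Return [(utc_datetime, ip), ...] in file order; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%y %H:%M")
        entries.append((stamp.replace(tzinfo=timezone.utc), m.group(3)))
    return entries


def capture_filter(entries):
    """Build a libpcap capture filter (tcpdump/Ethereal syntax) covering every
    distinct host in the log, so the analyzer records only traffic to or from them."""
    hosts = sorted({ip for _, ip in entries})
    return " or ".join(f"host {ip}" for ip in hosts)


def correlate(entries, observed, window_minutes=5):
    """For each log entry, report whether the sniffer saw traffic involving that
    host within +/- window_minutes of the logged time.
    Returns [(log_time, ip, seen_on_wire), ...] in log order."""
    window = timedelta(minutes=window_minutes)
    result = []
    for stamp, ip in entries:
        seen = any(
            ip in (src, dst) and abs(t - stamp) <= window
            for t, src, dst in observed
        )
        result.append((stamp, ip, seen))
    return result


def unlogged_peers(entries, observed, local_ip):
    """Hosts the sniffer saw talking to local_ip that never appear in the log:
    the log's own cause is unknown, so the wire is the more trustworthy record."""
    logged = {ip for _, ip in entries}
    peers = set()
    for _, src, dst in observed:
        other = dst if src == local_ip else src if dst == local_ip else None
        if other and other not in logged:
            peers.add(other)
    return sorted(peers)


if __name__ == "__main__":
    entries = parse_startup_log(SAMPLE_LOG)
    print("capture filter:", capture_filter(entries))
    for stamp, ip, seen in correlate(entries, OBSERVED_FLOWS):
        print(stamp.isoformat(), ip, "seen on wire" if seen else "NOT seen on wire")
    print("peers on wire but not in log:", unlogged_peers(entries, OBSERVED_FLOWS, LOCAL_IP))
```

The filter string can be pasted into the analyzer's capture-filter field so the trace stays small across a reboot; the correlation step then answers the question the thread is really asking, which is whether the file describes real traffic or is itself the artefact to investigate.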