Correction: www.ethereal.com not www.ethereal.org RE: Suspicious file on Desktop
From: Eric Greenberg (eric@netframeworks.com)
Date: 02/10/03
- Previous message: Brenna Primrose: "RE: Suspicious file on Desktop"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Eric Greenberg" <eric@netframeworks.com> To: "'Patrick Fish'" <patrick@pwhsnet.com>, <incidents@securityfocus.com> Date: Mon, 10 Feb 2003 16:34:09 -0500
In my post below, I referenced the incorrect website for ethereal. It's
www.ethereal.com.
-----Original Message-----
From: Eric Greenberg [mailto:eric@netframeworks.com]
Sent: Monday, February 10, 2003 11:55 AM
To: 'Patrick Fish'; 'incidents@securityfocus.com'
Subject: RE: Suspicious file on Desktop
I'll just focus on one aspect of this problem, others will probably
offer you other very useful input relating to specific trojan's, etc.
For one thing, I'd recommend, in general, using a network sniffer so
that you can see what, if anything, is leaving your machine to/from
those IP addresses, especially during bootup. In general, whenvever you
suspect anything network-borne on a machine, the first best thing is to
look at the wire and see what's happenning. While you can put the
analyzer on the same machine you have concerns with, in general it's
best to put it another machine. Setup another machine with Ethereal
(http://www.ethereal.org) of if you want a commercial product, you could
consider http://www.tamos.com. Get a hub (not a switch) if possible and
put your machine on that hub. Put the network analyzer on the hub. If
this is a dial-up connection, you have several options but the first one
(which may not be forensically-sound), would be to run the analyzer on
your own machine.
Regards,
Eric
----------------------------------
Mission Critical Security Planner:
When hackers won't take no for an answer
http://www.amazon.com/exec/obidos/ASIN/0471211656
-----Original Message-----
From: Patrick Fish [mailto:patrick@pwhsnet.com]
Sent: Monday, February 10, 2003 5:12 AM
To: incidents@securityfocus.com
Subject: Suspicious file on Desktop
Hi,
I've been trying to figure out why there is a "Startup.log" file on my
desktop. I've searched mail archives and google, but didn't find
anything about this. The file contains:
(Last octet of IP removed)
CONNECTION: [01/26/03 21:50 UTC] 62.163.176.xx
CONNECTION: [01/26/03 21:56 UTC] 67.192.41.xxx
CONNECTION: [01/26/03 22:01 UTC] 67.192.41.xxx
CONNECTION: [02/06/03 08:46 UTC] 65.65.81.xxx
CONNECTION: [02/06/03 08:46 UTC] 65.65.81.xxx
CONNECTION: [02/06/03 08:49 UTC] 80.194.40.xxx
CONNECTION: [02/06/03 09:06 UTC] 144.134.163.xx
CONNECTION: [02/06/03 09:11 UTC] 216.249.81.xx
CONNECTION: [02/06/03 09:46 UTC] 136.165.87.xxx
CONNECTION: [02/06/03 09:47 UTC] 211.28.63.xxx
After resolving a few of them, these are all people I know pretty well
on IRC. I can't figure out what's causing this - I don't use a mIRC
script, I don't have a firewall (XP firewall is disabled) -- I do have
Norton 2003 Pro. I'm using Windows XP Pro on Service Pack 1a, but the
file was created before I installed SP1a
I've checked my process list, and there's nothing running that shouldn't
be.
Has anything seen something similar or know what's causing this?
Thanks.
-- Patrick Fish ------------------------------------------------------------------------ ---- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
- Next message: James C Slora Jr: "RE: Increased Kuang2 activity"
- Previous message: Brenna Primrose: "RE: Suspicious file on Desktop"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
