RE: XP Box appears to be compromised
From: Paul Farag (paul_at_farag.ws)
Date: 08/07/03
- Previous message: Optrics Engineering - Shaun Sturby, MCSE: "RE: Using non-printable characters in passwords"
- In reply to: chris: "Re: XP Box appears to be compromised"
- Next in thread: JM: "RE: XP Box appears to be compromised"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <security-basics@securityfocus.com>
Date: Wed, 6 Aug 2003 15:28:45 -0700
Assuming someone's watching the screen, there's a good chance they'll close
the connection if they see you doing a netstat while they're connected.
Doesn't sound like anything related to terminal services (xp remote desktop)
as it'll lock the console session while the remote session is active. VNC,
however, is more liberal. Could also be any Trojan. Thoroughly scan the
machine (TDS, pestpatrol, antivir, etc.), install a software firewall, find
out what ports are being used by what processes (www.diamondcs.com.au, the
makers of TDS, make a port monitor that works well). If you find nothing
and you're sure the machine has been compromised, format.
-----Original Message-----
From: chris [mailto:chris09@linuxmail.org]
Sent: Wednesday, August 06, 2003 11:40 AM
To: security-basics@securityfocus.com
Subject: Re: XP Box appears to be compromised
In-Reply-To: <D8914909A618614AA32CB22F172F3E2D071A88@dmaul.hoth.alvalearning.com>
Easiest way to do this is to open a prompt on the box and simply
type "netstat -a"; if there's someone connected to the box it should point
you right to their IP address.
Chris
www.cr-secure.net
>Subject: XP Box appears to be compromised
>Date: Wed, 6 Aug 2003 11:03:31 -0600
>Message-ID: <D8914909A618614AA32CB22F172F3E2D071A88@dmaul.hoth.alvalearning.com>
>From: "Gregory M. Brown" <gbrown@alvalearning.com>
>To: <security-basics@securityfocus.com>
>
>I've got an issue with what appears to be remote desktop management of
>an XP box. It's weird...
>
>There are deliberate mouse movements on this box. I'm assuming it's an
>internal person doing this as our FW and Fortinet device will block any
>remote seizing of a desktop. I've disabled all the XP remote services,
>and it continues to happen. I could bust open packets with a sniffer, but
>there is a time constraint as the organization laid virtually all IT
>people off. Imagine that....
>
>What should I be looking for? I need to nail whoever is doing this.
>
>Thanks for any help.
>
>Greg B.
>
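Putting the two suggestions in this thread together (use netstat to see who is connected, then find out which process owns the port), here is an added example that is not from the thread or any of its posters: a small Python script that parses the output of `netstat -ano` (XP's netstat supports `-o` for the owning PID), keeps the established, non-loopback TCP connections, and groups inbound connections on common remote-control ports by PID. The sample netstat output, the addresses and PIDs in it, and the port-to-service table are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output; addresses, ports and PIDs are
# made up for illustration and do not come from the original thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       776
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1412
  TCP    192.168.1.20:5900      192.168.1.57:3201      ESTABLISHED     1412
  TCP    192.168.1.20:1054      198.51.100.7:80        ESTABLISHED     2080
  TCP    127.0.0.1:1033         127.0.0.1:1034         ESTABLISHED     1412
  UDP    0.0.0.0:445            *:*                                    4
"""

# Ports commonly used by remote-control services (assumed table). A hit on
# one of these is a lead to follow up with `tasklist`, not proof of anything.
REMOTE_CONTROL_PORTS = {3389: "RDP", 5900: "VNC", 5800: "VNC (HTTP)"}

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def established_connections(netstat_text):
    """Return (local_port, remote_host, remote_port, pid) for every
    ESTABLISHED TCP connection whose peer is not the loopback address."""
    results = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank, LISTENING-only or UDP lines
        _lhost, lport, rhost, rport, state, pid = m.groups()
        if state != "ESTABLISHED" or rhost.startswith("127."):
            continue
        results.append((int(lport), rhost, int(rport), int(pid)))
    return results


def remote_control_sessions(netstat_text):
    """Group inbound sessions on known remote-control ports by owning PID.
    Resolve each PID to a process name with `tasklist` on the XP box."""
    hits = defaultdict(list)
    for lport, rhost, rport, pid in established_connections(netstat_text):
        if lport in REMOTE_CONTROL_PORTS:
            hits[pid].append((REMOTE_CONTROL_PORTS[lport], rhost, rport))
    return dict(hits)


if __name__ == "__main__":
    for pid, sessions in remote_control_sessions(SAMPLE_NETSTAT).items():
        for service, rhost, rport in sessions:
            print(f"PID {pid}: {service} session from {rhost}:{rport}")
```

Run the real thing with `netstat -ano > netstat.txt` on the box and feed the file to `remote_control_sessions`; the listening-only VNC line is deliberately ignored because only an established session tells you who is connected right now.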