RE: XP Box appears to be compromised

From: Paul Farag (paul_at_farag.ws)
Date: 08/07/03

  • Next message: J. Lambrecht: "Re: Security Policy-Please help"
    To: <security-basics@securityfocus.com>
    Date: Wed, 6 Aug 2003 15:28:45 -0700
    
    

    Assuming someone's watching the screen, there's a good chance they'll close
    the connection if they see you doing a netstat while they're connected.
    Doesn't sound like anything related to terminal services (xp remote desktop)
    as it'll lock the console session while the remote session is active. VNC,
    however, is more liberal. Could also be any Trojan. Thoroughly scan the
    machine (TDS, pestpatrol, antivir, etc.), install a software firewall, find
    out what ports are being used by what processes (www.diamondcs.com.au, the
    makers of TDS, make a port monitor that works well). If you find nothing
    and you're sure the machine has been compromised, format.

    -----Original Message-----
    From: chris [mailto:chris09@linuxmail.org]
    Sent: Wednesday, August 06, 2003 11:40 AM
    To: security-basics@securityfocus.com
    Subject: Re: XP Box appears to be compromised

    In-Reply-To:
    <D8914909A618614AA32CB22F172F3E2D071A88@dmaul.hoth.alvalearning.com>

    Easiest way to do this is to open a prompt on the box and simply
    type "netstat -a"; if there's someone connected to the box it should point
    you right to their IP address.

    Chris

    www.cr-secure.net

    >From: "Gregory M. Brown" <gbrown@alvalearning.com>
    >To: <security-basics@securityfocus.com>
    >Date: Wed, 6 Aug 2003 11:03:31 -0600
    >Subject: XP Box appears to be compromised
    >

    >I've got an issue with what appears to be remote desktop management of
    >an XP box. It's weird...
    >
    >There are deliberate mouse movements on this box. I'm assuming it's an
    >internal person doing this as our FW and Fortinet device will block any
    >remote seizing of a desktop. I've disabled all the XP remote services,
    >and it continues to happen. I could bust open packets with sniffer, but
    >there is a time constraint as the organization laid virtually all IT
    >people off. Imagine that....
    >
    >What should I be looking for? I need to nail whoever is doing this.
    >
    >Thanks for any help.
    >
    >Greg B.

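Both replies come down to the same triage step: run netstat on the box and work out which remote peer is connected and which local process owns that socket. The script below is an added example, not code from any of the posters; it parses the output of `netstat -ano` (Windows XP and later include the owning PID in that form), lists established connections to non-loopback peers with their PID, and flags listening sockets on the remote-control ports the thread mentions (RDP and VNC). The netstat output embedded in it is constructed by hand for the example, not captured from a real host, and the port-to-name table is an assumption of the example.

```python
"""Triage helper for a possibly remote-controlled Windows box.

Parses `netstat -ano` output and reports (a) established connections to
peers outside this host, with the owning PID, and (b) listening sockets on
well-known remote-control ports. Added example for this thread; the sample
output below is constructed, not captured from a real machine.
"""
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")

# Constructed sample of `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       844
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1388
  TCP    127.0.0.1:1031         127.0.0.1:5900         ESTABLISHED     1388
  TCP    192.168.1.23:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.23:5900      192.168.1.77:1147      ESTABLISHED     1388
  TCP    192.168.1.23:1042      64.12.24.50:5190       ESTABLISHED     1704
  UDP    0.0.0.0:445            *:*                                    4
"""

# Ports used by the remote-control services named in the thread (assumed table).
REMOTE_CONTROL_PORTS = {3389: "RDP / Terminal Services", 5800: "VNC (HTTP)", 5900: "VNC"}


def split_addr(text):
    """Split 'host:port' into (host, port); port is None for '*'."""
    host, _, port = text.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(output):
    """Turn netstat -ano text into Conn records, skipping headers and blank lines."""
    conns = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        # TCP rows carry a State column; UDP rows do not, so the PID shifts left.
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        lip, lport = split_addr(local)
        rip, rport = split_addr(remote)
        conns.append(Conn(proto, lip, lport, rip, rport, state, pid))
    return conns


def established_remote(conns):
    """Established connections whose peer is not this host: the 'who is connected' check."""
    result = []
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        try:
            if ipaddress.ip_address(c.remote_ip).is_loopback:
                continue
        except ValueError:
            continue
        result.append(c)
    return result


def listening_remote_control(conns):
    """Listening sockets on known remote-control ports, as (port, service, pid)."""
    return [(c.local_port, REMOTE_CONTROL_PORTS[c.local_port], c.pid)
            for c in conns
            if c.state == "LISTENING" and c.local_port in REMOTE_CONTROL_PORTS]


def report(output=SAMPLE_NETSTAT):
    """One line per finding; the PID is what you then look up with tasklist."""
    conns = parse_netstat(output)
    lines = []
    for c in established_remote(conns):
        lines.append("%s:%d <- %s:%d  PID %d" % (c.local_ip, c.local_port,
                                                 c.remote_ip, c.remote_port, c.pid))
    for port, name, pid in listening_remote_control(conns):
        lines.append("listening on %d (%s)  PID %d" % (port, name, pid))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On the affected box, `netstat -ano > netstat.txt` and feed that file to `report()`; the PID column is the link to the process, which `tasklist` resolves to an image name. In the constructed sample the same PID owns the VNC listener and the established session from 192.168.1.77, which is exactly the pattern Paul describes for a VNC-style remote session. Two caveats match the advice above: a process that hides its sockets from netstat (a kernel-level rootkit) will not show up here, so an empty result is not proof of a clean machine, and an attacker watching the console can disconnect the moment a prompt opens, so capture the output quickly or from a scheduled task rather than interactively.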