AW: XP Box appears to be compromised

From: Meidinger Chris (chris.meidinger_at_badenit.de)
Date: 08/07/03

  • Next message: dagreat1_at_hush.com: "Unrecognized folder in Hotmail Inbox."
    To: "'gbrown@alvalearning.com'" <gbrown@alvalearning.com>, security-basics@securityfocus.com
    Date: Thu, 7 Aug 2003 08:30:32 +0100 
    
    

    If that doesn't work, then download winlibpcap and ethereal, install, put
    it on a hub with the computer or on a switch span port, start ethereal, say
    'start filtering' and use the filter string 'src host MY_IP or dst host
    MY_IP' (without the apostrophes, replacing MY_IP with the IP address of the
    machine). You should have everything done in 30 minutes.

    The advantage of this approach is that you can save the network traffic. If
    this thing escalates into an administrative action (firing, discipline,
    etc.) you want to have that stuff recorded, and you want a second person who
    can testify that person X was using IP Y during the illegal movements.

    badenIT GmbH
    System Support
     
    Chris Meidinger
    Tullastrasse 70
    79108 Freiburg

    ______________

    There are 10 kinds of people on the planet,
    those who understand binary, and those who don't.

    -----Original Message-----
    From: chris [mailto:chris09@linuxmail.org]
    Sent: Wednesday, August 06, 2003 8:40 PM
    To: security-basics@securityfocus.com
    Subject: Re: XP Box appears to be compromised

    In-Reply-To:
    <D8914909A618614AA32CB22F172F3E2D071A88@dmaul.hoth.alvalearning.com>

    Easiest way to do this is to open a prompt on the box and simply
    type "netstat -a"; if there's someone connected to the box it should point
    you right to their IP address.

    Chris

    www.cr-secure.net

    >Received: (qmail 22282 invoked from network); 6 Aug 2003 18:15:44 -0000
    >Received: from outgoing3.securityfocus.com (205.206.231.27)
    > by mail.securityfocus.com with SMTP; 6 Aug 2003 18:15:44 -0000
    >Received: from lists.securityfocus.com (lists.securityfocus.com
    [205.206.231.19])
    > by outgoing3.securityfocus.com (Postfix) with QMQP
    > id DF73DA3163; Wed, 6 Aug 2003 12:18:42 -0600 (MDT)
    >Mailing-List: contact security-basics-help@securityfocus.com; run by ezmlm
    >Precedence: bulk
    >List-Id: <security-basics.list-id.securityfocus.com>
    >List-Post: <mailto:security-basics@securityfocus.com>
    >List-Help: <mailto:security-basics-help@securityfocus.com>
    >List-Unsubscribe: <mailto:security-basics-unsubscribe@securityfocus.com>
    >List-Subscribe: <mailto:security-basics-subscribe@securityfocus.com>
    >Delivered-To: mailing list security-basics@securityfocus.com
    >Delivered-To: moderator for security-basics@securityfocus.com
    >Received: (qmail 12361 invoked from network); 6 Aug 2003 10:56:22 -0000
    >X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
    >content-class: urn:content-classes:message
    >Subject: XP Box appears to be compromised
    >MIME-Version: 1.0
    >Content-Type: text/plain;
    > charset="US-ASCII"
    >Content-Transfer-Encoding: quoted-printable
    >Date: Wed, 6 Aug 2003 11:03:31 -0600
    >Message-ID:
    <D8914909A618614AA32CB22F172F3E2D071A88@dmaul.hoth.alvalearning.com>
    >X-MS-Has-Attach:
    >X-MS-TNEF-Correlator:
    >Thread-Topic: XP Box appears to be compromised
    >Thread-Index: AcNcPKmigN12jsnKTyK/Qlaav5Jhdg==
    >From: "Gregory M. Brown" <gbrown@alvalearning.com>
    >To: <security-basics@securityfocus.com>
    >
    >I've got an issue with what appears to be remote desktop management of
    >an XP box. It's weird...
    >
    >There are deliberate mouse movements on this box. I'm assuming it's an
    >internal person doing this as our FW and Fortinet device will block any
    >remote seizing of a desktop. I've disabled all the XP remote services,
    >and it continues to happen. I could bust open packets with sniffer, but
    >there is a time constraint as the organization laid virtually all IT
    >people off. Imagine that....
    >
    >What should I be looking for? I need to nail whoever is doing this.
    >
    >Thanks for any help.
    >
    >Greg B.
    >
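The two replies above suggest two checks: "netstat -a" to spot the peer holding a session on the box, and a packet capture filtered on the box's own address to keep evidence. The script below is an added example written for this thread, not code from either poster: it parses the numeric form of the Windows command (netstat -an is assumed) and reports every remote peer with an ESTABLISHED TCP session and the local ports it is attached to, ignoring listeners, loopback and half-closed sockets. The netstat output embedded in it is constructed sample data with hypothetical addresses.

```python
"""List remote peers with ESTABLISHED TCP sessions from Windows netstat output.

Added example for the thread above. SAMPLE_NETSTAT is constructed sample
output of ``netstat -an`` with hypothetical addresses, not a capture from
the poster's machine.
"""
import ipaddress
from collections import defaultdict

# Constructed sample of ``netstat -an`` on a Windows host (hypothetical).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED
  TCP    192.168.1.10:3389      192.168.1.77:1045      ESTABLISHED
  TCP    192.168.1.10:139       192.168.1.77:1046      ESTABLISHED
  TCP    192.168.1.10:1050      10.0.0.5:80            TIME_WAIT
  UDP    0.0.0.0:445            *:*
"""


def _split_endpoint(endpoint):
    """Split 'ip:port' (or '[ipv6]:port') into (ip, port) strings."""
    ip, port = endpoint.rsplit(":", 1)
    return ip.strip("[]"), port


def parse_netstat(text):
    """Return rows of (proto, local_ip, local_port, foreign_ip, foreign_port, state).

    Header lines and blank lines are skipped; the state column is empty for UDP.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0]
        local_ip, local_port = _split_endpoint(parts[1])
        foreign_ip, foreign_port = _split_endpoint(parts[2])
        state = parts[3] if proto == "TCP" and len(parts) > 3 else ""
        rows.append((proto, local_ip, local_port, foreign_ip, foreign_port, state))
    return rows


def _is_local_peer(ip):
    """True for wildcard and loopback peers, which cannot be the remote operator."""
    if ip in ("*", "0.0.0.0"):
        return True
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False  # a hostname was printed instead of an address; treat as remote


def remote_sessions(text):
    """Map each remote peer IP to the sorted local ports it holds ESTABLISHED TCP sessions on."""
    peers = defaultdict(set)
    for proto, _lip, lport, fip, _fport, state in parse_netstat(text):
        if proto != "TCP" or state != "ESTABLISHED" or _is_local_peer(fip):
            continue
        peers[fip].add(int(lport))
    return {ip: sorted(ports) for ip, ports in peers.items()}


if __name__ == "__main__":
    for peer, ports in remote_sessions(SAMPLE_NETSTAT).items():
        print(f"{peer} holds sessions to local ports {ports}")
```

On the sample data only 192.168.1.77 is reported, attached to local ports 139 and 3389; the loopback session and the TIME_WAIT socket to 10.0.0.5 are dropped. Feeding real output works the same way (for example `netstat -an > netstat.txt` and reading that file). The parser only reads the first four columns, so output from `netstat -ano`, which appends the owning PID on XP, is accepted too, though the PID is not used here.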
    