Re: System Hacked

From: H Carvey (keydet89_at_yahoo.com)
Date: 08/23/03

    Date: 23 Aug 2003 18:25:19 -0000
    To: security-basics@securityfocus.com
    
    
    In-Reply-To: <20030822081441.61000.qmail@web10008.mail.yahoo.com>

    Jai,

    >Someone hacked my system. I have SMTP/POP3 running on
    >Win XP and working on a LAN and have given permission
    >that any one on my LAN can create account.

    What application are you using? Exchange? Something else?

    >Last day someone created account and I got the message
    >of new account creation and when I checked I found
    >that he was trying multiple SMTP connections TO & FROM
    >fake id. I got his IP.

    Created account? Did you get notification from the
    app, or from the Event Log? What type of monitoring
    are you doing?

    These multiple connections could be relaying, as with a
    worm.

    >When I checked the logs from Event Viewer I found that
    >Administrator logged in twice from two different IPs
    >using the tlntsvr.exe service, that's why I am thinking
    >that the IP was fake.

    If the IP is fake, or spoofed, the login wouldn't have
    worked, unless routers had also been hacked.

    >Is there any way I can find out how he got access and
    >how he entered through that SMTP port and the history
    >of what he did on getting the cmd prompt or any other
    >tracing trick.

    If it's a remote hack, there might be some info on the
    system, but to be honest, it isn't really clear what
    happened. And where you look depends on what you've
    got running on the system.

    Harlan


