Re: Intrusion Question

From: Mark St Laurent (stormrunner'_removethis'_at_comcast.net)
Date: 02/16/05


Date: Wed, 16 Feb 2005 17:26:44 GMT

We do not have any Linux or non-server Unix boxes to run a sniffer from. What
is the most popular sniffer ported to Windows that I could set up and learn
to use?
"winged" <winged@nofollow.com> wrote in message
news:cuul0a$a0j@dispatch.concentric.net...
> Michael J. Pelletier wrote:
>> Mark St Laurent wrote:
>>
>>
>>>Is it possible for someone to be remote controlling a machine, i.e. moving
>>>the mouse, opening programs etc., without showing an active connection in the
>>>output of netstat -a? I saw this happen today but think, the user having a
>>>wireless keyboard and mouse attached to his PC, that he might be getting
>>>crossed with another wireless keyboard and mouse at an adjacent machine. No
>>>intruder was listed, and if I VNC into the same machine it shows a connection
>>>established at port 5900 for example. RDP and VNC (3383 & 5900 only) are
>>>excepted but confined to the local subnet; otherwise full XPSP2 firewall
>>>features are enabled.
>>>
>>>I have never posted to this group before, if not on topic please redirect
>>>me to correct group.
>>
>>
>> First, if it were a hack, it is possible to install a hacked version of
>> netstat (or any binary) that was programmed not to list a specific IP,
>> etc.
>> I am not saying that this is your situation but, yes, it is possible. This
>> user has a wireless keyboard and mouse? If so, try putting him back on the
>> regular keyboard and mouse. See if it happens then.
>>
>> The only thing that bothers me is, if it were some kind of "cross talk" (two
>> wireless keyboards and mice interfering with each other) I would think that
>> the movement would be erratic. Was the mouse movement erratic?
>>
>> Michael
>>
> It is also possible to hide communications and programs in alternate data
> streams.
>
> I would consider setting up a sniffer after I went back to wired
> configuration.
>
> Yes, it is possible to hide communications from netstat using several
> programmatic methods. A number of remote control Trojans are very capable of
> hiding the communications from the local machine and very difficult to
> detect using standard IDS tools, as the attacker may be using a known
> encrypted port (such as 443) for communications. It is fairly easy to
> "hide" the communication from netstat. This is easiest to do by adding a
> Winsock modification to the local system, but can be accomplished via an
> ActiveX control or service or other imagined choices. You can also hide
> services so that the Task Manager pane does not display the running
> process. Sometimes administrators or security folks must do this as well;
> however, ideally they would not go into control mode. Back Orifice, for
> example, does this better than some well known remote administration tools.
>
> I would run a number of tools to try to track remote controller
> activities. The sniffer will show what the system is communicating
> with, and the communication will be much easier to identify. I would then
> rebuild the system once the proper enforcement entity gave direction to do so.
>
> Winged
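Winged's advice amounts to a cross-view check: a sniffer on a separate, trusted machine sees every packet the suspect host sends or receives, while a subverted netstat on that host can omit whatever it likes, so any flow the wire shows that netstat does not admit is worth explaining. The script below is an added illustration of that comparison and is not code from this thread or from any of the tools mentioned in it. It assumes a constructed `netstat -a -n` listing from the suspect host (address 192.168.1.50, chosen for the example) and a constructed list of flow records as a sniffer on the same segment might summarize them; the hypothetical `unaccounted_flows` function returns the flows netstat cannot account for.

```python
"""Cross-view check: flows seen on the wire versus the sockets netstat reports."""
import re

# Constructed: the address of the machine under suspicion.
HOST_IP = "192.168.1.50"

# Constructed sample of `netstat -a -n` output captured on that host.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.50:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.50:5900      192.168.1.10:3214      ESTABLISHED
  UDP    192.168.1.50:137       *:*
"""

# Constructed flow records from a sniffer on the same segment:
# (proto, src_ip, src_port, dst_ip, dst_port)
SNIFFED_FLOWS = [
    ("TCP", "192.168.1.10", 3214, "192.168.1.50", 5900),   # the admin's own VNC session
    ("TCP", "192.168.1.50", 1062, "203.0.113.7", 443),     # outbound on 443, absent from netstat
    ("TCP", "10.0.0.5", 51000, "192.168.1.50", 5900),      # second VNC peer with no ESTABLISHED entry
    ("UDP", "192.168.1.50", 137, "192.168.1.255", 137),    # NetBIOS name traffic, UDP socket is listed
    ("TCP", "192.168.1.10", 4000, "192.168.1.20", 80),     # unrelated hosts, ignored
]

# One netstat row: proto, local ip:port, foreign ip:port, optional state.
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$"
)


def parse_netstat(text):
    """Return (established TCP 4-tuples, set of bound UDP local ports)."""
    established = set()
    udp_ports = set()
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # banner and column-header lines
        proto, lip, lport, rip, rport, state = m.groups()
        if proto == "TCP" and state == "ESTABLISHED":
            established.add((lip, int(lport), rip, int(rport)))
        elif proto == "UDP":
            udp_ports.add(int(lport))
    return established, udp_ports


def orient(flow, host_ip):
    """Rewrite a wire flow from the suspect host's point of view:
    (proto, local_port, remote_ip, remote_port), or None if the host is not involved."""
    proto, sip, sport, dip, dport = flow
    if sip == host_ip:
        return proto, sport, dip, dport
    if dip == host_ip:
        return proto, dport, sip, sport
    return None


def unaccounted_flows(netstat_text, flows, host_ip):
    """Flows the sniffer saw that the host's netstat listing does not explain.

    A TCP flow is accounted for only by a matching ESTABLISHED entry; a UDP flow
    is accounted for if the host shows a bound socket on that local port.
    """
    established, udp_ports = parse_netstat(netstat_text)
    hidden = []
    for flow in flows:
        view = orient(flow, host_ip)
        if view is None:
            continue
        proto, lport, rip, rport = view
        if proto == "TCP" and (host_ip, lport, rip, rport) in established:
            continue
        if proto == "UDP" and lport in udp_ports:
            continue
        hidden.append(view)
    return hidden


if __name__ == "__main__":
    for proto, lport, rip, rport in unaccounted_flows(NETSTAT_OUTPUT, SNIFFED_FLOWS, HOST_IP):
        print(f"unexplained {proto} flow: local port {lport} <-> {rip}:{rport}")
```

Two things matter when reading the result. The netstat listing is a snapshot while the capture covers a window, so a short-lived connection that closed between the two can show up as unexplained; repeat the comparison a few times before drawing conclusions. And the whole check rests on the sniffer running somewhere the suspect host cannot influence, which is why the thread insists on a separate box.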