Re: Intrusion Question
From: Mark St Laurent (stormrunner'_removethis'_at_comcast.net)
Date: Wed, 16 Feb 2005 17:26:44 GMT
We do not have any Linux or non-server Unix boxes to run a sniffer from. What
is the most popular sniffer ported to Windows that I could set up and learn
"winged" <firstname.lastname@example.org> wrote in message
> Michael J. Pelletier wrote:
>> Mark St Laurent wrote:
>>>Is it possible for someone to be remote controlling a machine, i.e. moving
>>>the mouse, opening programs etc., without showing an active connection in the
>>>output of netstat -a? I saw this happen today but think, being the user has a
>>>wireless keyboard and mouse attached to his PC, that he might be getting
>>>crossed with another wireless keyboard/mouse at an adjacent machine. No
>>>intruder was listed, and if I VNC into the same machine it shows a connection
>>>established at port 5900, for example. RDP and VNC (3383 & 5900 only are
>>>excepted but confined to local subnet); otherwise full XPSP2 firewall.
>>>I have never posted to this group before; if not on topic, please redirect
>>>me to the correct group.
>> First, if it were a hack, it is possible to install a hacked version of
>> netstat (or any binary) that was programmed not to list a specific IP.
>> I am not saying that this is your situation, but yes, it is possible. This
>> user has a wireless keyboard and mouse? If so, try putting him back on a
>> regular keyboard and mouse. See if it happens then.
>> The only thing that bothers me is, if it were some kind of "cross talk"
>> (wireless keyboards and mice interfering with each other) I would think
>> the movement would be erratic. Was the mouse movement erratic?
> It is also possible to hide communications and programs in alternate data
> I would consider setting up a sniffer after I went back to wired
> Yes, it is possible to hide communications from netstat using several
> programmatic methods. A number of remote control Trojans are very capable of
> hiding the communications from the local machine and very difficult to
> detect using standard IDS tools, as the attacker may be using a known
> encrypted port (such as 443) for communications. It is fairly easy to
> "hide" the communication from netstat. This is easiest to do by adding a
> Winsock modification to the local system, but can be accomplished via an
> ActiveX control or service or other imagined choices. You can also hide
> services so that the task manager pane does not display the running
> process. Sometimes administrators or security folks must do this as well;
> however, ideally they would not go into control mode. Back Orifice, for
> example, does this better than some well-known remote administration tools.
> I would run a number of tools to try to track remote controller
> activities; the sniffer will show what the system is communicating
> with and will make it much easier to identify the communication. I would then
> rebuild the system once the proper enforcement entity gave direction to do so.
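The point made in the quoted reply is that the host's own netstat output can be tampered with, so the authoritative view of what the machine is talking to has to come from a sniffer on a different vantage point (a span port, a hub, or another machine on the segment). The script below is an added example, not code from anyone in this thread: it parses a constructed `netstat -an` listing from the suspect Windows host and a constructed tcpdump-style capture summary of the same host, and reports every connection that is visible on the wire but missing from the host's own table. The sample values (addresses, ports, the suspect host IP `192.168.1.20`) are all constructed for the example; it handles IPv4 TCP only, and assumes the capture was taken from a machine other than the one being checked.

```python
"""Cross-view check: wire-observed connections vs. what the host's netstat reports.

A connection the sniffer sees but netstat does not list is a candidate hidden
channel (a patched netstat, a Winsock layer, or similar). All sample data below
is constructed for this example.
"""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port")

# Constructed: `netstat -an` output as the suspect host itself reports it.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:5900      192.168.1.5:1187       ESTABLISHED
  TCP    192.168.1.20:1042      192.168.1.9:445        ESTABLISHED
  UDP    192.168.1.20:137       *:*
"""

# Constructed: tcpdump-style summary of traffic captured from a second machine.
SNIFFER_SAMPLE = """\
12:01:03.100 IP 192.168.1.20.5900 > 192.168.1.5.1187: Flags [P.], length 120
12:01:03.200 IP 192.168.1.20.1042 > 192.168.1.9.445: Flags [.], length 0
12:01:03.900 IP 192.168.1.20.2310 > 203.0.113.44.443: Flags [P.], length 64
12:01:04.100 IP 203.0.113.44.443 > 192.168.1.20.2310: Flags [P.], length 208
"""

# Windows netstat line: proto, local addr:port, foreign addr:port, optional state.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)(?:\s+(\w+))?\s*$")
# tcpdump summary line: "IP src.sport > dst.dport:" (IPv4 only, an assumption here).
SNIFFER_LINE = re.compile(r"\bIP\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+):")


def parse_netstat(text):
    """Return the set of established TCP connections the host reports about itself."""
    conns = set()
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        if proto != "TCP" or state != "ESTABLISHED":
            continue  # listeners and UDP sockets are not part of this comparison
        conns.add(Conn(proto, lip, int(lport), rip, int(rport)))
    return conns


def parse_sniffer(text, local_ip):
    """Return TCP connections seen on the wire, normalised so the monitored host
    is always the 'local' side no matter which direction the packet travelled."""
    conns = set()
    for line in text.splitlines():
        m = SNIFFER_LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.groups()
        if src == local_ip:
            conns.add(Conn("TCP", src, int(sport), dst, int(dport)))
        elif dst == local_ip:
            conns.add(Conn("TCP", dst, int(dport), src, int(sport)))
        # packets that do not involve the monitored host are ignored
    return conns


def hidden_connections(netstat_text, sniffer_text, local_ip):
    """Connections present on the wire but absent from the host's own netstat view."""
    on_host = parse_netstat(netstat_text)
    on_wire = parse_sniffer(sniffer_text, local_ip)
    return sorted(on_wire - on_host)


if __name__ == "__main__":
    for c in hidden_connections(NETSTAT_SAMPLE, SNIFFER_SAMPLE, "192.168.1.20"):
        print(f"NOT IN NETSTAT: {c.proto} {c.local_ip}:{c.local_port} <-> "
              f"{c.remote_ip}:{c.remote_port}")
```

On the constructed data the two connections netstat admits to (the VNC session and the SMB session) match the capture, and the only line reported is the port 443 session to `203.0.113.44`, which the host never listed. That mirrors the scenario the reply describes, where the channel sits on a "known encrypted port" and is invisible to local tools; the comparison only works because the capture comes from a box other than the one under suspicion. Transient connections that closed between the two snapshots will also show up, so in practice you would take the netstat snapshot during the capture window and look at connections that persist.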