Re: hackerZZzzzz

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 07/13/03


Date: Sun, 13 Jul 2003 10:46:28 -0400


Try SIM which is free from www.gfi.com It detects suspicious changes in
files which can indicate intrusion. I assume that's something like what
Keith was referring to. Also, just generally speaking, it's easier to
determine whether a system has been hacked if you run the tools and commands
that might detect hacking [netstat -a, fport from foundstone.com/knowledge,
msconfig or startup cop, firewall or sniffer logs such as ethereal or
windump or sygate firewall or snort, etc.] before you think you have been
hacked, so that you know what the system looked like during normal use, e.g.
a baseline.

"mAx" <bigblue@mailbolt.com> wrote in message
news:078001c34865$71eead70$a301280a@phx.gbl...
> Thanks for that!
>
> Yes - I think that is 'all' they are doing but will prob
> rebuild all from scratch as advised...
>
> Keith - any chance you could let me know what you mean by
>
> "If you're not using any type of file system baseline or
> integrity tool,"
>
> nothing I've ever heard of...
>
> many thanks again! :)
>
> mAx
>
> >-----Original Message-----
> >Max,
> >
> >They're probably doing nothing more scary than uploading
> files to the
> >wide open ftp server you are running.
> >
> >The best advice I can offer is to take the server
> offline asap, back
> >up any important files you need to keep and format and
> re-install from
> >scratch.
> >
> >Don't put the server back online until you have
> installed the latest
> >service pack and security patches. If you don't use the
> ftp service
> >disable it or at least disallow anonymous ftp to your
> server. If you
> >don't need the IIS services don't install them.
> >
> >Start here :
> >http://www.microsoft.com/technet/treeview/default.asp?
> url=/technet/security/default.asp
> >
> >Regards,
> >
> >Paul Lynch
> >MCSE
> >
> >
> >
> >"mAx" <bigblue@mailbolt.com> wrote in message
> news:<008801c347d9$b2228d30$a601280a@phx.gbl>...
> >> YIKES!!
> >>
> >> that sounds scary....
> >>
> >> zombies sounds like the term! It is as if they don't
> exist
> >> on the drive whenever I try to delete/copy/cut etc
> >>
> >> many thanks for the info on 'packet sniffers' (heard
> of
> >> them but never had the need to try them out! here's my
> >> chance I guess!)
> >>
> >> will see what I can find
> >>
> >> thanks again!
> >>
> >> mAx
> >>
> >> PS - it is the D:\ drive they are compromising - do
> you
> >> think best to do complete format/install to get rid of
> >> everything for sure?
> >>
> >> >-----Original Message-----
> >> >Any packet sniffer: windump, ethereal, etc. Although
> if
> >> you know the system
> >> >is compromised, you should take it off-line right
> away.
> >> Capturing the
> >> >traffic isn't going to do you any good--the systems
> that
> >> they're using to
> >> >transfer the files are likely compromised/zombies as
> well.
> >> >
> >> >"max towns" <bigblue@mailbolt.com> wrote in message
> >> >news:012b01c347d4$85891be0$a401280a@phx.gbl...
> >> >> Hello!
> >> >>
> >> >> trying to find some info on getting rid of unwanted
> >> >> folders created by hackers on my webserver....
> they've
> >> >> been using it as a file transferring location (and
> are
> >> >> possibly watching me type this as I speak as I have
> just
> >> >> seen that have uploaded some terminal server setup
> stuff
> >> >> in the last five minutes! - hello if you're
> watching!)
> >> >>
> >> >> not that I'm paranoid or anything... but they're
> all
> >> over
> >> >> me!!
> >> >>
> >> >> haha
> >> >>
> >> >> what people do for a bit of fun eh...
> >> >>
> >> >> anyway - will prob just format the drive and be
> done but
> >> >> would be nice to know for future reference...
> >> >>
> >> >> (anyone know how to check where exactly the data
> that is
> >> >> reported in the status as being sent and received
> for
> >> the
> >> >> network/internet connection - is going to?)
> >> >>
> >> >> MAny many thanks for any help :)
> >> >>
> >> >> mAx
> >> >
> >> >
> >> >.
> >> >
> >.
> >


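The "file system baseline or integrity tool" Keith mentions and the baselining advice in Karl's reply come down to one idea: record what the system looks like while it is healthy, then diff against that record later. The script below is an added example of that technique, not code from this thread and not GFI's SIM; it hashes every file under a directory, stores the manifest as JSON, and reports files that were added, removed or modified. The directory tree it builds (an `ftproot` with a `pub` folder) is constructed sample data for the demonstration.

```python
import hashlib
import json
import sys
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large uploads don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Walk `root` and return {relative_path: {sha256, size}} for every regular file."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()  # same key on Windows and POSIX
            manifest[rel] = {"sha256": hash_file(p), "size": p.stat().st_size}
    return manifest


def save_baseline(manifest, out_path):
    """Persist the manifest; keep this copy off the monitored host."""
    Path(out_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Diff two manifests. Changes are judged on content hash, not timestamps,
    since timestamps are trivially reset."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        k for k in baseline.keys() & current.keys()
        if baseline[k]["sha256"] != current[k]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def run_demo():
    """Constructed scenario: baseline a small tree, then simulate the changes
    described in the thread (new folder with uploaded files, an edited page,
    a deleted file) and return what the comparison reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "ftproot"
        (root / "pub").mkdir(parents=True)
        (root / "pub" / "readme.txt").write_text("public files\n")
        (root / "pub" / "index.html").write_text("<html>hello</html>\n")

        manifest_path = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), manifest_path)
        baseline = load_baseline(manifest_path)  # round-trip through disk

        # Simulated post-baseline activity on the share.
        (root / "pub" / "incoming").mkdir()
        (root / "pub" / "incoming" / "new_upload.dat").write_bytes(b"\x00" * 64)
        (root / "pub" / "index.html").write_text("<html>changed</html>\n")
        (root / "pub" / "readme.txt").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    # Usage: baseline <dir> <manifest.json>   |   check <dir> <manifest.json>
    if len(sys.argv) == 4 and sys.argv[1] == "baseline":
        save_baseline(build_baseline(sys.argv[2]), sys.argv[3])
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        print(json.dumps(compare(load_baseline(sys.argv[3]),
                                 build_baseline(sys.argv[2])), indent=2))
    else:
        print(json.dumps(run_demo(), indent=2))
```

Two practical points follow from the thread. First, as Karl says, the baseline has to be taken before you suspect a problem; a manifest built on an already-compromised box only tells you about changes from that point on. Second, keep the manifest and the script off the monitored host (or at least on read-only media), because anyone who can write to `ftproot` may also be able to rewrite a manifest stored next to it.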