Re: hacker,virus,spyware? what is it?
From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 04/29/03
- Next message: Karl Levinson [x y] mvp: "Re: My Security and Hacking Book Progress"
- Previous message: AS: "Re:Outlook inbox password"
- In reply to: scott: "hacker,virus,spyware? what is it?"
- Next in thread: ScottF: "THX!..Re: hacker,virus,spyware? what is it?"
- Reply: ScottF: "THX!..Re: hacker,virus,spyware? what is it?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 29 Apr 2003 08:31:16 -0400
What do you see when you look up the target IP addresses at
www.network-tools.com and http://visualroute.visualware.com ? Does that
offer any clues as to what this is? Also, I'd be curious to know what the
protocol [tcp, udp, etc] and the other port number is. Incrementing port
numbers could indicate that these are actually responses to a previously
received communication from a client of some sort.
If this is on your network, another thing to do is to try to track down
where it is. Pinging the IP address from the local subnet and then doing
ARP -a should hopefully give you the MAC address... then you could
search www.google.com for one of the many lists of MAC address vendors to see
what type of NIC card it is. These things might advertise your presence to
someone who might be controlling that device, but running free utilities
like NBTSTAT -A ipaddress and/or nmap and/or superscan from
www.foundstone.com/knowledge and/or getacct from www.securityfriday.com
and/or winfingerprint all might give you additional information about who
or what is on that device. An IDS like www.snort.org might also be useful
at some point.
Once you've located the device and interviewed the person that owns or uses
it, the following might be useful in looking for signs of something
malicious:
http://securityadmin.info/faq.htm#hacked
http://securityadmin.info/faq.htm#re-secure
http://securityadmin.info/faq.htm#harden
"scott" <scottf@starlitetheatre.com> wrote in message
news:043701c30e32$74187760$a301280a@phx.gbl...
> I am a very green administrator of a 50-client network,
> mostly made up of Windows 98 clients. We are running
> Small Business Server in one domain and NT 4.0 on another
> (don't ask why, it's a long and ridiculous story LOL). I
> was transferred to this job when our business nearly
> closed down for a few days from a horrible rash of
> bugbear. I recently switched our whole client base over
> to static IPs so I could get a better idea of exactly
> what was happening on our network. Last night as I
> watched the network log incoming from the router, I
> noticed something very strange. There was an IP address
> that read "dead" on the IP scanner, but it was
> broadcasting packets to the internet through an
> incremental series of ports. It started at around port
> #1100 and incremented its way up to over 2000. It was
> broadcasting to the same three or four internet
> addresses. Then it stopped. Then about 5 minutes later it
> started again, this time from a different IP address on
> our network, and broadcasting to several different
> addresses, but this time different ones from before. I
> immediately filtered access to the internet for every
> client that did not absolutely have to have it, but that
> still leaves over 50 IPs for it to use. Does anyone know
> what this is, and/or what I can do about it?