Re: Please help I have been hacked!!


From: "karl [x y]" <jamescagney90210@excite.com>
Date: Sun, 15 Sep 2002 07:42:37 -0400


There isn't really one piece of software to detect hacking. Unless you can
manually identify which intrusion method was used [hint, look at the logs on
your IIS web and ftp server and firewalls or routers], we can't know what to
look for or which tool to use to do it. I might consider some or all of the
tools below, as these will detect some types of hacking and help prevent
others:

- anti-trojan scanner such as www.pestpatrol.com [they also have a free
open port scanner]
- antivirus scanner like Norton that is set to download updates daily, on
all clients and on vulnerable servers as needed
- a file change checker such as the free LANguard file integrity checker
from www.gfi.com [download page is hidden under the "white papers" section
on their web site]
- a port scanner such as SuperScan from www.foundstone.com
- fport or vision from www.foundstone.com [must be run locally, can be
scripted]. Also check out the log analyzer tools there.
- a firewall with logging set up and that blocks outbound connections as
well as inbound [the cheapest firewalls start with Netgear or Linksys at
around $70 US]
- consider firewall software such as Sygate for vulnerable clients and
servers
- run one or more vulnerability assessment scanners such as the free
LANguard software from www.gfi.com
- run HFNETCHK [available from www.microsoft.com/security or
www.microsoft.com/download ] to scan computers on the network for missing
patches [requires Remote Registry service be running and accessible]

The port scanner will help you to see if other computers are running FTP
servers. Fport will help you tell whether Microsoft IIS FTP server is being
used, or whether the hackers installed their own FTP server software [the
latter is usually somewhat more disturbing]. If the latter is used, the IIS
web server logs will often show exactly how the intrusion took place [look
for any lines containing % or .EXE and that also have a code 200 or 502 in
the line]. If Microsoft FTP server was used, it could be as simple as the
FTP server was set up with the anonymous user having both read and write
access to a folder, which allows this sort of thing.

Using a firewall and antivirus is not enough. You also want to have all
service packs and security patches installed on all computers, especially
Microsoft patches, and the computers should also be configured securely
using, for starters, the security checklists at www.microsoft.com/security.
For some of this stuff, such as configuring the firewall, your company
should consider hiring a security consultant, as you'll be hacked again if
it isn't done correctly. Consider reading books such as Hacking Exposed 3rd
edition and maybe Incident Response.

"Alec" <alec34us@yahoo.com> wrote in message
news:13d7c01c25c6c$902c7050$3bef2ecf@TKMSFTNGXA10...
> I just started this IT job on an entry level position.
> The department has a lot of computers and I don't know if
> they are infected too. This happened on an old lady's
> computer. Is there any software available that I can
> purchase to scan the other computers?
>
> Thanks!!
>
> >-----Original Message-----
> >
> >"alec" <alec34us@yahoo.com> wrote in message
> >news:1161501c25c4d$653451c0$37ef2ecf@TKMSFTNGXA13...
> >> Dear Newsgroup,
> >>
> >> I have just realized that my computer at work had been
> >> hacked. It is Windows 2000. Someone has hacked into it
> >> and made it a file server for "Star War" movies. It has a
> >> trojan on it. My question is how? Or more important is
> >> there any third party software that I can scan our other
> >> office computers for this. How can I check. I had no
> >> idea this was going on in my computer. I am scared!
> >>
> >> Thanks for any help!!
> >
> >
> >First of all, if you don't have anti-virus software, get some. If you do
> >but it doesn't detect it, get Norton Antivirus or something that you
> >actually pay for.
> >Second, get a firewall. Any firewall. Delete the movies.
> >But are you sure you were hacked? What if it's your friend or son or wife?
> >
> >
> >.
> >
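
Added example, not part of karl's post or of any tool named in it: the IIS log check described above (requests containing % or .EXE that returned status 200 or 502), written as a Python triage filter. It goes slightly beyond a plain text search by reading the W3C "#Fields:" header so the status is taken from the sc-status column only; the log lines, addresses and paths are constructed sample data.

```python
import re

# Heuristic from the post: a "%" or ".EXE" in the request, with status 200 or 502.
SUSPICIOUS = re.compile(r"%|\.exe", re.IGNORECASE)
STATUSES = {"200", "502"}

# Constructed sample in W3C extended log format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes
2002-09-14 03:10:01 192.0.2.10 GET /default.htm - 200 4502
2002-09-14 03:10:05 192.0.2.77 GET /scripts/sub%20dir/example.exe arg=1 200 612
2002-09-14 03:10:06 192.0.2.77 GET /scripts/example.exe - 404 200
2002-09-14 03:10:09 192.0.2.77 GET /scripts/%2e/example.EXE - 502 381
2002-09-14 03:11:00 192.0.2.10 GET /search.asp q=100%25 200 1200
"""


def flag_requests(log_text):
    """Return (line_no, client_ip, uri, status) for each request matching the heuristic."""
    fields = []
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            # Column order is configurable in IIS, so read it from the log itself.
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record
        rec = dict(zip(fields, values))
        uri = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        if query != "-":
            uri += "?" + query
        # Compare the status column only: a byte count of 200 must not match.
        if rec.get("sc-status") in STATUSES and SUSPICIOUS.search(uri):
            hits.append((line_no, rec.get("c-ip", "?"), uri, rec["sc-status"]))
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

The last sample line is an ordinary search request that happens to contain a percent sign, so the output is a list of lines to review by hand, not a verdict.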
