Re: Please help I have been hacked!!

From: "karl [x y]" <jamescagney90210@excite.com>
Date: Sun, 15 Sep 2002 07:42:37 -0400


There isn't really one piece of software to detect hacking. Unless you can
manually identify which intrusion method was used [hint, look at the logs on
your IIS web and ftp server and firewalls or routers], we can't know what to
look for or which tool to use to do it. I might consider some or all of the
tools below, as these will detect some types of hacking and help prevent
others:

- anti-trojan scanner such as www.pestpatrol.com [they also have a free
open port scanner]
- antivirus scanner like Norton that is set to download updates daily, on
all clients and on vulnerable servers as needed
- a file change checker such as the free LANguard file integrity checker
from www.gfi.com [download page is hidden under the "white papers" section
on their web site]
- a port scanner such as SuperScan from www.foundstone.com
- fport or vision from www.foundstone.com [must be run locally, can be
scripted]. Also check out the log analyzer tools there.
- a firewall with logging set up and that blocks outbound connections as
well as inbound [the cheapest firewalls start with Netgear or Linksys at
around $70 US]
- consider firewall software such as Sygate for vulnerable clients and
servers
- run one or more vulnerability assessment scanners such as the free
LANguard software from www.gfi.com
- run HFNETCHK [available from www.microsoft.com/security or
www.microsoft.com/download ] to scan computers on the network for missing
patches [requires Remote Registry service be running and accessible]

The port scanner will help you to see if other computers are running FTP
servers. Fport will help you tell whether Microsoft IIS FTP server is being
used, or whether the hackers installed their own FTP server software [the
latter is usually somewhat more disturbing]. If the latter is used, the IIS
web server logs will often show exactly how the intrusion took place [look
for any lines containing % or .EXE and that also have a code 200 or 502 in
the line]. If Microsoft FTP server was used, it could be as simple as the
FTP server was set up with the anonymous user having both read and write
access to a folder, which allows this sort of thing.

Using a firewall and antivirus is not enough. You also want to have all
service packs and security patches installed on all computers, especially
Microsoft patches, and the computers should also be configured securely
using, for starters, the security checklists at www.microsoft.com/security.
For some of this stuff, such as configuring the firewall, your company
should consider hiring a security consultant, as you'll be hacked again if
it isn't done correctly. Consider reading books such as Hacking Exposed 3rd
edition and maybe Incident Response.

"Alec" <alec34us@yahoo.com> wrote in message
news:13d7c01c25c6c$902c7050$3bef2ecf@TKMSFTNGXA10...
> I just started this IT job on an entry level position.
> The department has a lot of computers and I don't know if
> they are infected too. This happened on an old lady's
> computer. Is there any software available that I can
> purchase to scan the other computers?
>
> Thanks!!
>
> >-----Original Message-----
> >
> >"alec" <alec34us@yahoo.com> wrote in message
> >news:1161501c25c4d$653451c0$37ef2ecf@TKMSFTNGXA13...
> >> Dear Newsgroup,
> >>
> >> I have just realized that my computer at work had been
> >> hacked. It is Windows 2000. Someone has hacked into it
> >> and made it a file server for "Star War" movies. It has a
> >> trojan on it. My question is how? Or more important is
> >> there any third party software that I can scan our other
> >> office computers for this. How can I check. I had no
> >> idea this was going on in my computer. I am scared!
> >>
> >> Thanks for any help!!
> >
> >
> >First of all, if you don't have anti-virus software, get some. If you do
> >but it doesn't detect it, get Norton Antivirus or something that you
> >actually pay for.
> >Second, get a firewall. Any firewall. Delete the movies.
> >But are you sure you were hacked? What if it's your friend or son or wife?
> >
> >
> >.
> >
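
The IIS log check described in the reply above (lines containing % or .EXE that also carry status 200 or 502), as an added example that is not part of the original post. It assumes the logs are in W3C extended format with a `#Fields:` header; the function name, sample lines and addresses are constructed for illustration.

```python
import re

# Constructed sample in IIS W3C extended format (not taken from the post).
# The second "#Fields:" line mimics a service restart with a changed field set.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-09-10 03:12:01 192.0.2.10 GET /default.htm - 200
2002-09-10 03:12:07 192.0.2.44 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200
2002-09-10 03:12:09 192.0.2.44 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404
2002-09-10 03:12:15 192.0.2.44 GET /scripts/tool.exe - 502
#Fields: time c-ip cs-method cs-uri-stem sc-status
03:20:44 192.0.2.10 GET /images/logo%20small.gif 200
03:21:02 192.0.2.77 GET /downloads/setup.EXE 200
"""

SUSPICIOUS = re.compile(r"%|\.exe", re.IGNORECASE)   # "%" or ".EXE" in the request
STATUS_OF_INTEREST = {"200", "502"}                  # codes named in the post


def find_suspicious_requests(log_text):
    """Return (line_no, client_ip, uri, status) for each request that matches."""
    fields, hits = [], []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                         # truncated or malformed entry
        row = dict(zip(fields, values))
        uri = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        if query != "-":
            uri += "?" + query
        status = row.get("sc-status", "")
        if status in STATUS_OF_INTEREST and SUSPICIOUS.search(uri):
            hits.append((line_no, row.get("c-ip", "-"), uri, status))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit)
```

The filter is deliberately broad: in the sample it also flags a URL-encoded space and an ordinary installer download, so each hit is a line to review rather than proof of intrusion.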


