RE: XP Box appears to be compromised

["Paul Farag" <paul () farag ws>]

Assuming someone's watching the screen, there's a good chance they'll close
the connection if they see you doing a netstat while they're connected.
Doesn't sound like anything related to terminal services (xp remote desktop)
as it'll lock the console session while the remote session is active.  VNC,
however, is more liberal.  Could also be any Trojan.  Thoroughly scan the
machine (TDS, pestpatrol, antivir, etc.), install a software firewall, find
out what ports are being used by what processes (www.diamondcs.com.au, the
makers of TDS, make a port monitor that works well).  If you find nothing
and you're sure the machine has been compromised, format.

-----Original Message-----
From: chris [mailto:chris09 () linuxmail org] 
Sent: Wednesday, August 06, 2003 11:40 AM
To: security-basics () securityfocus com
Subject: Re: XP Box appears to be compromised

In-Reply-To:
<D8914909A618614AA32CB22F172F3E2D071A88 () dmaul hoth alvalearning com>

Easiest way to do this is to open a prompt on the box and simply 

type "netstat -a"  if theres someone connected to the box it should point  

you right to their IP address. 



Chris



www.cr-secure.net





> Received: (qmail 22282 invoked from network); 6 Aug 2003 18:15:44 -0000

> Received: from outgoing3.securityfocus.com (205.206.231.27)

>  by mail.securityfocus.com with SMTP; 6 Aug 2003 18:15:44 -0000

> Received: from lists.securityfocus.com (lists.securityfocus.com 

[205.206.231.19])

>       by outgoing3.securityfocus.com (Postfix) with QMQP

>       id DF73DA3163; Wed,  6 Aug 2003 12:18:42 -0600 (MDT)

> Mailing-List: contact security-basics-help () securityfocus com; run by ezmlm

> Precedence: bulk

> List-Id: <security-basics.list-id.securityfocus.com>

> List-Post: <mailto:security-basics () securityfocus com>

> List-Help: <mailto:security-basics-help () securityfocus com>

> List-Unsubscribe: <mailto:security-basics-unsubscribe () securityfocus com>

> List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>

> Delivered-To: mailing list security-basics () securityfocus com

> Delivered-To: moderator for security-basics () securityfocus com

> Received: (qmail 12361 invoked from network); 6 Aug 2003 10:56:22 -0000

> X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0

> content-class: urn:content-classes:message

> Subject: XP Box appears to be compromised

> MIME-Version: 1.0

> Content-Type: text/plain;

>       charset="US-ASCII"

> Content-Transfer-Encoding: quoted-printable

> Date: Wed, 6 Aug 2003 11:03:31 -0600

> Message-ID: 

<D8914909A618614AA32CB22F172F3E2D071A88 () dmaul hoth alvalearning com>

> X-MS-Has-Attach: 

> X-MS-TNEF-Correlator: 

> Thread-Topic: XP Box appears to be compromised

> Thread-Index: AcNcPKmigN12jsnKTyK/Qlaav5Jhdg==

> From: "Gregory M. Brown" <gbrown () alvalearning com>

> To: <security-basics () securityfocus com>

>

> I've got an issue with what appears to be remote desktop management of

> an XP box.  It's weird...

>

> There are deliberate mouse movements on this box.  I'm assuming it's an

> internal person doing this as our FW and Fortinet device will block any

> remote seizing of a desktop.  I've disabled all the XP remote services,

> and it continues to happen.  I could bust open packets with sniffer, but

> there is a time constraint as the organization laid virtually all IT

> people off.  Imagine that....

>

> What should I be looking for?  I need to nail whoever is doing this.=20

>

> Thanks for any help.

>

> Greg B.

>

>

>

> --------------------------------------------------------------------------

-

> --------------------------------------------------------------------------

--

>

>


---------------------------------------------------------------------------
----------------------------------------------------------------------------




---------------------------------------------------------------------------
----------------------------------------------------------------------------