Security Basics mailing list archives
RE: XP Box appears to be compromised
From: "Paul Farag" <paul () farag ws>
Date: Wed, 6 Aug 2003 15:28:45 -0700
Assuming someone's watching the screen, there's a good chance they'll close the connection if they see you doing a netstat while they're connected. Doesn't sound like anything related to terminal services (XP remote desktop) as it'll lock the console session while the remote session is active. VNC, however, is more liberal. Could also be any Trojan. Thoroughly scan the machine (TDS, PestPatrol, AntiVir, etc.), install a software firewall, find out what ports are being used by what processes (www.diamondcs.com.au, the makers of TDS, make a port monitor that works well). If you find nothing and you're sure the machine has been compromised, format.

-----Original Message-----
From: chris [mailto:chris09 () linuxmail org]
Sent: Wednesday, August 06, 2003 11:40 AM
To: security-basics () securityfocus com
Subject: Re: XP Box appears to be compromised
In-Reply-To: <D8914909A618614AA32CB22F172F3E2D071A88 () dmaul hoth alvalearning com>

Easiest way to do this is to open a prompt on the box and simply type "netstat -a". If there's someone connected to the box it should point you right to their IP address.

Chris
www.cr-secure.net

Subject: XP Box appears to be compromised
Date: Wed, 6 Aug 2003 11:03:31 -0600
Message-ID: <D8914909A618614AA32CB22F172F3E2D071A88 () dmaul hoth alvalearning com>
From: "Gregory M. Brown" <gbrown () alvalearning com>
To: <security-basics () securityfocus com>
I've got an issue with what appears to be remote desktop management of
an XP box. It's weird...
There are deliberate mouse movements on this box. I'm assuming it's an
internal person doing this as our FW and Fortinet device will block any
remote seizing of a desktop. I've disabled all the XP remote services,
and it continues to happen. I could bust open packets with a sniffer, but
there is a time constraint as the organization laid virtually all IT
people off. Imagine that....
What should I be looking for? I need to nail whoever is doing this.
Thanks for any help.
Greg B.
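Paul's advice to find out which ports belong to which processes can be taken straight from netstat: on XP, `netstat -ano` adds an owning-PID column to the listing Chris suggests. The Python script below is an added example (not from anyone in the thread); it parses that output, flags established sessions on the RDP and VNC ports Paul mentions, and reports the PID to look up in Task Manager. The netstat output embedded in it is constructed, not captured from Greg's machine.

```python
"""Parse `netstat -ano` output (on XP the -o switch adds the owning PID column)
and flag remote-control sessions.  Added example; the netstat output below is
constructed, not taken from the thread."""
import re

# Well-known remote-control ports: RDP/Terminal Services and VNC displays :0-:6
REMOTE_CONTROL_PORTS = {3389: "RDP/Terminal Services"}
REMOTE_CONTROL_PORTS.update({5900 + n: f"VNC display :{n}" for n in range(7)})

# One data row: proto, local addr:port, foreign addr:port, optional state, PID
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state, pid = m.groups()
        conns.append({"proto": proto, "state": state or "", "pid": int(pid),
                      "local_addr": laddr, "local_port": None if lport == "*" else int(lport),
                      "remote_addr": raddr, "remote_port": None if rport == "*" else int(rport)})
    return conns

def remote_control_sessions(conns):
    """ESTABLISHED TCP sessions on a remote-control port -> (service, peer IP, PID).
    The PID is what you look up in Task Manager to put a process name to the port."""
    return [(REMOTE_CONTROL_PORTS[c["local_port"]], c["remote_addr"], c["pid"])
            for c in conns if c["proto"] == "TCP" and c["state"] == "ESTABLISHED"
            and c["local_port"] in REMOTE_CONTROL_PORTS]

def remote_control_listeners(conns):
    """Remote-control ports open even with nobody attached -> (service, port, PID)."""
    return [(REMOTE_CONTROL_PORTS[c["local_port"]], c["local_port"], c["pid"])
            for c in conns if c["proto"] == "TCP" and c["state"] == "LISTENING"
            and c["local_port"] in REMOTE_CONTROL_PORTS]

# Constructed sample: a VNC server (PID 1744) listening on 5900 with one peer attached.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1744
  TCP    192.168.1.50:5900      192.168.1.77:3412      ESTABLISHED     1744
  TCP    192.168.1.50:1057      10.0.0.9:80            ESTABLISHED     2208
  UDP    0.0.0.0:445            *:*                                    4
"""
```

Run it against a saved `netstat -ano > ports.txt` capture rather than live output, since, as Paul notes, a watching intruder may drop the session the moment the listing is taken.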