Re: Proxy stealing journal access

["Rajewski, Jonathan" <rajewski () CHAMPLAIN EDU>]

I recommend getting this laptop to a forensics expert. The more you poke
around that machine the more you change data that might help you understand
the gravity of the situation.

Jon
On Oct 6, 2014 10:27 PM, "Andrew Daviel" <advax () triumf ca> wrote:

> We have an institutional subscription to a number of scientific journals,
> where our IPv4 address block is whitelisted so we can do searches without
> logging in per-user.
>
> Recently we had a complaint from SAE about unusual activity on our
> account. Their logs show downloads of some papers all from January 1994,
> from one of our laptops and also from an address from China Mobile.
> At the time in question, our network logs show a connection from the China
> Mobile address to the laptop - apparently a Web proxy on port 9064.
>
> So it looks like there is something on our laptop that allows a remote
> user to download journal papers using our subscription.
>
> When I look on the laptop, I can't find it. The laptop was rebooted, but I
> had expected something like Squid to start up again. There seem to be no
> common ports open. I'd half expected something simple installed by a user -
> VNC or logmein - but I don't see that.
>
> It's an older machine running XP with a few "possibly harmless" adwares, a
> couple of which I've cleared out.
>
> Has anyone seen anything like this ?
>
> I read things in the media about industrial espionage from China, so I'm
> half thinking "APT", but on the other hand it may be a wild goose chase.
>
> I'm running malwarebytes, which has turned up a few "potentially unwanted
> programs" but nothing really obvious. My usual Linux technique of looking
> for changed files is stymied because the users installed a lot of
> legitimate programs right around the same time - LabView etc.
>
> --
> Andrew Daviel, TRIUMF, Canada
> Tel. +1 (604) 222-7376  (Pacific Time)
> Network Security Manager