Security Incidents mailing list archives
Re: greeted by a file transfer
From: Keith Reid <Keith.Reid () INGRAMMICRO CA>
Date: Sun, 4 Feb 2001 17:53:42 -0500
Did your W2K system have terminal services installed on it? The additional copy of MMC that was running may have been running under a terminal login. Under TaskMan you can show the user that owns/spawned the task. You'd then be able to see the logins being used for each of the services. You can also of course check the terminal services manager to see if anyone is connected currently.
-----Original Message-----
From: Geek, Security [mailto:securitygeek () HUSHMAIL COM]
Sent: Friday, February 02, 2001 10:25 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: greeted by a file transfer

I think I've been hacked, and would like some advice on how to proceed. This morning my computer popped up with a file transfer box, without my taking any direct action to initiate the transfer, and I recognized the site to which the transfer was headed as a hostile site. Here are the details...

Win2k Advanced Server with SP1 and some security patches (it's been a couple of months since I've applied patches). Office 2k installed (unknown patch level). Yes, I know this is bad, and I suspect I have learned a good lesson here. Other programs that were running when this happened were SETIq, the SETI at Home client, Eudora and Outlook Express.

I was logged on as the administrator and I had just downloaded the latest version of SETIq and attempted to install it. After I launched the setup.exe file, nothing happened. I checked the Task Manager and noted setup.exe and wow.exe were listed. I ended the setup.exe process and Win2k prompted that the 16-bit subsystem was unstable and asked if I wanted to reset the 16-bit subsystem. I confirmed. I then noticed that there were two instances of mmc.exe open. I had been using the MMC the night before, but had closed all MMC windows before going to bed. I ended process on both of them, and immediately after I killed the second one, Word for Windows popped up with a gray background (no open document) and with a box that said "Transferring file to 'http:\\www.<hostilesite>.org'". Then a logon dialog popped up. I sat there with a stupid look on my face for about five seconds. Then I shut down all open programs, gracefully shut down the system, and pulled the Internet connection. I left home with the system powered off.

I am running a LinkSys router that doubles as a firewall. I haven't verified that it is still configured as I last left it, but I know that it was not set to forward traffic from unestablished sessions to any internal hosts. I had set it to block all outbound traffic on ports 69, 135 through 139 and 445.

I'd like to know if this sounds like an incident to the list, if so what exploits would cause Word to launch in this manner and attempt to transfer a file, and how should I go about investigating this? This is not a critical system, and I can afford to be patient with this. I can (and will likely) format and reinstall from CD once this is all settled. Thanks.
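As an added illustration of the check Keith Reid suggests above (this is not code from the thread), the following PowerShell script lists each process with the account that spawned it and the session it runs in, flags duplicate instances of the binaries named in the report, and shows who is currently connected, which is what the Terminal Services Manager view would tell you. It assumes a modern Windows host with PowerShell 5.1 or later; the watch-list names are taken from the original message.

```powershell
# Added example: identify which logon owns each process and which session it lives in.
# Assumes Windows with PowerShell 5.1+; Win32_Process, its GetOwner() method and
# 'query user' are standard Windows facilities.
param(
    # Binaries mentioned in the report: the duplicate MMC, Word, and the 16-bit host.
    [string[]]$WatchList = @('mmc.exe', 'winword.exe', 'wow.exe')
)

# Win32_Process exposes SessionId; GetOwner() returns the domain\user that spawned it.
$procs = Get-CimInstance -ClassName Win32_Process | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    [pscustomobject]@{
        Pid       = $_.ProcessId
        Name      = $_.Name
        SessionId = $_.SessionId
        Owner     = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
        Parent    = $_.ParentProcessId
        Started   = $_.CreationDate
    }
}

# 1. Duplicate instances of watched binaries: two copies of mmc.exe under different
#    owners or sessions is exactly the case the reply describes.
$procs | Where-Object { $WatchList -contains $_.Name } |
    Group-Object Name |
    Where-Object Count -gt 1 |
    ForEach-Object {
        Write-Host "Multiple instances of $($_.Name):"
        $_.Group | Format-Table Pid, Owner, SessionId, Parent, Started -AutoSize
    }

# 2. Processes outside our own interactive session. Session 0 holds services, so it is
#    skipped; anything else that is not our session indicates another logon
#    (a terminal-services session on this host).
$mySession = (Get-Process -Id $PID).SessionId
Write-Host "Processes running in sessions other than $mySession (services excluded):"
$procs | Where-Object { $_.SessionId -ne $mySession -and $_.SessionId -ne 0 } |
    Format-Table Pid, Name, Owner, SessionId -AutoSize

# 3. Current logon sessions (session name, state, logon time), the same information
#    the Terminal Services Manager shows; silently skipped if the tool is absent.
Write-Host "Connected sessions:"
query user 2>$null
```

Run it from an elevated prompt so GetOwner() succeeds for processes belonging to other users; otherwise those rows show as <unknown>.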