Re: greeted by a file transfer

[Keith Reid <Keith.Reid () INGRAMMICRO CA>]

Did your W2K system have terminal services installed on it?  The
additional copy of MMC that was running may have been running under a
terminal login.  Under TaskMan you can show the user that owns/spawned
the task.  For you'd then be able to see the logins being used for each
of the services.  

You can also of course check the terminal services manager to see if
anyone is connected currently.

> -----Original Message-----
> From: Geek, Security [mailto:securitygeek () HUSHMAIL COM]
> Sent: Friday, February 02, 2001 10:25 AM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: greeted by a file transfer
>
>
> I think I've been hacked, and would like some advice on how 
> to proceed.
>
> This morning my computer popped up with a file transfer box, 
> without my
> taking any direct action initiate the transfer, and I 
> recognized the site
> to which the transfer was headed as a hostile site. Here are 
> the details...
>
> Win2k Advanced Server with SP1 and some security patches 
> (it's been a couple
> of months since I've applied patches). Office 2k installed 
> (unknown patch
> level). Yes, I know this is bad, and I suspect I have learned 
> a good lesson
> here. Other programs that were running when this happened 
> were SETIq, the
> SETI at Home client, Eudora and Outlook Express.
>
> I was logged on as the administrator and I had just 
> downloaded the latest
> version of SETIq and attempted to install it. After I 
> launched the setup.exe
> file, nothing happened. I check the Task Manager and noted 
> setup.exe and
> wow.exe were listed. I ended the setup.exe process and Win2k 
> prompted that
> the 16bit subsystem was unstable and asked if I wanted to 
> reset the 16 bit
> subsystem. I confirmed.
>
> I then noticed that there were two instances of mmc.exe open. 
> I had been
> using the MMC the night before, but had closed all MMC 
> windows before going
> to bed. I ended process on both of them, and immediately 
> after I killed
> the second one, Word for Windows popped up with a gray 
> background (no open
> document) and with a box that said "Transferring file to 
> 'http:\\www.<hostilesite>.org".
> Then a logon dialog popped up.
>
> I sat there with a stupid look on my face for about five 
> seconds. Then I
> shut down all open programs, gracefully shut down the system, 
> and pulled
> the Internet connection. I left home with the system powered off.
>
> I am running a LinkSys router that doubles as a firewall. I 
> haven't verified
> that it is still configured as I last left it, but I know 
> that it was not
> set to forward traffic from unestablished sessions to any 
> internal hosts.
> I had set it to block all outbound traffic on ports 69, 135 
> through 139
> and 445.
>
> I'd like to know if this sounds like an incident to the list, 
> if so what
> exploits would cause Word to launch in this manner and 
> attempt to transfer
> a file, and how should I go about investigating this? This is 
> not a critical
> system, and I can afford to be patient with this. I can (and 
> will likely)
> format and reinstall from CD once this is all settled.
>
> Thanks.