Security Incidents mailing list archives
RE: I think I've been hacked...please help!
From: "Arnold, Jamie" <harnold () binghamton edu>
Date: Mon, 8 Apr 2002 16:06:34 -0400
All:

I have several machines that are using excessive bandwidth. Upon inspection, I find multiple connections to servers with names like irc.badguuy.com, etc... on 6667. Incoming connections are random, although 1067 seems to be a common one. I have 4 instances of cmd.exe running and 2 of win.exe. While it looks like Egghead, the reg entries aren't there, nor the directories/files.

These machines all had an account ID of Microsoft with admin privs on them. They don't connect to a domain and were set up by the department "tech" person, who left them wide open.

What is confusing to me is that one of them uses our Exchange server, which is protected by Antigen (and I pull nearly every extension known to man) and McAfee on the desktop. I can't find anything that matches this.

Anyone have any insight?

Thanks
J

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- I think I've been hacked...please help! Joe Warner (Mar 31)
- Re: I think I've been hacked...please help! Ryan Russell (Apr 01)
- Re: I think I've been hacked...please help! Crist J. Clark (Apr 01)
- Re: I think I've been hacked...please help! Hugo van der Kooij (Apr 01)
- Message not available
- Re: I think I've been hacked...please help! Joe Warner (Apr 01)
- <Possible follow-ups>
- RE: I think I've been hacked...please help! Arnold, Jamie (Apr 08)
- RE: I think I've been hacked...please help! H C (Apr 09)
- RE: I think I've been hacked...please help! Pepijn Vissers (Apr 09)
- RE: I think I've been hacked...please help! KoRe MeLtDoWn (Apr 09)
- RE: I think I've been hacked...please help! H C (Apr 09)
- RE: I think I've been hacked...please help! Arnold, Jamie (Apr 09)
- RE: I think I've been hacked...please help! H C (Apr 09)