Re: Possible System Compromise

[H C <keydet89 () yahoo com>]

David,

A couple of questions:

1.  How does this information that you've provided
below relate to the title of "possible system
compromise"?

2.  Have you retrieved any process information from
the system?  Using pslist/handle/listdlls from
SysInternals, and "netstat -ano" on the XP box, will
provide detailed process information.

3.  Have the contents of any of these files been
examined?  Have the MAC times of the files been
recorded, and any of them opened in a hex editor, or
even Notepad?

4.  Has any information been collected from the
system, such as open/running services, processes, etc?
 Has _any_ incident response been done at all?  Was
auditing enabled on the XP system, such that Process
Tracking might provide some information?


--- David Baker <bakerd () mitre org> wrote:
> All,
>    I have a person that contacted me after some
> strange files appeared in the
> root directory of his Windows XP box.  This person
> is remote from me, and I
> don't have a lot to go on right now, but there are
> about 30 files that appeared
> in the root directory:
> S3no            23KB 
> S3no.1           7KB 
> S3no.2           4KB
> S3no.3          23KB
> S3no.4         472KB
> S3no.5          23KB
> S3no.6           7KB
> S3no.7           4KB
> S3no.8          23KB
> S3no.9         472KB
> S3no.a          23KB
> S3no.b           7KB
> S3no.c           4KB
> S3no.d          23KB
> S3no.e         472KB
> S3no.f          23KB
> S3no.g           7KB
> S3no.h           4KB
> S3no.i          23KB
> S3no.j         472KB
> S3no.k          23KB
> S3no.l           7KB
> S3no.m           4KB
> S3no.n          23KB
> S3no.o         472KB
> S3no.p          23KB
> S3no.q           7KB
> S3no.r           4KB
> S3no.s          23KB
> S3no.t         472KB
>
> This sounds familiar to me, but I cannot seem to
> find anything in my archives
> about this one.  I also couldn't find anything
> relevant with a couple of
> searches.  Does anyone have a cluebat they can smack
> me with?  The pattern of
> file sizes is constant.  All the files have the same
> date/time
> 6/16/2002 at 6:42pm
> Thanks in advance.
> Dave B.
>
> -- 
------------------------------------------------------------
>  David W. Baker                           
> bakerd () mitre org
>  Lead INFOSEC Engineer
>  G023 - Secure Information Technology      (703)
> 883-3658
>  The MITRE Corporation                     (703)
> 883-4589 (F)
>  Mailstop W435                             
>  7515 Colshire Drive                       McLean,
> VA, 22102
------------------------------------------------------------
>  "Cyberspace. A consensual hallucination experienced
> daily by
>  billions of legitimate operators, in every nation,
> by 
>  children being taught mathematical concepts... A
> graphic
>  representation of data abstracted from the banks of
> every
>  computer in the human system.  Unthinkable
> complexity.  Lines 
>  of light ranged in the nonspace of the mind,
> clusters and
>  constellations of data.  Like city lights,
> receding..."
>  - William Gibson, "Neuromancer" 
>  
>  "640K ought to be enough for anybody." - Bill
> Gates, 1981 
-------------------------------------------------------------
>
----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS
> analyzer service.
> For more information on this free incident handling,
> management 
> and tracking system please see:
> http://aris.securityfocus.com


__________________________________________________
Do You Yahoo!?
Sign up for SBC Yahoo! Dial - First Month Free
http://sbc.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com