Security Incidents mailing list archives
Re: Possible System Compromise
From: H C <keydet89 () yahoo com>
Date: Tue, 9 Jul 2002 16:27:26 -0700 (PDT)
David,

A couple of questions:

1. How does this information that you've provided below relate to the title of "possible system compromise"?

2. Have you retrieved any process information from the system? Using pslist/handle/listdlls from SysInternals, and "netstat -ano" on the XP box, will provide detailed process information.

3. Have the contents of any of these files been examined? Have the MAC times of the files been recorded, and any of them opened in a hex editor, or even Notepad?

4. Has any information been collected from the system, such as open/running services, processes, etc? Has _any_ incident response been done at all? Was auditing enabled on the XP system, such that Process Tracking might provide some information?

--- David Baker <bakerd () mitre org> wrote:
All,

I have a person that contacted me after some strange files appeared in the root directory of his Windows XP box. This person is remote from me, and I don't have a lot to go on right now, but there are about 30 files that appeared in the root directory:

S3no     23KB
S3no.1    7KB
S3no.2    4KB
S3no.3   23KB
S3no.4  472KB
S3no.5   23KB
S3no.6    7KB
S3no.7    4KB
S3no.8   23KB
S3no.9  472KB
S3no.a   23KB
S3no.b    7KB
S3no.c    4KB
S3no.d   23KB
S3no.e  472KB
S3no.f   23KB
S3no.g    7KB
S3no.h    4KB
S3no.i   23KB
S3no.j  472KB
S3no.k   23KB
S3no.l    7KB
S3no.m    4KB
S3no.n   23KB
S3no.o  472KB
S3no.p   23KB
S3no.q    7KB
S3no.r    4KB
S3no.s   23KB
S3no.t  472KB

This sounds familiar to me, but I cannot seem to find anything in my archives about this one. I also couldn't find anything relevant with a couple of searches. Does anyone have a cluebat they can smack me with?

The pattern of file sizes is constant. All the files have the same date/time: 6/16/2002 at 6:42pm.

Thanks in advance.

Dave B.
--
------------------------------------------------------------
David W. Baker
bakerd () mitre org
Lead INFOSEC Engineer
G023 - Secure Information Technology
(703) 883-3658
(703) 883-4589 (F)
The MITRE Corporation
Mailstop W435
7515 Colshire Drive
McLean, VA, 22102
------------------------------------------------------------
"Cyberspace. A consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts... A graphic representation of data abstracted from the banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data. Like city lights, receding..."
- William Gibson, "Neuromancer"

"640K ought to be enough for anybody."
- Bill Gates, 1981
-------------------------------------------------------------
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
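An added triage script, not from either poster, that does for the S3no* files what H C's questions 3 and 4 ask for: it records each file's MAC times, size, SHA-256 and leading bytes without modifying the files, and tests whether the size sequence repeats with a fixed period, as the 23/7/4/23/472 KB cycle in the post does. Assumed: the files are readable from a mounted copy of the drive and the directory path and "S3no" prefix are passed in.

```python
"""Read-only triage of a directory for files with a given prefix (constructed
example for the S3no* files in the thread)."""
import hashlib
from datetime import datetime, timezone
from pathlib import Path


def file_record(path: Path) -> dict:
    """MAC times, size, hash and first 16 bytes of one file."""
    st = path.stat()  # stat first so the recorded atime predates our own read
    with path.open("rb") as fh:
        data = fh.read()
    iso = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    return {
        "name": path.name,
        "size": st.st_size,
        "mtime": iso(st.st_mtime),
        "atime": iso(st.st_atime),
        "ctime": iso(st.st_ctime),  # creation time on Windows, inode change on POSIX
        "sha256": hashlib.sha256(data).hexdigest(),
        "magic": data[:16].hex(),  # compare against known headers (MZ, PK, ...)
    }


def size_period(sizes: list[int]):
    """Shortest p with sizes[i] == sizes[i+p] for every i, or None if no cycle."""
    n = len(sizes)
    for p in range(1, n):
        if all(sizes[i] == sizes[i + p] for i in range(n - p)):
            return p
    return None


def triage(directory: str, prefix: str = "S3no") -> dict:
    """Records for prefix* files in name order, plus the summary facts that
    decide the next step: does size repeat, are same-size files identical,
    and were they all written at one time?"""
    paths = sorted(p for p in Path(directory).iterdir()
                   if p.is_file() and p.name.startswith(prefix))
    records = [file_record(p) for p in paths]
    return {
        "records": records,
        "size_period": size_period([r["size"] for r in records]),
        "distinct_hashes": len({r["sha256"] for r in records}),
        "distinct_mtimes": len({r["mtime"] for r in records}),
    }
```

A distinct_hashes count equal to the number of distinct sizes means the 30 files are only a handful of unique payloads written repeatedly, which narrows the search considerably.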