Security Incidents mailing list archives
Re: maybe a simple problem
From: "Michael Anuzis" <michael_anuzis () hotmail com>
Date: Thu, 03 Oct 2002 06:44:58 -0400
Another thing you might try, since it's a win98 machine that was hacked and *all* the developed trojans I've heard of that would work on win98 either use TCP or UDP, would be a simple port scan. Port scan TCP, port scan UDP, make sure *every single port* is checked. When a high port shows up that is suspicious you may have nailed your problem right there. You may even get lucky if the offenders haven't changed the default port and your port scanner (like nmap) would be able to tell you which trojan it is right then/there.
From my experience, the 3 most common you may want to have him look for would be:
1. SubSeven
2. Back Orifice
3. Master's Paradise

Keep in mind though, if you find one there's a very good chance there is another that was installed as a backup, almost anticipating that one be discovered.
Good luck --Michael
From: "Igor D. Spivak" <urbanachiever () attbi com>
To: "Andrew Fison" <afison () brit-tex net>, <incidents () securityfocus com>
Subject: Re: maybe a simple problem
Date: Wed, 2 Oct 2002 12:49:32 -0700

the way to track that is not through netstat (is too dependent on chance), but rather through a process/loaded dll list from an infected machine, being compared to a similar list on a known good machine and all non-matching entries researched. now then http://www.sysinternals.com/win9x/98utilities.shtml this should help you. also, what does the telescope look like (just curious).

regards,
IDS

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Michael Anuzis, CCNA
Network Security Consultant
http://www.anuzisnetworking.com
http://www.lucidic.net - The Distributed Honeypot Project
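Added example, not part of either message above: a sketch of the baseline comparison suggested in the quoted reply, diffing a suspect machine's process/loaded-DLL listing against one from a known-good machine. The tab-separated "process, module path" format, the sample listings, the name EXAMPLE1.EXE and the function names are all assumptions made for illustration.

```python
import ntpath
from collections import defaultdict

# Constructed sample listings in an assumed "process<TAB>module path" format.
KNOWN_GOOD = """\
EXPLORER.EXE\tC:\\WINDOWS\\EXPLORER.EXE
EXPLORER.EXE\tC:\\WINDOWS\\SYSTEM\\SHELL32.DLL
EXPLORER.EXE\tC:\\WINDOWS\\SYSTEM\\WSOCK32.DLL
SYSTRAY.EXE\tC:\\WINDOWS\\SYSTEM\\SYSTRAY.EXE
"""
SUSPECT = """\
explorer.exe\tc:\\windows\\explorer.exe
explorer.exe\tc:\\windows\\system\\shell32.dll
explorer.exe\tC:\\WINDOWS\\TEMP\\WSOCK32.DLL
systray.exe\tc:\\windows\\system\\systray.exe
EXAMPLE1.EXE\tC:\\WINDOWS\\SYSTEM\\EXAMPLE1.EXE
EXAMPLE1.EXE\tC:\\WINDOWS\\SYSTEM\\WSOCK32.DLL
"""

def parse_listing(text):
    """Return {process name: set of module paths}, lower-cased (Windows paths ignore case)."""
    modules = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        process, _, path = line.partition("\t")
        modules[process.strip().lower()].add(ntpath.normpath(path.strip()).lower())
    return modules

def compare(baseline, suspect):
    """List (kind, process, path) entries present only on the suspect machine."""
    findings = []
    known_dirs = defaultdict(set)  # module file name -> directories seen on the baseline
    for paths in baseline.values():
        for p in paths:
            known_dirs[ntpath.basename(p)].add(ntpath.dirname(p))
    for process, paths in sorted(suspect.items()):
        for p in sorted(paths - baseline.get(process, set())):
            name, folder = ntpath.basename(p), ntpath.dirname(p)
            if process not in baseline:
                kind = "new-process"
            elif name in known_dirs and folder not in known_dirs[name]:
                kind = "moved-module"  # familiar name loaded from an unfamiliar directory
            else:
                kind = "new-module"
            findings.append((kind, process, p))
    return findings

if __name__ == "__main__":
    print(*compare(parse_listing(KNOWN_GOOD), parse_listing(SUSPECT)), sep="\n")
```

Every entry it reports is a lead to research, as the reply says, not a verdict; legitimate software installed only on the suspect machine will show up too.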