Security Incidents mailing list archives

Re: Strange Folder


From: Neil Dickey <neil () geol niu edu>
Date: Sun, 6 Oct 2002 11:11:30 -0500 (CDT)

discipulus <rootman22 () attbi com> wrote asking:

The other day I noticed a strange folder had been created
on my W2K Pro machine at work.

[ ... ]

Has my account/PC been compromised?

That would be a strong first working hypothesis.

Perhaps someone else can tell you exactly what this all means,
but my approach would be to get hold of some forensics tools
and check the machine over carefully.  Fport comes to mind
right away.  It can tell you what's connected to your machine
and to which port.  You can get started here ...

  http://www.foundstone.com
  http://www.treachery.net

... among other places.  Look in their "Tool" bins.

It's a good idea to have a kit of such tools on a read-only
CD in advance of an incident like this, so that you have
tools you know you can trust -- that haven't been trojanned
-- ready to use.  It's rather like the instructions in a
snake-bite kit.  You want to be familiar with them *before*
Mr. Snake has his way with you.

Another really good idea is a firewall.  ZoneAlarm and Sygate
have good reputations, but, again, one wants these up and
running *before* something bad happens.

I hope you have your data backed up, because I suspect that
you may ultimately have to clean your hard drive and
re-install from scratch.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
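The check Neil describes for Fport (which sockets are open and which process owns each one) can be reproduced from two native command outputs. The script below is an added example, not Fport and not anything from the thread: it joins a `netstat -ano` socket table (the `-o` column is assumed to be available, as on later Windows versions) with a `tasklist /fo csv` process list, attributes every port to a process, and flags listeners outside a baseline you define plus any live connection owned by one of those processes. The netstat and tasklist text, the baseline set, and the process names are all constructed sample data.

```python
"""
Fport-style triage: attribute every open socket to its owning process and
flag the ones that do not belong.  Added example; the sample command output
below is constructed to match the layout of `netstat -ano` and
`tasklist /fo csv` and is not captured from any real host.
"""
import csv
import io
import re

# Constructed sample of `netstat -ano` output (assumption: this column layout).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       432
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       8
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1724
  TCP    192.168.1.20:1045      203.0.113.9:6667       ESTABLISHED     1724
  UDP    0.0.0.0:137            *:*                                    8
"""

# Constructed sample of `tasklist /fo csv` output; "wincfg32.exe" is invented.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","8","Console","0","216 K"
"svchost.exe","432","Console","0","3,204 K"
"wincfg32.exe","1724","Console","0","1,980 K"
"""

# Baseline of (proto, port) pairs this host is expected to expose.
# Assumption: you build this list for the machine *before* an incident.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 137)}

# proto, local ip, local port, foreign address, optional state, PID
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Return one tuple per socket line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, lip, lport, remote, state, pid = m.groups()
            rows.append((proto, lip, int(lport), remote, state or "", int(pid)))
    return rows


def parse_tasklist(text):
    """Map PID -> image name from the CSV form of tasklist."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(r["PID"]): r["Image Name"] for r in reader}


def attribute_sockets(netstat_text, tasklist_text):
    """Join the socket table to the process list on PID."""
    procs = parse_tasklist(tasklist_text)
    result = []
    for proto, lip, lport, remote, state, pid in parse_netstat(netstat_text):
        result.append({
            "proto": proto, "local": f"{lip}:{lport}", "port": lport,
            "remote": remote, "state": state, "pid": pid,
            "process": procs.get(pid, "<unknown>"),
        })
    return result


def suspicious(sockets, expected=EXPECTED_LISTENERS):
    """Listeners outside the baseline, plus every established connection
    owned by a process that also holds an unexpected listener."""
    flagged, bad_pids = [], set()
    for s in sockets:
        is_listener = s["state"] == "LISTENING" or s["proto"] == "UDP"
        if is_listener and (s["proto"], s["port"]) not in expected:
            flagged.append(s)
            bad_pids.add(s["pid"])
    for s in sockets:
        if s["state"] == "ESTABLISHED" and s["pid"] in bad_pids:
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    table = attribute_sockets(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for s in table:
        print(f'{s["proto"]:4} {s["local"]:22} {s["remote"]:20} '
              f'{s["state"]:12} {s["pid"]:5} {s["process"]}')
    print("\nFlagged:")
    for s in suspicious(table):
        print(f'  {s["proto"]} {s["local"]} -> {s["remote"]} ({s["process"]})')
```

Run the two commands on the suspect machine from your read-only toolkit, save their output to files, and feed those files in place of the sample strings; the value of the check comes from the baseline, so record the expected listeners for each machine while it is known-good.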


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com