Security Incidents mailing list archives

Re: Strange Folder


From: discipulus <rootman22 () attbi com>
Date: 06 Oct 2002 13:47:19 -0600

Thanks, Neil.



On Sun, 2002-10-06 at 10:11, Neil Dickey wrote:

> discipulus <rootman22 () attbi com> wrote asking:
>
> > The other day I noticed a strange folder had been created
> > on my W2K Pro machine at work.
> >
> > [ ... ]
> >
> > Has my account/PC been compromised?
>
> That would be a strong first working hypothesis.
>
> > One thing I do know for sure, someone who didn't previously
> > have permission to do so, gained access to my computer.  Folders
> > just don't show up mysteriously in C:\Documents and Settings\
> > unless someone logs in.
>
> Perhaps someone else can tell you exactly what this all means,
> but my approach would be to get hold of some forensics tools
> and check the machine over carefully.  Fport comes to mind
> right away.  It can tell you what's connected to your machine
> and to which port.  You can get started here ...
>
>   http://www.foundstone.com
>   http://www.treachery.net
>
> ... among other places.  Look in their "Tool" bins.

Thanks, I'll check those out.  I do have a similar utility that
I run from time to time that shows connections in real time and
their associated ports.  I can't remember the name of it at the
moment.

> It's a good idea to have a kit of such tools on a read-only
> CD in advance of an incident like this, so that you have
> tools you know you can trust -- that haven't been trojanned
> -- ready to use.  It's rather like the instructions in a
> snake-bite kit.  You want to be familiar with them *before*
> Mr. Snake has his way with you.

Yes, this makes sense.

> Another really good idea is a firewall.  ZoneAlarm and Sygate
> have good reputations, but, again, one wants these up and
> running *before* something bad happens.

I had previously considered using ZoneAlarm, but wouldn't this
cause problems with my LAN/WAN connectivity?

> I hope you have your data backed up, because I suspect that
> you may ultimately have to clean your hard drive and
> re-install from scratch.

Yes, I have access to Ghost images that will aid with that
if required.

My gut tells me that this person didn't have malicious intent and
was using my computer as a medium for vulnerability testing.
Unfortunately, the person didn't obtain my permission to do so or
didn't notify me afterward.  So, even though the intent was not
malicious, it's still an intrusion nonetheless.  If one wishes to
test for vulnerabilities, he/she does it on their own computer or
on one that isn't being used by anyone else.

Anyway, that's my logic.

Thanks for your help.

> Best regards,
>
> Neil Dickey, Ph.D.
> Research Associate/Sysop
> Geology Department
> Northern Illinois University
> DeKalb, Illinois 60115
>
> --
> "The Computer made me do it."
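Neil's suggestion of Fport (mapping each open port to the process that owns it) can be reproduced on a modern Windows box from the output of `netstat -ano` and `tasklist`. The script below is an added example, not part of the original thread and not Fport itself; it parses constructed sample output embedded inline, flags any listener outside an assumed allowlist of expected ports, and lists the remote hosts the owning process is talking to.

```python
# Constructed sample output of `netstat -ano` and `tasklist` (not a real capture).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1724
  TCP    192.168.1.20:1102      203.0.113.9:6667       ESTABLISHED     1724
  UDP    0.0.0.0:137            *:*                                    4
"""
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
System                           4 Console                    0        236 K
svchost.exe                    948 Console                    0      4,812 K
svchst.exe                    1724 Console                    0      3,104 K
"""
# Assumption: this workstation should only expose Windows file/print sharing ports.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 137)}

def parse_netstat(text):
    """Parse `netstat -ano` rows into (proto, local_port, foreign, state, pid) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) == 5 else ""      # UDP rows have no State column
        port = int(parts[1].rsplit(":", 1)[1])           # rsplit also copes with [::]:port
        rows.append((parts[0], port, parts[2], state, int(parts[-1])))
    return rows

def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output (header lines have no numeric PID)."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            procs[int(parts[1])] = parts[0]
    return procs

def unexpected_listeners(netstat_text, tasklist_text, expected):
    """(proto, port, pid, image, peers) per listener not in expected; peers = that PID's ESTABLISHED remotes."""
    rows = parse_netstat(netstat_text)
    procs = parse_tasklist(tasklist_text)
    found = []
    for proto, port, _foreign, state, pid in rows:
        if (state == "LISTENING" or proto == "UDP") and (proto, port) not in expected:
            peers = [f for _, _, f, st, p in rows if p == pid and st == "ESTABLISHED"]
            found.append((proto, port, pid, procs.get(pid, "<unknown>"), peers))
    return found
```

On a suspect machine, run the two commands from a trusted toolkit CD (as Neil advises) and feed their output to `unexpected_listeners`; any hit is a process and port to investigate before deciding whether to rebuild.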


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

