Security Incidents mailing list archives

Re: Suspicious file on Desktop


From: PAUL_TAYLOR () qvc com
Date: Mon, 10 Feb 2003 12:11:54 -0500


Have you made any DCC connections with those people at those times? That's
what it looks like.

Paul


                                                                                                                        
         
Patrick Fish <patrick@pwhsnet.com>
02/10/2003 05:12 AM
Ext: NA

To:       incidents () securityfocus com
cc:       (bcc: PAUL TAYLOR/QVC)
Subject:  Suspicious file on Desktop




Hi,

I've been trying to figure out why there is a "Startup.log" file on my
desktop. I've searched mail archives and google, but didn't find anything
about this. The file contains:

(Last octet of IP removed)
CONNECTION: [01/26/03 21:50 UTC] 62.163.176.xx
CONNECTION: [01/26/03 21:56 UTC] 67.192.41.xxx
CONNECTION: [01/26/03 22:01 UTC] 67.192.41.xxx
CONNECTION: [02/06/03 08:46 UTC] 65.65.81.xxx
CONNECTION: [02/06/03 08:46 UTC] 65.65.81.xxx
CONNECTION: [02/06/03 08:49 UTC] 80.194.40.xxx
CONNECTION: [02/06/03 09:06 UTC] 144.134.163.xx
CONNECTION: [02/06/03 09:11 UTC] 216.249.81.xx
CONNECTION: [02/06/03 09:46 UTC] 136.165.87.xxx
CONNECTION: [02/06/03 09:47 UTC] 211.28.63.xxx


After resolving a few of them, these are all people I know pretty well on
IRC. I can't figure out what's causing this - I don't use a mIRC script, I
don't have a firewall (XP firewall is disabled) -- I do have Norton 2003
Pro. I'm using Windows XP Pro on Service Pack 1a, but the file was created
before I installed SP1a.

I've checked my process list, and there's nothing running that shouldn't
be.

Has anyone seen something similar or knows what's causing this?


Thanks.


--
Patrick Fish



----------------------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com




