Security Incidents mailing list archives

Re: looking for help


From: Harlan Carvey <keydet89 () yahoo com>
Date: Tue, 4 Nov 2003 12:32:37 -0800 (PST)

Joyce,

A couple of things that may narrow down the search
regarding this issue...

1.  What are the OS(es) of the compromised machines?

2.  In order to narrow down the infection vector, you
may want to look at: (a) installed services such as
IIS, and their patch levels, (b) strength of
passwords, particularly the Administrator password,
(c) available shares, and (d) don't rule out physical
access to the system itself.

3.  Could you zip up all of the files associated with
this issue, particularly the .bat file, and provide a
link for download?  That way, anyone can analyze the
files themselves...this may simply be a variation on
other 'hacks'.

Look for additional comments inline...
 
The original breakin evidently occurred in June or
on July 1st.

What makes you say that?  What evidence can you point
to?

A file called "hax.bat" was placed on the victim
machines, and the scheduler was set to invoke it.
Hax.bat was evidently invoked late Oct. 4 or early
Oct. 5

I'm assuming that you found the entry in the Task
Scheduler...what info led you to believe that it was
invoked on 4 or 5 Oct?

Activation of the ftp service occurred on Oct. 15.

Would I be correct in assuming that you derived this
information from a log file of some sort?

If anyone has a clue about this, we
would appreciate any tidbit of information.

Not to put too fine a point on it, but what exactly
are you looking for?  I mean, admittedly you've
provided more info than most regarding this issue, but
it's still like a doctor trying to diagnose a
patient, with the symptoms being described by someone
unfamiliar with medical terminology.  What is your
goal?  To determine the infection vector?

Thanks,

Harlan
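Harlan's checklist above (scheduler entries, installed services, shares, the Administrator password, patch levels) turned into a first-pass triage script a responder could run on a suspect host. This is an added example, not part of the thread; it assumes a current Windows host with PowerShell 5.1 or later and the standard ScheduledTasks, SmbShare and LocalAccounts modules, rather than the 2003-era systems in the original, and the service names "ftpsvc"/"msftpsvc" are the usual IIS FTP service names, not something taken from the thread.

```powershell
# Added triage script (not from the thread). Assumes PowerShell 5.1+.
# Run as an administrator; every step only reads state, nothing is changed.

# 1. Scheduled tasks whose action runs a .bat file (the hax.bat pattern),
#    with last/next run times so the timeline claim can be checked.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match '\.bat') {
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                Command = $cmd
                LastRun = $info.LastRunTime
                NextRun = $info.NextRunTime
            }
        }
    }
} | Format-Table -AutoSize

# 2. Task Scheduler operational log: 100 = task started, 200 = action started.
#    This log is disabled by default; if it is empty, that is a finding too.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 100, 200
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# 3. FTP service state now, and Service Control Manager 7036 events
#    (service entered running/stopped) to date when it was activated.
Get-Service -Name ftpsvc, msftpsvc -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'FTP' } |
    Select-Object TimeCreated, Message | Format-Table -Wrap

# 4. Shares reachable from the network (beyond the default admin shares).
Get-SmbShare | Select-Object Name, Path, Description | Format-Table -AutoSize

# 5. The built-in Administrator (RID 500), even if renamed: password age
#    and last logon help judge the weak-password vector.
Get-LocalUser | Where-Object { $_.SID -like '*-500' } |
    Select-Object Name, Enabled, PasswordLastSet, LastLogon

# 6. Patch level: most recent hotfixes installed on the host.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, InstalledOn | Format-Table -AutoSize
```

Capture the output to a file on removable media rather than the suspect host so the evidence is not altered while you collect it.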

