Security Incidents mailing list archives
Re: looking for help
From: Harlan Carvey <keydet89 () yahoo com>
Date: Tue, 4 Nov 2003 12:32:37 -0800 (PST)
Joyce,

A couple of things that may narrow down the search regarding this issue...

1. What are the OS(s) of the compromised machines?

2. In order to narrow down the infection vector, you may want to look at:
   (a) installed services such as IIS, and their patch levels,
   (b) strength of passwords, particularly the Administrator password,
   (c) available shares, and
   (d) don't rule out physical access to the system itself.

3. Could you zip up all of the files associated with this issue, particularly the .bat file, and provide a link for download? That way, anyone can analyze the files themselves...this may simply be a variation on other 'hacks'.

Look for additional comments inline...
> The original breakin evidently occurred in June or on July 1st.
What makes you say that? What evidence can you point to?
> A file called "hax.bat" was placed on the victim machines, and the scheduler was set to invoke it. Hax.bat was evidently invoked late Oct. 4 or early Oct. 5
I'm assuming that you found the entry in the Task Scheduler...what info led you to believe that it was invoked on 4 or 5 Oct?
> Activation of the ftp service occurred on Oct. 15.
Would I be correct in assuming that you derived this information from a log file of some sort?
> If anyone has a clue about this, we would appreciate any tidbit of information.
Not to put too fine a point on it, but what exactly are you looking for? I mean, admittedly you've provided more info than most regarding this issue, but it's still like a doctor trying to diagnose a patient, with the symptoms being described by someone unfamiliar with medical terminology. What is your goal? To determine the infection vector?

Thanks,

Harlan
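The checklist in this reply (OS version, installed services and patch levels, account password attributes, available shares, the scheduled task that ran the .bat file, and a zipped bundle of the files for others to analyze) maps directly onto a triage-collection script. The PowerShell below is an added example written for this archive page, not code from Harlan Carvey or from the original thread; it assumes a modern Windows host with PowerShell 5 or later, and the default suspect path `C:\Windows\System32\hax.bat` is a hypothetical location chosen only so the script runs end to end (the thread never states where hax.bat was placed). It reads no passwords; for point 2(b) it records only password-age and lockout attributes that indicate whether a weak or never-rotated Administrator password is plausible.

```powershell
# Added triage-collection example (not from the original thread).
# Assumes Windows with PowerShell 5+. $SuspectFiles and $OutDir are
# hypothetical defaults chosen for illustration only.
param(
    [string[]]$SuspectFiles = @('C:\Windows\System32\hax.bat'),  # hypothetical path
    [string]$OutDir = "$env:TEMP\ir-triage-$(Get-Date -Format yyyyMMdd-HHmmss)"
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Host identity and OS version ("what are the OS(s) of the compromised machines?")
Get-CimInstance Win32_OperatingSystem |
    Select-Object CSName, Caption, Version, BuildNumber, InstallDate, LastBootUpTime |
    Export-Csv "$OutDir\os.csv" -NoTypeInformation

# 2(a). Installed services (IIS included, if present) and installed patches
Get-CimInstance Win32_Service |
    Select-Object Name, DisplayName, State, StartMode, StartName, PathName |
    Export-Csv "$OutDir\services.csv" -NoTypeInformation
Get-HotFix | Select-Object HotFixID, Description, InstalledOn |
    Export-Csv "$OutDir\hotfixes.csv" -NoTypeInformation

# 2(b). Local accounts with password-age attributes; no secrets are read
Get-LocalUser |
    Select-Object Name, Enabled, PasswordRequired, PasswordLastSet, LastLogon |
    Export-Csv "$OutDir\local-users.csv" -NoTypeInformation

# 2(c). Available shares
Get-SmbShare | Select-Object Name, Path, Description, ScopeName |
    Export-Csv "$OutDir\shares.csv" -NoTypeInformation

# The thread says the scheduler was set to invoke hax.bat, so record every
# task's action and its last/next run time; that is the evidence behind any
# "invoked late Oct. 4 or early Oct. 5" statement
Get-ScheduledTask | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo
    [pscustomobject]@{
        TaskName = $_.TaskName
        TaskPath = $_.TaskPath
        Author   = $_.Author
        State    = $_.State
        Actions  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        LastRun  = $info.LastRunTime
        NextRun  = $info.NextRunTime
    }
} | Export-Csv "$OutDir\scheduled-tasks.csv" -NoTypeInformation

# Timestamps and hashes of the suspect files, captured before anything is
# copied or zipped so the original MAC times are preserved in the record
$evidence = foreach ($f in $SuspectFiles) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f
        [pscustomobject]@{
            Path           = $item.FullName
            CreationTime   = $item.CreationTimeUtc
            LastWriteTime  = $item.LastWriteTimeUtc
            LastAccessTime = $item.LastAccessTimeUtc
            SHA256         = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        }
        Copy-Item -LiteralPath $f -Destination $OutDir
    }
}
$evidence | Export-Csv "$OutDir\suspect-files.csv" -NoTypeInformation

# 3. Bundle everything for other analysts, and publish the archive hash so
# recipients can confirm they downloaded the same bytes
$zip = "$OutDir.zip"
Compress-Archive -Path "$OutDir\*" -DestinationPath $zip -Force
(Get-FileHash -LiteralPath $zip -Algorithm SHA256).Hash | Set-Content "$zip.sha256"
Write-Output "Triage bundle: $zip"
```

Run it from an elevated prompt on each affected host and share the resulting `.zip` together with its `.sha256` file. The CSVs answer the questions this reply asks (which OS, which services and patches, which shares, what the scheduler actually ran and when), and the recorded creation and last-write times on the suspect files are what would support or contradict a "placed in June, invoked in October" timeline.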
Current thread:
- looking for help Joyce Looger (Nov 04)
- Re: looking for help Harlan Carvey (Nov 05)
- <Possible follow-ups>
- Re: looking for help tina helbig (Nov 05)
- Re: looking for help Harlan Carvey (Nov 05)
- RE: looking for help Gilmore, Corey (DPC) (Nov 05)