Security Incidents mailing list archives

RE: They got me!!!


From: "Levenglick, Jeff" <JLevenglick () fhlbatl com>
Date: Thu, 6 Apr 2006 09:04:03 -0400

The one obvious place to start is with your kids. Assuming what you say
is true, that you're patched current on your OS and firewall, then it
is possible that someone ran something before you left (sounds like a
rootkit). Not sure if using tools to try to figure out what happened
will make much sense at this point. I would be more worried that someone
may have files, etc. from your hard disk.

A long shot...

1) I'm assuming that you have a router set up. Check the logs to see what
ports and IPs have come in through it during the time you were out.

2) Check with your ISP. Some of them are helpful if you tell them you
may have been hacked. You may be able to give them your current IP and
have them filter a log for that time frame.

3) Try running netstat -an and look for any odd outbound connections
with strange ports. Then Google or Yahoo to find what it is.

The biggest help will be finding the port in use or that was used (and
the IP). Most rootkits/trojans will keep sending to an IP and port; you
can then find info on what it does.

-----Original Message-----
From: pentesticle () yahoo com [mailto:pentesticle () yahoo com] 
Sent: Wednesday, April 05, 2006 12:24 PM
To: incidents () securityfocus com
Subject: They got me!!!

Hey list!!!

My kids left their 'puter on while I was away on vacation and some
lovely person managed to gain access to the 'puter. Unfortunately I was
on vacation, so I had all of my systems off except the one the kids turned
back on, so my sniffer was off as well.

I don't know much from the forensics side of the house as I mainly
perform audits and such, so was hoping I could get some insight as where
to start and tools to use to find everything that was done to the
computer.

My AV software picked up a trojan, but I figure it was after the fact and
is still resident on the system. It almost appears that they accessed
Hotmail and picked up files from a mailbox. (Sure wish my sniffer would
have been on :( ) The local Symantec firewall is being bypassed and most
of the services won't start. Term Svcs among others has been set to
manual but starts up automatically with Windows (I had it disabled
before) and will not allow me to stop the service. I keep the system up
to date with patches and AV signatures and use 25-char passwords with
fingerprint scanners for the kids to use, so I am not certain what they
used to exploit, but given time anything can be broken. My fingerprint
scanner doesn't show any failed logon attempts while we were gone, but
the security logs show numerous failed attempts by all of the accounts,
so I'm assuming they are trying to remotely access the PC. I'm thinking they
gained access to the account that was currently logged in, as it shows
that particular account's privileges were escalated in the log files
several times, then shortly after it shows the SYSTEM account making
changes to the system.

Anyway, if someone could recommend where to start and what tools I should
use, I guess this will begin my forensics career and OJT...

Much appreciated :)


