Security Incidents mailing list archives
RE: They got me!!!
From: "Levenglick, Jeff" <JLevenglick () fhlbatl com>
Date: Thu, 6 Apr 2006 09:04:03 -0400
The one obvious place to start is with your kids. Assuming what you say is true, that you're patched current on your OS and firewall, then it is possible that someone ran something before you left. (Sounds like a root kit.) Not sure if using tools to try to figure out what happened will make much sense at this point. I would be more worried that someone may have files, etc. from your hard disk.

A long shot...

1) I'm assuming that you have a router set up. Check the logs to see what ports and IPs have come in through it during the time you were out.

2) Check with your ISP. Some of them are helpful if you tell them you may have been hacked. You may be able to give them your current IP and have them filter a log for that time frame.

3) Try running netstat -an and look for any odd outbound connections with strange ports. Then Google or Yahoo to find what it is. The biggest help will be finding the port in use or that was used (and the IP). Most root kits/trojans will keep sending to an IP and port; you can then find info on what it does.

-----Original Message-----
From: pentesticle () yahoo com [mailto:pentesticle () yahoo com]
Sent: Wednesday, April 05, 2006 12:24 PM
To: incidents () securityfocus com
Subject: They got me!!!

Hey list!!!

My kids left their puter on while I was away on vacation and some loverly person managed to gain access to the puter. Unfortunately I was on vacation so had all of my systems off except the one the kids turned back on, so my sniffer was off as well. I don't know much from the forensics side of the house as I mainly perform audits and such, so was hoping I could get some insight as to where to start and tools to use to find everything that was done to the computer. My AV software picked up a trojan, but figure it was after the fact and is still resident on the system. It almost appears that they accessed Hotmail and picked up files from a mailbox. (Sure wish my sniffer would have been on :( )

The local Symantec firewall is being bypassed and most of the services won't start. Term Svcs among others has been set to manual but starts up automatically with Windows (I had it disabled before) and will not allow me to stop the service. I keep the system up to date with patches and AV signatures and use 25-char passwords with fingerprint scanners for the kids to use, so am not certain what they used to exploit, but given time anything can be broken. My fingerprint scanner doesn't show any failed logon attempts while we were gone, but the security logs show numerous failed attempts by all of the accounts, so assuming they are trying to remotely access the PC. I'm thinking they gained access to the account that was currently logged in, as it shows that particular account's privileges were escalated in the log files several times, then shortly after it shows the SYSTEM account making changes to the system.

Anyway, if someone could recommend where to start and what tools I should use, I guess this will begin my forensics career and OJT... Much appreciated :)

-----------------------------------------
This e-mail message is private and may contain confidential or privileged information.
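Step 3 of the reply above (run netstat -an, find the odd outbound connections and the IP/port pairs worth looking up), as an added example that is not part of the original thread. It is a small Python script that parses a saved Windows `netstat -an` listing, separates unexpected listeners, inbound connections from the Internet, and odd outbound connections, and lists the remote endpoints to research. The netstat output is constructed for illustration (the remote addresses are RFC 5737 documentation addresses standing in for Internet hosts), and the "expected listener" and "common outbound port" sets are assumptions about a home Windows XP box of the period that would be tuned per machine; the original poster had Terminal Services disabled before the incident, which is why 3389 is deliberately left out of the expected set.

```python
"""Triage a saved `netstat -an` listing (Windows XP format) for the odd
outbound connections and unexpected listeners the reply suggests hunting.

Added example, not code from the original mailing-list thread.  The netstat
output below is constructed; its remote addresses are RFC 5737 documentation
ranges used as stand-ins for Internet hosts, and the port sets are
assumptions that would be tuned to the machine being examined.
"""
import ipaddress
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state")

# Constructed sample in the layout `netstat -an` prints on Windows XP.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1046      192.0.2.55:6667        ESTABLISHED
  TCP    192.168.1.10:1052      198.51.100.20:80       ESTABLISHED
  TCP    192.168.1.10:3389      203.0.113.9:41233      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    127.0.0.1:1900         *:*
"""

# Assumption: ports a stock home XP box would normally have open.  3389 is
# left out on purpose because the poster had Terminal Services disabled.
EXPECTED_LISTENERS = {135, 139, 445, 1900}

# Assumption: destination ports of ordinary outbound traffic (web, mail, DNS).
COMMON_OUTBOUND = {80, 443, 25, 110, 53}

# Address ranges that do not cross the router; anything else is "Internet".
# Spelled out instead of ipaddress.is_private, which also treats the RFC 5737
# documentation ranges used in the sample as non-global.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

# One netstat row: proto, local ip:port, foreign ip:port, optional state.
# IPv4 only, which is all XP-era `netstat -an` output needed.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return a Conn for every socket row; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        conns.append(Conn(proto, lip, int(lport), rip, rport, state or ""))
    return conns


def is_local(ip):
    """True for RFC 1918, loopback, link-local, unspecified, or '*' addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # UDP rows show '*' as the foreign address
        return True
    return any(addr in net for net in LOCAL_NETS)


def triage(conns):
    """Classify the rows a responder should look at first.

    unexpected-listener   : TCP LISTENING on a port not in EXPECTED_LISTENERS
    inbound-from-internet : ESTABLISHED to one of our listeners from a non-local IP
    odd-outbound          : ESTABLISHED from an ephemeral port to a non-local IP
                            on a port that is not ordinary web/mail/DNS traffic
    """
    listening = {c.local_port for c in conns if c.state == "LISTENING"}
    findings = []
    for c in conns:
        if c.state == "LISTENING" and c.local_port not in EXPECTED_LISTENERS:
            findings.append(("unexpected-listener", c))
        elif c.state == "ESTABLISHED" and not is_local(c.remote_ip):
            if c.local_port in listening:
                findings.append(("inbound-from-internet", c))
            elif int(c.remote_port) not in COMMON_OUTBOUND:
                findings.append(("odd-outbound", c))
    return findings


def remote_endpoints(findings):
    """The (ip, port) pairs to search for, as the reply suggests doing."""
    return sorted({(c.remote_ip, int(c.remote_port))
                   for kind, c in findings if kind != "unexpected-listener"})


if __name__ == "__main__":
    found = triage(parse_netstat(SAMPLE_NETSTAT))
    for kind, c in found:
        print(f"{kind:22} {c.proto} {c.local_ip}:{c.local_port} -> "
              f"{c.remote_ip}:{c.remote_port} {c.state}")
    print("look up:", remote_endpoints(found))
```

On the constructed sample this reports 3389 and 6667 as unexpected listeners, the 3389 session from 203.0.113.9 as an inbound Internet connection, and the 6667 session to 192.0.2.55 as the odd outbound one; the connection to port 80 is left alone. Real output should be captured to a file first (`netstat -an > netstat.txt`) so the listing survives a reboot or a cleanup, and it goes without saying that a rootkit can hide sockets from netstat on the compromised host itself, which is why the reply also points at the router and ISP logs.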
Current thread:
- Re: They got me!!!, (continued)
- Re: They got me!!! Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (Apr 05)
- Re: They got me!!! Dude VanWinkle (Apr 06)
- RE: They got me!!! lucretias (Apr 06)
- Re: They got me!!! Eliah Kagan (Apr 06)
- Re: They got me!!! Valdis . Kletnieks (Apr 06)
- RE: They got me!!! David Gillett (Apr 06)
- RE: They got me!!! Terry Vernon (Apr 06)
- Re: They got me!!! l00t3r (Apr 06)
- Re: They got me!!! Jamie Riden (Apr 06)
- Re: They got me!!! l00t3r (Apr 06)
- Re: They got me!!! Colin Copley (Apr 06)
- RE: They got me!!! Levenglick, Jeff (Apr 06)
- Re: Re: They got me!!! john . fellers (Apr 06)
- Re: Re: They got me!!! pentesticle (Apr 06)
- RE: Re: They got me!!! Levenglick, Jeff (Apr 06)
- Re: Re: They got me!!! Eliah Kagan (Apr 06)
- Re: They got me!!! Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (Apr 05)