Security Incidents mailing list archives

RE: They got me!!!


From: lucretias <lucretias () shaw ca>
Date: Thu, 06 Apr 2006 08:17:30 -0600

I would disagree with all of Susan's assumptions. Why should you rebuild
if you're simply infected?

How someone could also determine you have a rootkit installed, with no
analysis and the shaky details you posted, I'm not certain either.

Assuming it was bad surfing is also a bad assumption. It's highly likely
that the infection was either from email or from a downloaded and installed
piece of software.

A simple clean-up would do the trick. First goal is to boot from a trusted
and secure medium with an up-to-date anti-virus and scan your PC for
infection.

Then clean the infections.  I have yet to meet an infection I couldn't
clean.


My suggestion is, if you have users who insist on using machines when you're
away, set up Qemu and then, when you come back, wipe the VM.
Cheers,



-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[mailto:sbradcpa () pacbell net]
Sent: Wednesday, April 05, 2006 10:14 PM
To: pentesticle () yahoo com
Cc: incidents () securityfocus com
Subject: Re: They got me!!!


Before you do the proper thing and flatten it and reinstall from trusted
sources, ask yourself what your real intrusion points were. If the computer
was merely "on", "people" should be able to get on the box without:

a. a backdoor implanted on there first, probably by your teenagers surfing
   and downloading free software
b. a vulnerability in an installed program
c. a port or way onto that box (what ports were open inbound from the
   Internet)

I'm guessing your kids got nailed with malware/peer-to-peer trojans because
they've been surfing places they shouldn't have.

CERT/CC Steps for Recovering from a UNIX or NT System Compromise:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

Microsoft Says Recovery from Malware Becoming Impossible
http://www.eweek.com/article2/0,1895,1945808,00.asp?kc=ewnws040406dtx1k0000599

Help: I Got Hacked. Now What Do I Do? - Microsoft TechNet: Security
Management Column:
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

Anti-Malware Engineering Team : News on Alcan, Mywife.E:
http://blogs.technet.com/antimalware/archive/2006/04/03/424113.aspx

If the kid had admin access and was able to install anything, that's how the
critter got on the box.

When teenagers are in the house, either give them non-admin access or plan
on nuking and paving, on a regular basis, a machine that's set up just for
them.




pentesticle () yahoo com wrote:

Hey list!!!

My kids left their puter on while I was away on vacation and some
loverly person managed to gain access to the puter. Unfortunately I was on
vacation, so I had all of my systems off except the one the kids turned
back on, so my sniffer was off as well.

I don't know much from the forensics side of the house as I mainly
perform audits and such, so I was hoping I could get some insight as to
where to start and which tools to use to find everything that was done to
the computer.

My AV software picked up a trojan, but I figure it was after the fact and
it is still resident on the system. It almost appears that they accessed
Hotmail and picked up files from a mailbox. (Sure wish my sniffer would
have been on :( ) The local Symantec firewall is being bypassed and most
of the services won't start. Term Svcs, among others, has been set to
manual but starts up automatically with Windows (I had it disabled before)
and will not allow me to stop the service. I keep the system up to date
with patches and AV signatures and use 25-char passwords with
fingerprint scanners for the kids to use, so I am not certain what they
used to exploit, but given time anything can be broken. My fingerprint
scanner doesn't show any failed logon attempts while we were gone, but the
security logs show numerous failed attempts by all of the accounts, so I'm
assuming they are trying to remotely access the PC. I'm thinking they
gained access to the account that was currently logged in, as it shows
that particular account's privileges were escalated in the log files
several times, then shortly after it shows the system account making
changes to the system.

Anyway, if someone could recommend where to start and what tools I
should use, I guess this will begin my forensics career and OJT...

Much appreciated :)




--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
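The original post asks where to start and which tools to use, and it reports three concrete symptoms: Terminal Services set to Manual yet running at boot and refusing to stop, numerous failed logon attempts in the Security log, and an account's privileges being escalated shortly before the SYSTEM account altered the machine. Whichever side of the flatten-versus-clean argument you take, those symptoms are the first things to capture before the box is switched off. The PowerShell below is an added triage example for exactly that; it is not code from anyone in this thread. It writes the service table, the listening sockets with their owning processes, and the relevant Security and System log events to removable media, then lines up privilege-grant events against Service Control Manager changes on one timeline. Everything it assumes is mine, not the thread's: an elevated PowerShell session on the suspect machine, a USB stick mounted as E:, a two-week window, and the standard Windows event IDs named in the comments (the XP/2003 numbers and their Vista-and-later equivalents).

```powershell
# Added live-triage example for the box described in the thread; not code
# from any poster. Run in an elevated PowerShell on the suspect machine and
# write everything to removable media so the evidence survives a rebuild.
# Assumptions: output goes to E:\triage, the window of interest is the last
# 14 days, and the logs use the standard event IDs:
#   Security 529 (XP/2003) / 4625 (Vista+)  failed logon
#   Security 576 (XP/2003) / 4672 (Vista+)  special privileges assigned to a new logon
#   System   7040 service start type changed, 7045 new service installed
param(
    [string]$OutDir = 'E:\triage',   # assumption: USB stick mounted as E:
    [int]$LookbackDays = 14          # assumption: length of the vacation
)
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
Start-Transcript -Path (Join-Path $OutDir 'triage-console.txt') | Out-Null
$since = (Get-Date).AddDays(-$LookbackDays)

# Returns the last capture-group match of $Pattern in an event message, or '-'.
# The last "User Name"/"Account Name" field is the target account in both the
# XP-era and Vista+ message layouts, whose ReplacementStrings differ.
function Get-LastField([string]$Message, [string]$Pattern) {
    $m = [regex]::Matches($Message, $Pattern)
    if ($m.Count -gt 0) { $m[$m.Count - 1].Groups[1].Value } else { '-' }
}
$AccountPattern = '(?:User Name|Account Name):\s+(\S+)'
$SourcePattern  = '(?:Source Network Address|Workstation Name):\s+(\S+)'

# 1. Services: configured start mode versus actual state, plus the account
#    and binary behind each. TermService is the one the post says was set to
#    Manual yet runs at boot and cannot be stopped; anything not running from
#    the Windows directory gets listed alongside it for a second look.
$services = Get-WmiObject Win32_Service |
    Select-Object Name, DisplayName, StartMode, State, StartName, PathName, ProcessId
$services | Export-Csv (Join-Path $OutDir 'services.csv') -NoTypeInformation
$services | Where-Object { $_.Name -eq 'TermService' -or $_.PathName -notmatch '\\Windows\\' } |
    Format-Table Name, StartMode, State, StartName, PathName -AutoSize

# 2. Inbound exposure: every listening TCP socket, its owning PID and image.
$listeners = netstat -ano | Select-String 'LISTENING' | ForEach-Object {
    $f = $_.Line.Trim() -split '\s+'
    $ownerPid = [int]$f[-1]
    $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Proto = $f[0]; LocalAddress = $f[1]; OwnerPid = $ownerPid
        Process = $proc.ProcessName; Image = $proc.Path
    }
}
$listeners | Export-Csv (Join-Path $OutDir 'listeners.csv') -NoTypeInformation
$listeners | Sort-Object LocalAddress |
    Format-Table Proto, LocalAddress, OwnerPid, Process, Image -AutoSize

# 3. Security log: save it whole, then summarise failed logons by target
#    account and source, which tells you whether the "numerous failed
#    attempts" came over the network or from the console.
$sec = Get-EventLog -LogName Security -After $since
$sec | Export-Csv (Join-Path $OutDir 'security-events.csv') -NoTypeInformation
$sec | Where-Object { 529, 4625 -contains $_.EventID } | ForEach-Object {
        New-Object PSObject -Property @{
            Account = Get-LastField $_.Message $AccountPattern
            Source  = Get-LastField $_.Message $SourcePattern
        }
    } | Group-Object Account, Source | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 4. Privilege grants and Service Control Manager changes on one timeline.
#    The post saw an account's privileges escalated and, shortly after, the
#    SYSTEM account altering the system; a 576/4672 followed by a 7040/7045
#    is that sequence in the logs.
$priv = $sec | Where-Object { 576, 4672 -contains $_.EventID } |
    Select-Object TimeGenerated, EventID,
        @{ Name = 'Detail'; Expression = { Get-LastField $_.Message $AccountPattern } }
$scm = Get-EventLog -LogName System -Source 'Service Control Manager' -After $since |
    Where-Object { 7040, 7045 -contains $_.EventID } |
    Select-Object TimeGenerated, EventID, @{ Name = 'Detail'; Expression = { $_.Message } }
$timeline = @($priv) + @($scm) | Sort-Object TimeGenerated
$timeline | Export-Csv (Join-Path $OutDir 'timeline.csv') -NoTypeInformation
$timeline | Format-Table TimeGenerated, EventID, Detail -AutoSize -Wrap
Stop-Transcript | Out-Null
```

Run it from the removable media itself (for example `.\triage.ps1 -OutDir E:\triage -LookbackDays 14`) and keep the CSVs off the box. Two caveats follow from the thread's own argument: a rootkit can hide processes, sockets and services from anything run on the infected system, so treat what this shows as leads and what it fails to show as no evidence of absence; and `Export-Csv` on the Security log preserves the message text but not the original `.evt`/`.evtx` file, so copy the log files from the offline boot as well before wiping.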


