Security Incidents mailing list archives
RE: Re: They got me!!!
From: "Levenglick, Jeff" <JLevenglick () fhlbatl com>
Date: Thu, 6 Apr 2006 12:30:40 -0400
It is always nice to learn, but in a lab. You need to keep in mind of the following: 1) rootkits,trojans..ect are put there by people with a lot more knowledge then the average person. In most cases, you will never Find the person. 2) You are dealing with your own box. Your info..ect is on that box, you really do not want to play around with it, do you? Without a sniffer or a honey box you will have a hard time trying to see all the steps taken to get your box. I would suggest the following: 1) run netstat -an and save the output. 2) remove the box from any networks 3) run netstat -an and save it to another file. 4) compare the two files. Did something wake up or did something die? 5) look for strange ports. Check google to see what the port is known for. 6) I know Zone Alarm can do this, I'm sure yours can. - set program control to not allow anything to run without prompting you. Make sure You erase any past access. Reboot the box and see what wants to run on your box. The above should get you some information to google. Usually you can find out what the trojan/root kit does and how it is installed. If nothing comes up, then someone might have run an exploit to connect to your box and then got off. The only way to find out at this point is To check your router logs. Look for multiple connects to ports from the same ip. If your lucky you might see a scan with 50+ trys within one minute. If you still do not see anything, then assume something was run on the pc first. You should see in the log file a connection going to an outside ip on a strange port. Or one the keeps connecting each day to the same ip...ect.. -----Original Message----- From: pentesticle () yahoo com [mailto:pentesticle () yahoo com] Sent: Thursday, April 06, 2006 10:21 AM To: incidents () securityfocus com Subject: Re: Re: They got me!!! Yes, I want to learn something from this so want to find out what/how the access was obtained. I feel I have the computers as secure as Microsoft allows (WinXP Pro). I check for patches regularly (weekly). I have most built-in accounts disabled. The accounts all run at a regular user priviledge. This particular machine does act as a print server for my network, but I have anonymous access restricted and only allow authenticated connections. I restrict remote admin access, but not sure if it can be bypassed somehow. The kids do play the internet games and surf the funny video sites and I do have a teen that check web mail, but none of them are "supposed" to have access to install (ie regular user account). I have software firewalls (Symantec) running on the machine behind a Linksys router/firewall as my gateway. So far I haven't any spyware on the box, only attempts, when I run my nightly scans and review the logs files. Since I didn't have my sniffer running at the time I really want to see if I can find out what happened and how it happened. I'm somewhat concern if my border device may possibly be compromised as well. Unfortunately Linksys is pretty limited on the abilities to manage the device. None of my other PC's on the network seem to show any indication of compromise, but again this one in particular is slightly less secure for the sharing of the printer. Any additional information is much appreciated. Thanks... Hopefully I'll be able to put the pieces together. ----------------------------------------- This e-mail message is private and may contain confidential or privileged information.
Current thread:
- Re: They got me!!!, (continued)
- Re: They got me!!! Eliah Kagan (Apr 06)
- Re: They got me!!! Valdis . Kletnieks (Apr 06)
- RE: They got me!!! David Gillett (Apr 06)
- RE: They got me!!! Terry Vernon (Apr 06)
- Re: They got me!!! l00t3r (Apr 06)
- Re: They got me!!! Jamie Riden (Apr 06)
- Re: They got me!!! l00t3r (Apr 06)
- Re: They got me!!! Colin Copley (Apr 06)
- RE: They got me!!! Levenglick, Jeff (Apr 06)
- Re: Re: They got me!!! john . fellers (Apr 06)
- Re: Re: They got me!!! pentesticle (Apr 06)
- RE: Re: They got me!!! Levenglick, Jeff (Apr 06)
- Re: Re: They got me!!! Eliah Kagan (Apr 06)