RE: Re: They got me!!!

["Levenglick, Jeff" <JLevenglick () fhlbatl com>]

It is always nice to learn, but in a lab.

You need to keep in mind of the following:

1) rootkits,trojans..ect are put there by people with a lot more
knowledge then the average person. In most cases, you will never
Find the person.

2) You are dealing with your own box. Your info..ect is on that box, you
really do not want to play around with it, do you?

Without a sniffer or a honey box you will have a hard time trying to see
all the steps taken to get your box. 

I would suggest the following:

1) run   netstat -an and save the output.
2) remove the box from any networks
3) run  netstat -an and save it to another file.
4) compare the two files. Did something wake up or did something die?
5) look for strange ports. Check google to see what the port is known
for.
6) I know Zone Alarm can do this, I'm sure yours can. - set program
control to not allow anything to run without prompting you. Make sure
You erase any past access. Reboot the box and see what wants to run on
your box.

The above should get you some information to google. Usually you can
find out what the trojan/root kit does and how it is installed.

If nothing comes up, then someone might have run an exploit to connect
to your box and then got off. The only way to find out at this point is
To check your router logs. Look for multiple connects to ports from the
same ip. If your lucky you might see a scan with 50+ trys within one
minute.

If you still do not see anything, then assume something was run on the
pc first. You should see in the log file a connection going to an
outside ip on a strange port. Or one the keeps connecting each day to
the same ip...ect..
 

-----Original Message-----
From: pentesticle () yahoo com [mailto:pentesticle () yahoo com] 
Sent: Thursday, April 06, 2006 10:21 AM
To: incidents () securityfocus com
Subject: Re: Re: They got me!!!

Yes, I want to learn something from this so want to find out what/how
the access was obtained. I feel I have the computers as secure as
Microsoft allows (WinXP Pro). I check for patches regularly (weekly). I
have most built-in accounts disabled. The accounts all run at a regular
user priviledge. This particular machine does act as a print server for
my network, but I have anonymous access restricted and only allow
authenticated connections. I restrict remote admin access, but not sure
if it can be bypassed somehow. The kids do play the internet games and
surf the funny video sites and I do have a teen that check web mail, but
none of them are "supposed" to have access to install (ie regular user
account). I have software firewalls (Symantec) running on the machine
behind a Linksys router/firewall as my gateway. So far I haven't any
spyware on the box, only attempts, when I run my nightly scans and
review the logs files.

Since I didn't have my sniffer running at the time I really want to see
if I can find out what happened and how it happened. I'm somewhat
concern if my border device may possibly be compromised as well.
Unfortunately Linksys is pretty limited on the abilities to manage the
device. None of my other PC's on the network seem to show any indication
of compromise, but again this one in particular is slightly less secure
for the sharing of the printer.

Any additional information is much appreciated.

Thanks...

Hopefully I'll be able to put the pieces together.


-----------------------------------------
This e-mail message is private and may contain confidential or
privileged information.