Security Basics mailing list archives

AW: XP Box appears to be compromised

From: Meidinger Chris <chris.meidinger () badenit de>
Date: Thu, 7 Aug 2003 08:30:32 +0100

If that doesn't work, then download winlibpcap and ethereal, install, but on
hub with computer or switch span port
start ethereal
say 'start filtering' and use the filter string 'src host MY_IP or dst host
MY_IP' without apostrophe and replacing MY_IP with the IP address of the
machine
should have everything done in 30 minutes

the advantage of this approach is that you can save the network traffic. if
this thing escalates into an administrative action (firing, discipline,
etc.) you want to have that stuff recorded, and you want a second person who
can testify that person x was using ip y during the illegal movements.

badenIT GmbH
System Support
 
Chris Meidinger
Tullastrasse 70
79108 Freiburg

______________

Es gibt 10 arten von Menschen auf dem Planeten, 
welche die Binär verstehen, und welche die es nicht tun.



-----Ursprüngliche Nachricht-----
Von: chris [mailto:chris09 () linuxmail org]
Gesendet: Wednesday, August 06, 2003 8:40 PM
An: security-basics () securityfocus com
Betreff: Re: XP Box appears to be compromised


In-Reply-To:
<D8914909A618614AA32CB22F172F3E2D071A88 () dmaul hoth alvalearning com>

Easiest way to do this is to open a prompt on the box and simply 
type "netstat -a"  if theres someone connected to the box it should point  
you right to their IP address. 

Chris

www.cr-secure.net

[205.206.231.19])

      by outgoing3.securityfocus.com (Postfix) with QMQP
      id DF73DA3163; Wed,  6 Aug 2003 12:18:42 -0600 (MDT)
Mailing-List: contact security-basics-help () securityfocus com; run by ezmlm
Precedence: bulk
List-Id: <security-basics.list-id.securityfocus.com>
List-Post: <mailto:security-basics () securityfocus com>
List-Help: <mailto:security-basics-help () securityfocus com>
List-Unsubscribe: <mailto:security-basics-unsubscribe () securityfocus com>
List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
Delivered-To: mailing list security-basics () securityfocus com
Delivered-To: moderator for security-basics () securityfocus com
Received: (qmail 12361 invoked from network); 6 Aug 2003 10:56:22 -0000
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
content-class: urn:content-classes:message
Subject: XP Box appears to be compromised
MIME-Version: 1.0
Content-Type: text/plain;
      charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 6 Aug 2003 11:03:31 -0600
Message-ID:

<D8914909A618614AA32CB22F172F3E2D071A88 () dmaul hoth alvalearning com>

X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: XP Box appears to be compromised
Thread-Index: AcNcPKmigN12jsnKTyK/Qlaav5Jhdg==
From: "Gregory M. Brown" <gbrown () alvalearning com>
To: <security-basics () securityfocus com>

I've got an issue with what appears to be remote desktop management of
an XP box.  It's weird...

There are deliberate mouse movements on this box.  I'm assuming it's an
internal person doing this as our FW and Fortinet device will block any
remote seizing of a desktop.  I've disabled all the XP remote services,
and it continues to happen.  I could bust open packets with sniffer, but
there is a time constraint as the organization laid virtually all IT
people off.  Imagine that....

What should I be looking for?  I need to nail whoever is doing this.=20

Thanks for any help.

Greg B.

--------------------------------------------------------------------------

--------------------------------------------------------------------------

--


---------------------------------------------------------------------------
----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

AW: XP Box appears to be compromised Meidinger Chris (Aug 07)