Security Basics mailing list archives

Re: XP Box appears to be compromised


From: James Fields <jvfields () tds net>
Date: 07 Aug 2003 09:12:21 -0400

Put the sniffer on it - don't take the attitude that the sniffer is the
"hard" way or too time-consuming.  Slap Ethereal or something similar
right on the box and capture the activity.  Even if you don't look at
all the packet details you'll get source and destination addresses and
port numbers, which can be helpful.

Don't forget netstat to view active ports.  "Vision" from Foundstone
takes netstat a bit further, associating those ports to specific
executables / processes.

On Wed, 2003-08-06 at 13:03, Gregory M. Brown wrote:
I've got an issue with what appears to be remote desktop management of
an XP box.  It's weird...

There are deliberate mouse movements on this box.  I'm assuming it's an
internal person doing this as our FW and Fortinet device will block any
remote seizing of a desktop.  I've disabled all the XP remote services,
and it continues to happen.  I could bust open packets with sniffer, but
there is a time constraint as the organization laid virtually all IT
people off.  Imagine that....

What should I be looking for?  I need to nail whoever is doing this. 

Thanks for any help.

Greg B.



-- 
James V. Fields
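The port-to-process association James describes (what Vision does on top of netstat) can be reproduced with what XP already ships: `netstat -ano` prints the owning PID for every socket, and `tasklist` maps PIDs to image names. The script below is an added example, not code from this thread or from Foundstone's Vision. It parses both listings, joins them on PID, and flags any established TCP session sitting on a well-known remote-control port (RDP 3389, VNC 5900/5800, pcAnywhere 5631), since the foreign address on such a row is the machine driving the mouse. Both listings are constructed samples in XP's output format; the IP addresses and the process name `rcserver.exe` on PID 1344 are invented for the example, not observations from the poster's box.

```python
"""Join `netstat -ano` with `tasklist` on PID so every socket carries the name of the
executable that owns it, then flag established sessions on remote-control ports.
The two sample listings are constructed for this example, not captured from a real host."""
import re

# Constructed `netstat -ano` output.  On XP the -o switch adds the owning PID column.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1344
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:5900      192.168.1.57:1187      ESTABLISHED     1344
  TCP    192.168.1.10:1052      192.168.1.2:445        ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.10:137       *:*                                    4
"""

# Constructed `tasklist` output.  The image name on PID 1344 is invented for the example.
TASKLIST_SAMPLE = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
svchost.exe                  880 Console                 0      4,120 K
explorer.exe                1208 Console                 0     18,444 K
rcserver.exe                1344 Console                 0      3,560 K
"""

# Default listening ports of common desktop remote-control tools.
REMOTE_CONTROL_PORTS = {3389: "RDP", 5900: "VNC", 5800: "VNC (Java viewer)", 5631: "pcAnywhere"}


def split_endpoint(endpoint):
    """'192.168.1.10:5900' -> ('192.168.1.10', 5900); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP/UDP row of `netstat -ano` output; headers are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        # UDP rows have no State column, so their PID sits one field earlier.
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport,
                     "state": state, "pid": int(pid)})
    return rows


# image name, PID, session name, session number, memory usage ("4,120 K")
TASKLIST_ROW = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K$")


def parse_tasklist(text):
    """Return {pid: image name}; the header and '====' ruler lines do not match the pattern."""
    pid_map = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line.rstrip())
        if m:
            pid_map[int(m.group("pid"))] = m.group("image")
    return pid_map


def ports_by_process(netstat_text, tasklist_text):
    """Join the two listings on PID so each socket row names the owning executable."""
    pid_map = parse_tasklist(tasklist_text)
    rows = parse_netstat(netstat_text)
    for row in rows:
        row["image"] = pid_map.get(row["pid"], "<unknown pid>")
    return rows


def established_remote_control(rows):
    """Established TCP sessions whose local port is a known remote-control port.
    The foreign host is the peer controlling the desktop; the image is the program serving it."""
    hits = []
    for row in rows:
        if (row["proto"] == "TCP" and row["state"] == "ESTABLISHED"
                and row["local_port"] in REMOTE_CONTROL_PORTS):
            hits.append({"service": REMOTE_CONTROL_PORTS[row["local_port"]],
                         "peer": row["foreign_host"], "pid": row["pid"], "image": row["image"]})
    return hits


if __name__ == "__main__":
    rows = ports_by_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for row in rows:
        print(f"{row['proto']:<4} {row['local_host']}:{row['local_port']:<6} "
              f"{row['state']:<12} pid={row['pid']:<5} {row['image']}")
    for hit in established_remote_control(rows):
        print(f"remote-control session: {hit['service']} from {hit['peer']} "
              f"via {hit['image']} (pid {hit['pid']})")
```

On a live box, feed the functions the real output (`netstat -ano > ns.txt`, `tasklist > tl.txt`) and run them from another machine; a tool using a non-default port will not be caught by the port table, which is why the full joined listing, not only the flagged rows, is worth reading. The sniffer capture James recommends then confirms the same peer address from the wire rather than from the possibly tampered host.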



