Security Basics mailing list archives
RE: XP Box appears to be compromised
From: "Sean MacLeod" <sean () security homeunix org>
Date: Thu, 7 Aug 2003 18:22:32 -0700
Most likely it is DameWare (www.dameware.com), and you will find this as a staple in most of the win32 rootkits these days. This is a great remote administration tool that can be installed quietly and runs without end user knowledge; it can also be used to view and take control of a box. Installation is very easy given either a simple or non-existent password or an exploit (say DCOM, for example). Most of the ones I have seen have not been modified, so in the Task Manager look for a process called dwrcs.exe. Also try going to a command prompt and running

    netstat -ano | more

Then match the process ID to the process in the Task Manager.

-----Original Message-----
From: JM [mailto:jamesmcgeeiom () onetel net uk]
Sent: Thursday, August 07, 2003 3:36 AM
To: gbrown () alvalearning com; security-basics () securityfocus com
Subject: RE: XP Box appears to be compromised

My understanding of RDP is that you establish a "new" session on the box. So I don't think that is your culprit.

Check the system out for viruses and Trojans. Run a port scan against it. Try a new AV solution. Check out LANguard's scanner; you can get a free eval of it, but it is also worth buying.

Have you tried changing the mouse?

Cheers
JM

-----Original Message-----
From: Gregory M. Brown [mailto:gbrown () alvalearning com]
Sent: 06 August 2003 17:04
To: security-basics () securityfocus com
Subject: XP Box appears to be compromised

I've got an issue with what appears to be remote desktop management of an XP box. It's weird... There are deliberate mouse movements on this box. I'm assuming it's an internal person doing this, as our FW and Fortinet device will block any remote seizing of a desktop. I've disabled all the XP remote services, and it continues to happen. I could bust open packets with a sniffer, but there is a time constraint as the organization laid virtually all IT people off. Imagine that....

What should I be looking for? I need to nail whoever is doing this.

Thanks for any help.

Greg B.
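The check Sean describes (run `netstat -ano`, then match each PID against the process list) is easy to do by hand on one box but tedious to repeat. The script below is an added example, not code from anyone in the thread: it parses constructed samples of `netstat -ano` and `tasklist /fo csv /nh` output, joins them on PID, and flags any owning process whose image name is on a watch list. The only name on that list is dwrcs.exe, the process the thread calls out; the sample output, its port numbers and the PID values are all made up for the example, and the `<unknown>` handling covers a PID that has exited or is missing from the process list.

```python
"""Correlate `netstat -ano` sockets with `tasklist` image names and flag
processes the thread above associates with quiet remote control.
Added example; the netstat and tasklist outputs below are constructed."""

import csv
import io
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6129           0.0.0.0:0              LISTENING       1580
  TCP    192.168.1.20:6129      192.168.1.77:3391      ESTABLISHED     1580
  TCP    192.168.1.20:1045      10.0.0.5:80            ESTABLISHED     2204
  TCP    192.168.1.20:1046      10.0.0.6:443           ESTABLISHED     3300
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv /nh` output; PID 3300 is absent
# on purpose to exercise the "process gone" path.
TASKLIST_SAMPLE = '''"System","4","Console","0","236 K"
"svchost.exe","912","Console","0","4,512 K"
"dwrcs.exe","1580","Console","0","3,108 K"
"iexplore.exe","2204","Console","0","21,400 K"
'''

# Image names to flag. dwrcs.exe is the one named in the thread; extend as
# your own environment requires (anything added here is your assumption).
SUSPECT_NAMES = {"dwrcs.exe"}

# proto, local, foreign, optional state (UDP rows have none), PID
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per socket row of `netstat -ano` output."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, local, foreign, state, pid = m.groups()
        conns.append({"proto": proto, "local": local, "foreign": foreign,
                      "state": state or "", "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Return {pid: image name} from `tasklist /fo csv /nh` output."""
    procs = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            procs[int(row[1])] = row[0]
    return procs


def correlate(conns, procs):
    """Group sockets by owning PID and attach the image name, the same join
    the thread suggests doing by eye against Task Manager."""
    by_pid = defaultdict(list)
    for c in conns:
        by_pid[c["pid"]].append(c)
    report = []
    for pid in sorted(by_pid):
        image = procs.get(pid, "<unknown>")  # exited, or list was stale
        listening = sorted({int(c["local"].rsplit(":", 1)[1])
                            for c in by_pid[pid] if c["state"] == "LISTENING"})
        report.append({"pid": pid, "image": image,
                       "connections": by_pid[pid],
                       "listening_ports": listening,
                       "suspect": image.lower() in SUSPECT_NAMES})
    return report


if __name__ == "__main__":
    rep = correlate(parse_netstat(NETSTAT_SAMPLE),
                    parse_tasklist(TASKLIST_SAMPLE))
    for r in rep:
        tag = "SUSPECT" if r["suspect"] else "       "
        print(f"{tag} pid={r['pid']:<6} {r['image']:<14} "
              f"listening={r['listening_ports']} "
              f"sockets={len(r['connections'])}")
```

On a live host, feed the script the real output of the two commands (capture both within a few seconds of each other, since PIDs are reused) rather than the samples. A renamed binary defeats the name check, which is why the thread's advice is to look at every process that owns a listening socket, not only at dwrcs.exe.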
Current thread:
- XP Box appears to be compromised Gregory M. Brown (Aug 06)
- Re: XP Box appears to be compromised James Fields (Aug 07)
- <Possible follow-ups>
- Re: XP Box appears to be compromised chris (Aug 06)
- RE: XP Box appears to be compromised Paul Farag (Aug 07)
- RE: XP Box appears to be compromised JM (Aug 07)
- RE: XP Box appears to be compromised Sean MacLeod (Aug 08)