Security Basics mailing list archives

Re: System Hacked


From: H Carvey <keydet89 () yahoo com>
Date: 23 Aug 2003 18:25:19 -0000

In-Reply-To: <20030822081441.61000.qmail () web10008 mail yahoo com>

Jai,

> Someone hacked my system. I have SMTP/POP3 running on
> Win XP and working on a LAN and have given permission
> that anyone on my LAN can create an account.

What application are you using?  Exchange?  Something else?

> Last day someone created an account and I got the message
> of new account creation and when I checked I found
> that he was trying multiple SMTP connections TO & FROM
> fake ID. I got his IP.

Created account?  Did you get notification from the
app, or from the Event Log?  What type of monitoring
are you doing?

These multiple connections could be relaying, as with a
worm.

> When I checked the logs from Event Viewer I found that
> Administrator logged in twice from two different IPs
> using the tlntsvr.exe service, that's why I am thinking
> that the IP was fake.

If the IP is fake, or spoofed, the login wouldn't have
worked, unless routers had also been hacked.

> Is there any way I can find out how he got access and
> how he entered through that SMTP port and the history
> of what he did on getting the cmd prompt or any other
> tracing trick?

If it's a remote hack, there might be some info on the
system, but to be honest, it isn't really clear what
happened.  And where you look depends on what you've
got running on the system.

Harlan
