Security Incidents mailing list archives
RE: I think I've been hacked...please help!
From: "KoRe MeLtDoWn" <koremeltdown () hotmail com>
Date: Tue, 09 Apr 2002 02:01:12 +0000
I would suggest this is a custom made trojan that is connecting to an irc server when a RAS connection is detected. Try using MSConfig to see if anything unusual is working, also try installing zone alarm for a check at what is accessing the network from that machine - available from www.zonelabs.com If someone is using a trojan it will be picked up using zone alarm even if it is custome made.
Hope my info helps... Peter Francis Owner/Operator -= KoRe WoRkS =- Internet Security http://www.koreworks.com/ Is your box REALLY secure?
From: "Arnold, Jamie" <harnold () binghamton edu> To: "'incidents () securityfocus com'" <incidents () securityfocus com> Subject: RE: I think I've been hacked...please help! Date: Mon, 8 Apr 2002 16:06:34 -0400 MIME-Version: 1.0Received: from [66.38.151.27] by hotmail.com (3.2) with ESMTP id MHotMailBE7B7DDB007F400437144226971B95AA0; Mon, 08 Apr 2002 17:16:31 -0700 Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19])by outgoing.securityfocus.com (Postfix) with QMQPid 0F214A31A4; Mon, 8 Apr 2002 14:12:25 -0600 (MDT)Received: (qmail 9906 invoked from network); 8 Apr 2002 20:04:21 -0000 From incidents-return-3136-koremeltdown Mon, 08 Apr 2002 17:17:06 -0700 Mailing-List: contact incidents-help () securityfocus com; run by ezmlm Precedence: bulk List-Id: <incidents.list-id.securityfocus.com> List-Post: <mailto:incidents () securityfocus com> List-Help: <mailto:incidents-help () securityfocus com> List-Unsubscribe: <mailto:incidents-unsubscribe () securityfocus com> List-Subscribe: <mailto:incidents-subscribe () securityfocus com> Delivered-To: mailing list incidents () securityfocus com Delivered-To: moderator for incidents () securityfocus comMessage-ID: <4F7418FCE28AD211828A00A0C9D8B8DB08EB0985 () buexchange cc binghamton edu>X-Mailer: Internet Mail Service (5.5.2653.19) All: I have several machines that are using excessive bandwidth. Upon inspection, I find multiple connections to servers with names like irc.badguuy.com, etc... On 6667. Incoming connections are random although 1067 seems to be a common one. I have 4 instances of cmd.exe running and 2 of win.exe While it looks like Egghead, the reg entries aren't there nor the directories/files. These machines all had an account ID of Microsoft with admin privs on them. They don't connect to a domain and were setup by the department "tech" person who left them wide open. What is confusing to me is that one of them uses our Exchange server which is protected by Antigen (and I pull nearly every extension known to man) and McAffee on the desktop. I can't find anything that matches this. Anyone have any insight? Thanks J ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
_________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service.For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- I think I've been hacked...please help! Joe Warner (Mar 31)
- Re: I think I've been hacked...please help! Ryan Russell (Apr 01)
- Re: I think I've been hacked...please help! Crist J. Clark (Apr 01)
- Re: I think I've been hacked...please help! Hugo van der Kooij (Apr 01)
- Message not available
- Re: I think I've been hacked...please help! Joe Warner (Apr 01)
- <Possible follow-ups>
- RE: I think I've been hacked...please help! Arnold, Jamie (Apr 08)
- RE: I think I've been hacked...please help! H C (Apr 09)
- RE: I think I've been hacked...please help! Pepijn Vissers (Apr 09)
- RE: I think I've been hacked...please help! KoRe MeLtDoWn (Apr 09)
- RE: I think I've been hacked...please help! H C (Apr 09)
- RE: I think I've been hacked...please help! Arnold, Jamie (Apr 09)
- RE: I think I've been hacked...please help! H C (Apr 09)