RE: I think I've been hacked...please help!

["KoRe MeLtDoWn" <koremeltdown () hotmail com>]

I would suggest this is a custom made trojan that is connecting to an irc 
server when a RAS connection is detected.
Try using MSConfig to see if anything unusual is working, also try 
installing zone alarm for a check at what is accessing the network from that 
machine - available from www.zonelabs.com
If someone is using a trojan it will be picked up using zone alarm even if 
it is custome made.
Hope my info helps...

Peter Francis

Owner/Operator
-= KoRe WoRkS =- Internet Security
http://www.koreworks.com/

Is your box REALLY secure?


> From: "Arnold, Jamie" <harnold () binghamton edu>
> To: "'incidents () securityfocus com'" <incidents () securityfocus com>
> Subject: RE: I think I've been hacked...please help!
> Date: Mon, 8 Apr 2002 16:06:34 -0400
> MIME-Version: 1.0
> Received: from [66.38.151.27] by hotmail.com (3.2) with ESMTP id 
> MHotMailBE7B7DDB007F400437144226971B95AA0; Mon, 08 Apr 2002 17:16:31 -0700
> Received: from lists.securityfocus.com (lists.securityfocus.com 
> [66.38.151.19])by outgoing.securityfocus.com (Postfix) with QMQPid 
> 0F214A31A4; Mon,  8 Apr 2002 14:12:25 -0600 (MDT)
> Received: (qmail 9906 invoked from network); 8 Apr 2002 20:04:21 -0000
> From incidents-return-3136-koremeltdown Mon, 08 Apr 2002 17:17:06 -0700
> Mailing-List: contact incidents-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <incidents.list-id.securityfocus.com>
> List-Post: <mailto:incidents () securityfocus com>
> List-Help: <mailto:incidents-help () securityfocus com>
> List-Unsubscribe: <mailto:incidents-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:incidents-subscribe () securityfocus com>
> Delivered-To: mailing list incidents () securityfocus com
> Delivered-To: moderator for incidents () securityfocus com
> Message-ID: 
> <4F7418FCE28AD211828A00A0C9D8B8DB08EB0985 () buexchange cc binghamton edu>
> X-Mailer: Internet Mail Service (5.5.2653.19)
>
> All:
>
> I have several machines that are using excessive bandwidth.  Upon
> inspection, I find multiple connections to servers with names like
> irc.badguuy.com, etc... On 6667.  Incoming connections are random although
> 1067 seems to be a common one.  I have 4 instances of cmd.exe running and 2
> of win.exe  While it looks like Egghead, the reg entries aren't there nor
> the directories/files.  These machines all had an account ID of Microsoft
> with admin privs on them.  They don't connect to a domain and were setup by
> the department "tech" person who left them wide open.  What is confusing to
> me is that one of them uses our Exchange server which is protected by
> Antigen (and I pull nearly every extension known to man) and McAffee on the
> desktop.  I can't find anything that matches this. Anyone have any insight?
>
> Thanks
>
> J
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com




_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com