Security Incidents mailing list archives
RE: I think I've been hacked...please help!
From: H C <keydet89 () yahoo com>
Date: Tue, 9 Apr 2002 03:44:30 -0700 (PDT)
Jaime,

1. Have you gathered detailed process information, such as using pslist.exe and listdlls.exe (from SysInternals), and pulist.exe (from the RK)?

2. Have you run netstat? Since you didn't specify which operating systems are running, I'll point out that only XP has the '-o' switch in netstat.

3. Have you run fport.exe from Foundstone, mapping the processes to open ports in netstat?

4. Have you collected any file info...last access times, etc? Something like the following command is a quick and dirty way of doing it:

c:\>dir /s /ta /od c:\*

5. Have you collected or reviewed EventLogs (assuming we're talking about NT/2K here)?

6. Have you done any network-based packet captures?

It seems to me that you might have a pretty significant incident on your hands...but you really haven't given us a whole lot of information to work with. For example, are these machines using publicly routable addresses? What's the patch level? What operating system is being used? What major apps are running (IIS, FTP, etc)?

Of course, this may just be some "goodies" this other admin friend of yours (the "techie") left behind.

I teach a course that walks admins such as yourself through how to deal with/handle situations like this. To be honest, if you have the time, I think these machines would be very interesting to work with...observe the activity on the systems, as well as the network, and see what these "bad guys" are up to.

--- "Arnold, Jamie" <harnold () binghamton edu> wrote:
All:

I have several machines that are using excessive bandwidth. Upon inspection, I find multiple connections to servers with names like irc.badguuy.com, etc... on 6667. Incoming connections are random, although 1067 seems to be a common one. I have 4 instances of cmd.exe running and 2 of win.exe. While it looks like Egghead, the reg entries aren't there, nor the directories/files.

These machines all had an account ID of Microsoft with admin privs on them. They don't connect to a domain and were set up by the department "tech" person who left them wide open.

What is confusing to me is that one of them uses our Exchange server, which is protected by Antigen (and I pull nearly every extension known to man) and McAfee on the desktop. I can't find anything that matches this.

Anyone have any insight?

Thanks
J
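Steps 2 and 3 of the reply above (run netstat, then map each socket to its owning process) are the part of the triage that is worth automating once the output is saved to a file. The script below is an added example, not code from either poster: it parses constructed samples of `netstat -ano` (XP-style, with the PID column) and `tasklist` output, joins them on PID, and flags sockets whose remote port is in the IRC range (6660-6669, 7000) or that belong to a command shell, which has no business holding a listening or established socket. On NT/2K, where netstat has no `-o`, the same join can be fed from fport.exe output instead; the port and process thresholds (`IRC_PORTS`, `SHELLS`) are assumptions chosen to match the symptoms in Jamie's message, not a general indicator list.

```python
"""Correlate netstat -ano with tasklist to find processes talking on IRC ports.

Added example for the triage steps in the thread; the sample output below is
constructed, not captured from the affected machines.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed `netstat -ano` output (Windows XP format, PID in last column).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       784
  TCP    192.168.1.10:1067      0.0.0.0:0              LISTENING       1320
  TCP    192.168.1.10:1071      203.0.113.7:6667       ESTABLISHED     1320
  TCP    192.168.1.10:1072      203.0.113.9:6667       ESTABLISHED     1588
  TCP    192.168.1.10:1101      198.51.100.20:80       ESTABLISHED     2044
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist` output for the same (hypothetical) host.
TASKLIST_SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System                         4 Console                 0         28 K
svchost.exe                  784 Console                 0      3,112 K
cmd.exe                     1320 Console                 0      1,420 K
win.exe                     1588 Console                 0      2,208 K
iexplore.exe                2044 Console                 0     12,980 K
"""

IRC_PORTS = set(range(6660, 6670)) | {7000}   # assumption: classic IRC ports
SHELLS = {"cmd.exe", "command.com"}           # assumption: shells should not own sockets


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: Optional[str]   # UDP rows have no State column
    pid: int


def parse_netstat(text: str) -> List[Conn]:
    """Parse TCP/UDP rows of `netstat -ano`; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = None
        else:
            continue   # malformed row; ignore rather than guess
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist` output (header rows do not match)."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s", line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def port_of(addr: str) -> Optional[int]:
    """Return the numeric port of 'host:port', or None for '*:*'."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def find_suspicious(conns: List[Conn], procs: Dict[int, str]) -> List[dict]:
    """Join sockets to owning processes and return those matching the heuristics."""
    findings = []
    for c in conns:
        image = procs.get(c.pid, "<unknown>")
        rport = port_of(c.remote)
        reasons = []
        if rport in IRC_PORTS:
            reasons.append(f"remote port {rport} is an IRC port")
        if image.lower() in SHELLS and c.state in ("ESTABLISHED", "LISTENING"):
            reasons.append(f"{image} owns a {c.state} socket")
        if reasons:
            findings.append({"pid": c.pid, "image": image, "proto": c.proto,
                             "local": c.local, "remote": c.remote,
                             "state": c.state, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_netstat(NETSTAT_SAMPLE), parse_tasklist(TASKLIST_SAMPLE)):
        print(f"PID {f['pid']:>5} {f['image']:<12} {f['local']} -> {f['remote']} "
              f"[{f['state']}]: {'; '.join(f['reasons'])}")
```

On a live box, replace the two constants with the contents of `netstat -ano > net.txt` and `tasklist > tasks.txt` taken from the suspect system, and keep those files with the rest of the evidence: the PID-to-image join is only meaningful for output captured at the same moment, and a reboot or process restart invalidates it.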
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com